Suspicious Encoded PowerShell Command Line

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Suspicious encoded PowerShell command line refers to PowerShell code sequence that may be encoded with a malicious intention. A combination of PowerShell process with base64 encoding, obfuscation by adding extra parameters or characters($, %) raises suspicion because it may override the default PowerShell execution policy and evade the detection by security controls in place.

Impact:

This can affect the organizations in the following ways:

• Downloading and executing malwares
• Data exfiltration
• Credential theft

Data source:

Windows:

Required configuration: The rule is based on process creation and termination. Prerequisites required are installing and configuring Sysmon, enabling audit process creation audit policy, and command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002- Execution

Techniques: T1059- Command and Scripting Interpreter

Sub-techniques: T1059.001-PowerShell

Criteria:

(Command line not contains Execution Policy remote signed) AND((Command line contains -e,-en,enc,-w hidden -e))

Execution Policy remote signed is a PowerShell execution policy that manages the execution of scripts on a system. The "remote signed" in the rule here is looking for the script that is being executed from remote locations such as the Internet and does not have a valid digital signature, which could be a potential indicator of a malicious activity.

Strings with typically "-e", "-en", "enc", "-w hidden -e", are often used to encode or obfuscate suspicious PowerShell commands.

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected

When this rule is triggered, you're notified of a potential malicious execution of a encoded PowerShell command line. This enables you to verify the integrity and the authenticity of the executed commands and take corrective measures, such as using digital certificates.

Known false positives: This event might be generated when administrators use encoded PowerShell command lines for legitimate reasons such as automating tasks, executing scripts and some soft install instructions may also use it.

Next steps:

When this alert is triggered, the following measures can be implemented:

• Identification: Identify the alert as a new incident or within an ongoing incident.
• Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
• Response: Respond promptly by initiating an automated workflow to cease the malicious process.
• Implement Principle of Least Privilege: Regularly review and ensure that privileged accounts have the required minimum level of permissions.