Detection of Suspicious PowerShell Arguments
This rule detects suspicious PowerShell arguments often used during malware installation, including encoded commands, file downloads, and obfuscation techniques.
This rule, originally published by Elastic and updated on 2026-04-20, identifies the execution of PowerShell with suspicious arguments, a common tactic used during malware installation. Attackers leverage PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands, bypassing traditional security measures. The detection logic focuses on identifying patterns such as Base64 encoded commands, suspicious downloads using WebClient or Invoke-WebRequest, and other obfuscation techniques. This rule is designed to work across multiple data sources, including endpoint logs, Windows event logs, and security solutions like Crowdstrike, SentinelOne, and Microsoft Defender XDR, making it a versatile tool for detecting PowerShell-based threats in Windows environments.
Attack Chain
- An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
- The attacker executes PowerShell.exe with a malicious script or command.
- The PowerShell command includes encoded or obfuscated arguments to evade detection.
- The script downloads a malicious payload from a remote server using
WebClient.DownloadFileorInvoke-WebRequest. - The downloaded payload is saved to disk, often in a temporary directory like
$env:temp. - The attacker executes the downloaded payload using PowerShell, potentially bypassing application control policies.
- The payload establishes persistence, for example, by creating a scheduled task or modifying a registry key.
- The attacker uses the compromised system for lateral movement or data exfiltration.
Impact
A successful attack leveraging suspicious PowerShell arguments can lead to malware installation, system compromise, data theft, and potentially ransomware deployment. While the rule itself doesn't specify a concrete number of victims or targeted sectors, similar attacks have impacted organizations across various industries, leading to significant financial losses, reputational damage, and operational disruption.
Recommendation
- Deploy the Sigma rule "Suspicious PowerShell Arguments with Encoded Commands" to detect PowerShell executions containing Base64 encoded commands, focusing on the
process_creationlog source. - Deploy the Sigma rule "Suspicious PowerShell Download Cradle" to detect PowerShell executions using
WebClientorInvoke-WebRequestto download files from the internet, monitoringprocess_creationevents. - Enable Sysmon process creation logging to provide detailed process information for more accurate detection.
- Review and tune the provided Sigma rules to reduce false positives based on your environment's legitimate PowerShell usage.
- Investigate and remediate any alerts generated by the deployed rules promptly to prevent further compromise.
Detection coverage 2
Suspicious PowerShell Arguments with Encoded Commands
highDetects PowerShell execution with Base64 encoded command arguments, a common technique for obfuscating malicious commands.
Suspicious PowerShell Download Cradle
mediumDetects PowerShell using WebClient or Invoke-WebRequest to download files from the internet, indicating potential malware download.
Detection queries are available on the platform. Get full rules →