Detection rules › Splunk
Invoke-Expression Command (PowerShell)
Detects when PowerShell Invoke-Expression is executed. -- Threat Group Association: Actinium/Gamaredon/Primitive Bear, Andariel, APT29/Nobelium/Cozy Bear, APT31, FIN7, FIN8, Lazarus, TA505, TA551, Turla (akaSecret Blizzard, KRYPTON, and UAC-0003), WinterVivern/UAC-0114, Winter Vivern, WIRTE, Wizard Spider
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
References
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.1
- https://www.fortinet.com/blog/threat-research/offense-and-defense-a-tale-of-two-sides-powershell
- https://www.cyber.gov.au/acsc/view-all-content/publications/securing-powershell-enterprise
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/?utm_campaign=Threat%20Report%20Newsletter&utm_medium=email&_hsmi=203254280&_hsenc=p2ANqtz-_lmhDqWF4dK1aEuVSrgJUOHdLMvJ7ORkr-vdksakqAPIxGFhGLMHMGAUiX4y9HTdUyzYWBQlJ
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '1037.1049'
title: Invoke-Expression Command
description: 'Detects when PowerShell Invoke-Expression is executed. -- Threat Group
Association: Actinium/Gamaredon/Primitive Bear, Andariel, APT29/Nobelium/Cozy Bear,
APT31, FIN7, FIN8, Lazarus, TA505, TA551, Turla (akaSecret Blizzard, KRYPTON, and
UAC-0003), WinterVivern/UAC-0114, Winter Vivern, WIRTE, Wizard Spider - Software
Association: ALPHV/BlackCat, BadHatch, Bazar, Black Basta, Clop, Conti, Cring, IcedID,
LV, Play, PowerShortShell, PurpleFox, PYSA/Mespinoza, Remcos, SamSam, SquirrelWaffle,
Trickbot, XingLocker -- #TrendingThreat #Russia #Ukraine -- Atomics T1059.001 Test
#1 Atomics T1059.001 Test #4 Atomics T1059.001 Test #5 Atomics T1059.001 Test #8
Atomics T1059.001 Test #11 Atomics T1059.001 Test #13 Atomics T1135 Test #6 Atomics
T1059.005 Test #2 Atomics T1059.005 Test #3 Atomics T1134.002 Test #2'
logic_format: Splunk
logic: ' `get_endpoint_data` `get_endpoint_data_powershell` (EventCode=4103 AND ("IEX"
OR "Invoke-Expression")) OR (EventCode=4104 AND ("Invoke-Expression (New-Object
Net.WebClient).DownloadString" OR "IEX")) | table _time, host, user dvc, dvc_nt_host,
event_id, eventtype, host, index, parameters, process, process_name, process_path,
shell, signature_id, source, sourcetype, tag, user, user_id | bin span=60s | stats
values(*) as * by _time, host | where match(process,"(?i)IEX") OR match(process,"(?i)Invoke-Expression")
OR match(process,"(?i)Invoke-Expression\s+(New-Object\s+Net\.WebClient)\.DownloadString") '
techniques:
- execution:command and scripting interpreter:powershell
technique_id:
- T1059.001
data_category:
- PowerShell logs
- Process command-line parameters
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.1
- https://www.fortinet.com/blog/threat-research/offense-and-defense-a-tale-of-two-sides-powershell
- https://www.cyber.gov.au/acsc/view-all-content/publications/securing-powershell-enterprise
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/?utm_campaign=Threat%20Report%20Newsletter&utm_medium=email&_hsmi=203254280&_hsenc=p2ANqtz-_lmhDqWF4dK1aEuVSrgJUOHdLMvJ7ORkr-vdksakqAPIxGFhGLMHMGAUiX4y9HTdUyzYWBQlJ
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (EventCode=4103 AND ("IEX" OR "Invoke-Expression")) OR (EventCode=4104 AND ("Invoke-Expression (New-Object Net.WebClient).DownloadString" OR "IEX"))
Stage 2: table
| table _time, host, user dvc, dvc_nt_host, event_id, eventtype, host, index, parameters, process, process_name, process_path, shell, signature_id, source, sourcetype, tag, user, user_id
Stage 3: bucket
| bin span=60s
Stage 4: stats
| stats values(*) as * by _time, host
Stage 5: where
| where match(process,"(?i)IEX") OR match(process,"(?i)Invoke-Expression") OR match(process,"(?i)Invoke-Expression\s+(New-Object\s+Net\.WebClient)\.DownloadString")
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "IEX" |
| 1 | "Invoke-Expression" |
| 1 | "Invoke-Expression (New-Object Net.WebClient).DownloadString" |
| 1 | "IEX" |