
Rule Info
Name
Suspicious PowerShell IEX Invocation with String Concatenation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious PowerShell command patterns that use Invoke-Expression (IEX) with string concatenation, potentially to obfuscate malicious downloads.
Threat actors may use this technique to execute commands that download and run scripts from remote locations, often obfuscating the command to evade detection.
Date
2025-06-04 00:00:00
Modified
None
Id
5d9f2caf-03c2-42de-8c1e-1a59b22000f7
Tags
attack.execution attack.t1059.001 attack.defense-evasion attack.t1027.010
Type
Nextron Sigma feed only (private)