Suspicious PowerShell Execution Using Curl And IEX

Rule Info

Name: Suspicious PowerShell Execution Using Curl And IEX
Author: X__Junior
Description: Detects suspicious execution of PowerShell processes that utilize curl and iex in the command line. This behavior is commonly associated with malicious script execution, remote code retrieval, and execution from external sources.
Date: 2025-02-27 00:00:00
Modified: None
Id: 8c6f218b-57e8-47f7-907a-41bf00777e99
Tags: attack.defense-evasion
Type: Nextron Sigma feed only (private)

Rule History