MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt
This Snort rule inspects established HTTP traffic flowing from the server to the client (flow:to_client) that an earlier rule has already flagged as carrying an executable file (flowbits:isset,file.exe). Within that traffic it looks for the string "powershell" followed within 50 bytes by "bypass", the pattern of a PowerShell command invoked with "ExecutionPolicy Bypass". Such a command embedded in a downloaded executable can indicate an attempt to run malicious scripts or commands while bypassing the host's script execution policy. When the content matches under these conditions, an alert is generated.
Signature
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"powershell"; fast_pattern; content:"bypass"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086/; classtype:trojan-activity; sid:49569; rev:1;)
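The following is an added example, not Snort's own matching engine or code from the rule's authors: a small Python emulation of the conditions in SID 49569, run over constructed sample payloads, so that the rule's reach and its blind spots can be seen directly. It assumes Snort's documented defaults for the options used on the page: content matches are case-sensitive because the rule has no nocase modifier, and within:50 requires the second pattern to lie entirely inside the 50 bytes that follow the end of the previous match. The Packet class and the to_client/file_exe flags stand in for the flow and flowbits preconditions and are assumptions of this example.

```python
"""Emulation of the content-matching logic of Snort SID 49569.

Added example, not Snort's own matcher. Assumptions (labelled):
 - content matches are case-sensitive (the rule carries no 'nocase');
 - 'within:50' means the second content must be found entirely inside
   the 50 bytes that follow the end of the previous content match;
 - flow:to_client and flowbits:isset,file.exe are modelled as two
   booleans on a Packet object (a simplification of Snort's state).
"""
from dataclasses import dataclass

NEEDLE_1 = b"powershell"   # content:"powershell"; fast_pattern
NEEDLE_2 = b"bypass"       # content:"bypass"; within:50
WITHIN = 50


@dataclass
class Packet:
    payload: bytes
    to_client: bool   # flow:to_client,established (assumed pre-evaluated)
    file_exe: bool    # flowbits:isset,file.exe set by a preceding file rule


def content_match(payload: bytes) -> bool:
    """True if 'powershell' occurs and 'bypass' lies entirely within the
    50 bytes following it. Case-sensitive, like the rule as written."""
    start = 0
    while True:
        i = payload.find(NEEDLE_1, start)
        if i < 0:
            return False
        end = i + len(NEEDLE_1)
        window = payload[end:end + WITHIN]   # the 'within:50' search window
        if NEEDLE_2 in window:
            return True
        start = i + 1   # retry against any later 'powershell' occurrence


def rule_fires(pkt: Packet) -> bool:
    """All rule preconditions plus the content match must hold."""
    return pkt.to_client and pkt.file_exe and content_match(pkt.payload)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "lowercase_bypass":  b"powershell -executionpolicy bypass -w hidden -f a.ps1",
    "mixed_case_bypass": b"powershell -ExecutionPolicy Bypass -File a.ps1",
    "bypass_too_far":    b"powershell" + b" " * 60 + b"bypass",
    "bypass_at_edge":    b"powershell" + b"x" * 44 + b"bypass",
    "bypass_past_edge":  b"powershell" + b"x" * 45 + b"bypass",
    "second_occurrence": b"powershell" + b"x" * 60 + b"powershell -ep bypass",
}


def evaluate_samples() -> dict:
    """Run the content check over every constructed sample."""
    return {name: content_match(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'MATCH' if hit else 'no match'}")
    # Same payload, but the flow/flowbit preconditions decide the verdict.
    p = b"powershell -ep bypass"
    print("to_client+file.exe ->", rule_fires(Packet(p, True, True)))
    print("to_server          ->", rule_fires(Packet(p, False, True)))
    print("no file.exe bit    ->", rule_fires(Packet(p, True, False)))
```

Two consequences of the rule text are visible in the samples: because there is no nocase, the common capitalised spelling "Bypass" does not match, and because the rule gates on flow:to_client plus the file.exe flowbit, a PowerShell command line in a request or in a non-executable response is never evaluated. Both are worth knowing when tuning this signature or when deciding what additional host-side telemetry is needed to cover the gaps.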
MITRE ATT&CK Technique
Command and Scripting Interpreter (T1059); Command and Scripting Interpreter: PowerShell (T1059.001)
Recommendations/Investigative actions
Identify the source and destination and check whether the communication is authorized. If PowerShell is not allowed by the organization's security instructions, it is recommended to disable PowerShell on the host; if PowerShell is allowed, enforce a strict policy. Block HTTP connections from the internet to the internal network at the firewall. Search for related attack alerts at the same time or on the same IPs, as this can be an attempt to perform lateral movement. Run an antimalware scan on the destination to make sure the endpoint is clean. If the source is an internal IP, check which service initiated the communication and verify it.
Relations to other alerts