Potential Persistence Via Powershell Search Order Hijacking - Task (b66474aa-bd92-4333-a16c-298155b120df)

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Potential Persistence Via Powershell Search Order Hijacking - Task (b66474aa-bd92-4333-a16c-298155b120df)	Sigma-Rules	1
Potential Persistence Via Powershell Search Order Hijacking - Task (b66474aa-bd92-4333-a16c-298155b120df)	Sigma-Rules	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2