rules/windows/process_creation/win_powershell_xor_commandline.yml

title: Suspicious XOR Encoded PowerShell Command Line
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
status: experimental
author: Sami Ruohonen, Harish Segar (improvement)
date: 2018/09/05
modified: 2020/06/29
tags:
    - attack.execution
    - attack.t1086
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: "Windows PowerShell"
        - Product: "PowerShell Core 6"
    filter:
        CommandLine|contains:
            - "bxor"
            - "join"
            - "char"
    condition: selection and filter
falsepositives:
    - unknown
level: medium
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Suspicious XOR Encoded PowerShell Command Line`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: bb780e0c-16cf-4383-8383-1e5471db6cf9`
Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00			`description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00			`author: Sami Ruohonen, Harish Segar (improvement)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`date: 2018/09/05`
Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00			`modified: 2020/06/29`
Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00			`logsource:`
			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00			`- Description: "Windows PowerShell"`
			`- Product: "PowerShell Core 6"`
			`filter:`
			`CommandLine\|contains:`
			`- "bxor"`
			`- "join"`
			`- "char"`
			`condition: selection and filter`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: medium`