security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80098113d06750ddb9ab275d7df1049f88d4ea7c
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
T

26 lines
889 B
YAML
Raw Normal View History

add powershell_suspicious_windowstyle
2021-10-20 13:57:24 +02:00
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: experimental
description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
Update Ref+Selection
2022-07-11 14:11:53 +01:00
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
add powershell_suspicious_windowstyle
2021-10-20 13:57:24 +02:00
tags:
- attack.defense_evasion
- attack.t1564.003
author: frack113
date: 2021/10/20
logsource:
product: windows
category: ps_script
Add missing definition fields and references
2022-07-07 19:13:01 +01:00
definition: Script block logging must be enabled
add powershell_suspicious_windowstyle
2021-10-20 13:57:24 +02:00
detection:
selection:
Add missing definition fields and references
2022-07-07 19:13:01 +01:00
ScriptBlockText|contains|all:
add powershell_suspicious_windowstyle
2021-10-20 13:57:24 +02:00
- 'powershell'
- 'WindowStyle'
- 'Hidden'
condition: selection
falsepositives:
- Unknown
Update Ref+Selection
2022-07-11 14:11:53 +01:00
level: medium
Reference in New Issue Copy Permalink