rules/windows/process_creation/win_susp_powershell_enc_cmd.yml

title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
status: experimental
references:
    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth, Markus Neis
date: 2018/09/03
modified: 2019/12/16
tags:
  - attack.execution
  - attack.t1086
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '* -e JAB*'
            - '* -e  JAB*'
            - '* -e   JAB*'
            - '* -e    JAB*'
            - '* -e     JAB*'
            - '* -e      JAB*'
            - '* -en JAB*'
            - '* -enc JAB*'
            - '* -enc* JAB*'
            - '* -w hidden -e* JAB*'
            - '* BA^J e-'
            - '* -e SUVYI*'
            - '* -e aWV4I*'
            - '* -e SQBFAFgA*'
            - '* -e aQBlAHgA*'
            - '* -enc SUVYI*'
            - '* -enc aWV4I*'
            - '* -enc SQBFAFgA*'
            - '* -enc aQBlAHgA*'
    falsepositive1:
        CommandLine: '* -ExecutionPolicy remotesigned *'
    condition: selection and not falsepositive1
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Suspicious Encoded PowerShell Command Line`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: ca2092a1-c273-4878-9b4b-0d60115bf5ea`
style: minor changes 2019-12-20 14:59:26 +01:00			`description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`author: Florian Roth, Markus Neis`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`date: 2018/09/03`
rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:50 +01:00			`modified: 2019/12/16`
Fix 4 rules 2019-03-06 01:56:05 +03:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
			`CommandLine:`
			`- '* -e JAB*'`
Rule: reworked win_susp_powershell_enc_cmd 2019-07-30 14:36:30 +02:00			`- '* -e JAB*'`
			`- '* -e JAB*'`
			`- '* -e JAB*'`
			`- '* -e JAB*'`
			`- '* -e JAB*'`
rule: suspicious PS rule modified to cover newest malware campaigns 2019-12-16 19:02:50 +01:00			`- '* -en JAB*'`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- '* -enc JAB*'`
rule: improved JAB expression 2019-12-16 19:04:05 +01:00			`- '* -enc* JAB*'`
rule: better JAB rule 2019-12-16 19:08:51 +01:00			`- '* -w hidden -e* JAB*'`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- '* BA^J e-'`
Rule: Extended PowerShell Susp Cmdline Enc Commands 2019-04-20 09:38:07 +02:00			`- '* -e SUVYI*'`
			`- '* -e aWV4I*'`
			`- '* -e SQBFAFgA*'`
			`- '* -e aQBlAHgA*'`
			`- '* -enc SUVYI*'`
			`- '* -enc aWV4I*'`
			`- '* -enc SQBFAFgA*'`
			`- '* -enc aQBlAHgA*'`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`falsepositive1:`
			`CommandLine: '* -ExecutionPolicy remotesigned *'`
Remove loose wildcard filter in powershell encoded cmd rule 2019-04-11 12:53:12 +02:00			`condition: selection and not falsepositive1`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: high`