rules/windows/powershell/powershell_xor_commandline.yml

action: global
title: Suspicious XOR Encoded PowerShell Command Line
description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
status: experimental
author: Sami Ruohonen
date: 2018/09/05
detection:
    selection:
        CommandLine:
            - '* -bxor*'
    condition: selection
falsepositives: 
    - unknown
level: medium
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
---
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
Fixed rule 2018-10-18 16:20:51 +02:00			`action: global`
Update powershell_xor_commandline.yml 2018-12-05 05:51:41 +03:00			`title: Suspicious XOR Encoded PowerShell Command Line`
powershell xor commandline 2018-09-05 09:21:15 +02:00			`description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.`
			`status: experimental`
			`author: Sami Ruohonen`
			`date: 2018/09/05`
			`detection:`
			`selection:`
			`CommandLine:`
			`- '* -bxor*'`
			`condition: selection`
			`falsepositives:`
			`- unknown`
			`level: medium`
			`---`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 1`
			`---`
			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00			`definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`
powershell xor commandline 2018-09-05 09:21:15 +02:00			`detection:`
			`selection:`
			`EventID: 4688`