From 75637324e0f94ccfcc9eb8dd50c0f8168be492b0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 23 Oct 2020 23:44:48 +0200
Subject: [PATCH] feat: cover newest emotet campaigns
---
 rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index a2a4ad534..a384047e8 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -40,6 +40,7 @@ detection:
 - '* -e* IAB*'
 - '* -e* UwB*'
 - '* -e* cwB*'
+ - '*.exe -ENCOD *'
 falsepositive1:
 CommandLine: '* -ExecutionPolicy remotesigned *'
 condition: selection and not falsepositive1
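Review bot: The added entry `'*.exe -ENCOD *'` is anchored on the literal `.exe` token and one exact abbreviation of the encoded-command switch, whereas the neighbouring entries key on the base64 prefix of the payload itself, so this line covers a single observed spelling rather than the underlying technique; that narrower intent should be stated in the rule, e.g. `# campaign-specific spelling seen in Emotet (Oct 2020); relies on Sigma's case-insensitive default matching`. If the rule header carries `modified` and `references` fields (outside this hunk), they should be updated to record the date and the source of this addition, since the commit message is the only place the Emotet link is currently documented. The selection list this entry extends begins before the hunk, so whether an `Image` constraint also narrows the match cannot be confirmed from here.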