From bbaa9df21757bba2e398b23fa72eae548ab1693e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 16 Dec 2019 19:08:51 +0100
Subject: [PATCH] rule: better JAB rule
---
 rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index c8e87717b..67115f264 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -25,6 +25,7 @@ detection:
 - '* -en JAB*'
 - '* -enc JAB*'
 - '* -enc* JAB*'
+ - '* -w hidden -e* JAB*'
 - '* BA^J e-'
 - '* -e SUVYI*'
 - '* -e aWV4I*'
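Review bot: The added pattern `+ - '* -w hidden -e* JAB*'` keys on the single abbreviation `-w` of the WindowStyle switch, while powershell.exe accepts any unambiguous prefix of the parameter name (`-win`, `-window`, `-windowstyle`), so the same intent is covered more completely by `- '* -w* hidden -e* JAB*'` without widening the match beyond what the rest of the list already accepts. The line would also benefit from a why-comment, since nothing in the hunk says what the token means; suggest `# JAB = base64 prefix of a UTF-16LE script starting with '$' followed by a letter (variable assignment)` above the first JAB entry. If the rule carries a `modified:` field (outside this hunk), it should be bumped to the commit date because the detection logic changed. The enclosing selection list under `detection:` begins before line 25 and its key is not visible in the hunk.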