title: Suspicious XOR Encoded PowerShell Command Line
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
status: test
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton
date: 2018/09/05
modified: 2022/01/10
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - Description: 'Windows PowerShell'
    - Product: 'PowerShell Core 6'
  filter:
    CommandLine|contains:
      - 'bxor'
      - '-join '
      - '-join'''
      - '-join"'
      - '-join`'
      - 'char'
  false_positives:
    ParentImage: 
      - C:\Program Files\Amazon\SSM\ssm-document-worker.exe
  condition: selection and filter and not false_positives
falsepositives:
  - unknown
level: medium
tags:
  - attack.defense_evasion
  - attack.t1059.001
  - attack.t1140
  - attack.t1027