title: Suspicious PowerShell Cmdline
id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
description: Detects the PowerShell command lines with reversed strings
status: experimental
references:
    - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
date: 2020/10/11
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'hctac'
            - 'kearb'
            - 'dnammoc'
            - 'ekovn'
            - 'eliFd'
            - 'rahc'
            - 'etirw'
            - 'golon'
            - 'tninon'
            - 'eddih'
            - 'tpircS'
            - 'ssecorp'
            - 'llehsrewop'
            - 'esnopser'
            - 'daolnwod'
            - 'tneilCbeW'
            - 'tneilc'
            - 'ptth'
            - 'elifotevas'
            - '46esab'
            - 'htaPpmeTteG'
            - 'tcejbO'
            - 'maerts'
            - 'hcaerof'
            - 'ekovni'
            - 'retupmoc'
    condition: selection
falsepositives:
    - Unlikely
level: high