security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
T
frack113 01dc930c17 Change status for old rules
2021-11-27 11:33:14 +01:00

25 lines
625 B
YAML
Raw Blame History

title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
author: Nikita Nazarov, oscd.community
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
date: 2020/10/12
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
Reference in New Issue View Git Blame Copy Permalink