security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bef5f03015e47fd2bef8a38e98e5e9a1385cc76f
blue-team-tools/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
T
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00

27 lines
780 B
YAML
Raw Blame History

title: Suspicious Encoded PowerShell Command Line
description: Detects suspicious powershell process starts with base64 encoded commands
status: experimental
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth, Markus Neis
date: 2018/09/03
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* -e JAB*'
- '* -enc JAB*'
- '* -encodedcommand JAB*'
- '* BA^J e-'
falsepositive1:
Image: '*\GRR\\*'
falsepositive2:
CommandLine: '* -ExecutionPolicy remotesigned *'
condition: selection and not 1 of falsepositive*
falsepositives:
- GRR powershell hacks
- PowerSponse Deployments
level: high
Reference in New Issue View Git Blame Copy Permalink