8c577a329f
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe. SIGMA HELK standardization config updated to match latest HELK Common Information Model
63 lines
1.7 KiB
YAML
title: Suspicious PowerShell Parameter Substring
status: experimental
description: Detects suspicious PowerShell invocation with a parameter substring
references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
tags:
    - attack.execution
    - attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        Image:
            - '*\Powershell.exe'
        EventID: 1
        CommandLine:
            - ' -windowstyle h '
            - ' -windowstyl h'
            - ' -windowsty h'
            - ' -windowst h'
            - ' -windows h'
            - ' -windo h'
            - ' -wind h'
            - ' -win h'
            - ' -wi h'
            - ' -win h '
            - ' -win hi '
            - ' -win hid '
            - ' -win hidd '
            - ' -win hidde '
            - ' -NoPr '
            - ' -NoPro '
            - ' -NoProf '
            - ' -NoProfi '
            - ' -NoProfil '
            - ' -nonin '
            - ' -nonint '
            - ' -noninte '
            - ' -noninter '
            - ' -nonintera '
            - ' -noninterac '
            - ' -noninteract '
            - ' -noninteracti '
            - ' -noninteractiv '
            - ' -ec '
            - ' -encodedComman '
            - ' -encodedComma '
            - ' -encodedComm '
            - ' -encodedCom '
            - ' -encodedCo '
            - ' -encodedC '
            - ' -encoded '
            - ' -encode '
            - ' -encod '
            - ' -enco '
            - ' -en '
    condition: selection
falsepositives:
    - Penetration tests
level: high
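To see what the selection in this rule actually fires on, the following is an added example (not part of the rule file, the commit, or the Sigma project) that evaluates the rule's `selection` block in Python against a few constructed Sysmon Event ID 1 records. It applies Sigma's case-insensitive matching: the `Image` value is treated as a wildcard pattern, and each `CommandLine` value is treated as a substring, which is the behaviour the rule's title describes and what current Sigma spells out with the `CommandLine|contains` modifier; a backend that treats unwildcarded strings as exact matches would not fire on these events. The sample records, the process paths and the encoded-argument placeholder `QQBCAEMA` are all constructed for the example.

```python
"""Added example: evaluate the Sigma selection above against constructed
Sysmon Event ID 1 records. Not part of the rule or of the Sigma project."""
import fnmatch

# Selection values copied from the rule's 'selection' block, in rule order.
IMAGE_PATTERNS = ["*\\Powershell.exe"]
EVENT_ID = 1
COMMANDLINE_SUBSTRINGS = [
    " -windowstyle h ", " -windowstyl h", " -windowsty h", " -windowst h",
    " -windows h", " -windo h", " -wind h", " -win h", " -wi h",
    " -win h ", " -win hi ", " -win hid ", " -win hidd ", " -win hidde ",
    " -NoPr ", " -NoPro ", " -NoProf ", " -NoProfi ", " -NoProfil ",
    " -nonin ", " -nonint ", " -noninte ", " -noninter ", " -nonintera ",
    " -noninterac ", " -noninteract ", " -noninteracti ", " -noninteractiv ",
    " -ec ", " -encodedComman ", " -encodedComma ", " -encodedComm ",
    " -encodedCom ", " -encodedCo ", " -encodedC ", " -encoded ", " -encode ",
    " -encod ", " -enco ", " -en ",
]


def image_matches(image):
    """Sigma wildcard match on Image: '*' and '?' are globs and the comparison
    is case-insensitive (both sides are lowered because fnmatch is
    case-sensitive on POSIX)."""
    return any(fnmatch.fnmatch(image.lower(), pat.lower()) for pat in IMAGE_PATTERNS)


def matching_substrings(command_line):
    """Return the listed values contained in command_line (case-insensitive
    'contains' semantics), in rule order. An empty list means no hit."""
    lowered = command_line.lower()
    return [value for value in COMMANDLINE_SUBSTRINGS if value.lower() in lowered]


def rule_matches(event):
    """Apply the whole selection: all three fields must match (Sigma 'and')."""
    if event.get("EventID") != EVENT_ID:
        return False
    if not image_matches(event.get("Image", "")):
        return False
    return bool(matching_substrings(event.get("CommandLine", "")))


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records (not real telemetry); QQBCAEMA is a placeholder
# for an encoded argument, not a real payload.
SAMPLE_EVENTS = [
    # truncated parameters, the pattern the referenced blog post describes
    {"EventID": 1, "Image": PS_PATH,
     "CommandLine": "powershell.exe -win hidden -NoPr -ec QQBCAEMA"},
    # the same parameters fully spelled out: no listed value is contained
    {"EventID": 1, "Image": PS_PATH,
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -EncodedCommand QQBCAEMA"},
    # matching command line, but a network-connection event, not process creation
    {"EventID": 3, "Image": PS_PATH,
     "CommandLine": "powershell.exe -win hidden -NoPr -ec QQBCAEMA"},
    # the Image filter excludes other processes even when the arguments look alike
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -win h "},
    # mixed case: Sigma matching is case-insensitive on both fields
    {"EventID": 1, "Image": PS_PATH.upper(),
     "CommandLine": "POWERSHELL.EXE -WindowStyle H -NoProfil -EncodedC QQBCAEMA"},
]


def evaluate(events):
    """Return (index, matched_values) for every event the rule fires on."""
    return [(i, matching_substrings(e["CommandLine"]))
            for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for index, hits in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

Running it fires on events 0 and 4 only. The second record is the instructive one: spelled-out parameters such as `-NoProfile` or `-EncodedCommand` contain none of the listed values, because every value ends either at a truncation point or in a padding space, so only abbreviated or padded forms trip the selection. That is the design of the rule, and also why the HELK mapping in the commit message matters: the substrings are only meaningful when matched against the command-line field itself, not against every field of a PowerShell event.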