security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f0c6dbdc84280af95e7b33b3a413ef4c803975ba
blue-team-tools/rules/windows/powershell/powershell_script/powershell_suspicious_windowstyle.yml
T
frack113 a9bc26f37c add powershell_suspicious_windowstyle
2021-10-20 13:57:24 +02:00

24 lines
802 B
YAML
Raw Blame History

title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
tags:
- attack.defense_evasion
- attack.t1564.003
author: frack113
date: 2021/10/20
logsource:
product: windows
category: ps_script
detection:
selection:
ScriptBlockText|contains|all:
- 'powershell'
- 'WindowStyle'
- 'Hidden'
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink