security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update defense_evasion_amsi_bypass_powershell.toml (#4477)

Browse Source 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Samirbous
2025-02-27 14:36:15 +00:00
committed by GitHub
parent 0340335cf4
commit 7b15acf9dd
1 changed files with 1 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_amsi_bypass_powershell.toml
+1 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -131,9 +131,7 @@ event.category:"process" and host.os.type:windows and
"AllocHGlobal((9076" or
"[cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69"
) or
powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(") or
powershell.file.script_block_text:("::AllocHGlobal((" and ("System.Management.Automation.$([" or "System.$([cHAr]" or "[cHaR]([byTe]")) or
powershell.file.script_block_text:("::AllocHGlobal((" and ".SetValue(" and "-replace" and ".NoRMALiZe(")
) and
not powershell.file.script_block_text : (