SigmaHQ/rules/windows/powershell/powershell_xor_commandline.yml

title: Suspicious XOR Encoded PowerShell Command Line
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
status: experimental
author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/06/29
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1086  #an old one
logsource:
  product: windows
  service: powershell-classic
  definition: fields have to be extract from event
detection:
  selection:
    EventID: 400
    HostName: "ConsoleHost"
  filter:
    CommandLine|contains:
      - "bxor"
      - "join"
      - "char"
  condition: selection and filter
falsepositives:
  - unknown
level: medium
Added new rule for pwsh_xor_cmd 2020-06-29 20:09:58 +00:00			`title: Suspicious XOR Encoded PowerShell Command Line`
			`id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6`
			`description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.`
			`status: experimental`
			`author: Teymur Kheirkhabarov, Harish Segar (rule)`
			`date: 2020/06/29`
			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
Added new rule for pwsh_xor_cmd 2020-06-29 20:09:58 +00:00			`logsource:`
			`product: windows`
			`service: powershell-classic`
$frack113$ add definition to powershell-classic 2021-08-16 10:56:24 +00:00			`definition: fields have to be extract from event`
Added new rule for pwsh_xor_cmd 2020-06-29 20:09:58 +00:00			`detection:`
			`selection:`
			`EventID: 400`
			`HostName: "ConsoleHost"`
			`filter:`
			`CommandLine\|contains:`
			`- "bxor"`
			`- "join"`
			`- "char"`
			`condition: selection and filter`
			`falsepositives:`
			`- unknown`
			`level: medium`