valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4789b15fd5
SigmaHQ/rules/windows/process_creation/win_powershell_xor_commandline.yml

21 lines
544 B
YAML
Raw Normal View History

Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
title: Suspicious XOR Encoded PowerShell Command Line
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
status: experimental
author: Sami Ruohonen
date: 2018/09/05
Added missing tags and some minor improvements
2019-03-05 22:25:49 +00:00
tags:
- attack.execution
- attack.t1086
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
detection:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
selection:
CommandLine:
- '* -bxor*'
condition: selection
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
falsepositives:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
- unknown
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
level: medium
logsource:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
category: process_creation
product: windows
Reference in New Issue Copy Permalink