SigmaHQ/rules/windows/powershell/powershell_xor_commandline.yml

27 lines
683 B
YAML
Raw Normal View History

2020-06-29 20:09:58 +00:00
title: Suspicious XOR Encoded PowerShell Command Line
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
status: experimental
author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/06/29
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
2020-06-29 20:09:58 +00:00
logsource:
product: windows
service: powershell-classic
detection:
selection:
EventID: 400
HostName: "ConsoleHost"
filter:
CommandLine|contains:
- "bxor"
- "join"
- "char"
condition: selection and filter
falsepositives:
- unknown
level: medium