SigmaHQ/rules/windows/process_creation/win_susp_ps_appdata.yml

26 lines
791 B
YAML
Raw Normal View History

title: PowerShell Script Run in AppData
2019-11-12 22:12:27 +00:00
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
2019-03-06 04:25:12 +00:00
tags:
- attack.execution
2020-06-16 20:46:08 +00:00
- attack.t1059.001
- attack.t1086 # an old one
author: Florian Roth
date: 2019/01/09
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
condition: selection
falsepositives:
- Administrative scripts
level: medium