valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
35b4806104
SigmaHQ/rules/windows/process_creation/win_powershell_xor_commandline.yml
Thomas Patzke 0592cbb67a Added UUIDs to rules
2019-11-12 23:12:27 +01:00

21 lines
544 B
YAML
Raw Blame History

title: Suspicious XOR Encoded PowerShell Command Line
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
status: experimental
author: Sami Ruohonen
date: 2018/09/05
tags:
- attack.execution
- attack.t1086
detection:
selection:
CommandLine:
- '* -bxor*'
condition: selection
falsepositives:
- unknown
level: medium
logsource:
category: process_creation
product: windows
Reference in New Issue View Git Blame Copy Permalink