SigmaHQ/rules/windows/process_creation/win_powershell_xor_commandline.yml
2019-11-12 23:12:27 +01:00

title: Suspicious XOR Encoded PowerShell Command Line
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
description: Detects a suspicious PowerShell process whose command line includes the bxor operator, an alternative obfuscation method to Base64 encoded commands.
status: experimental
author: Sami Ruohonen
date: 2018/09/05
tags:
    - attack.execution
    - attack.t1086
detection:
    selection:
        CommandLine:
            - '* -bxor*'
    condition: selection
falsepositives:
    - unknown
level: medium
logsource:
    category: process_creation
    product: windows