SigmaHQ/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml

43 lines
1.2 KiB
YAML

title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
status: experimental
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth, Markus Neis
date: 2018/09/03
modified: 2019/12/16
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* -e JAB*'
- '* -e JAB*'
- '* -e JAB*'
- '* -e JAB*'
- '* -e JAB*'
- '* -e JAB*'
- '* -en JAB*'
- '* -enc JAB*'
- '* -enc* JAB*'
- '* -w hidden -e* JAB*'
- '* BA^J e-'
- '* -e SUVYI*'
- '* -e aWV4I*'
- '* -e SQBFAFgA*'
- '* -e aQBlAHgA*'
- '* -enc SUVYI*'
- '* -enc aWV4I*'
- '* -enc SQBFAFgA*'
- '* -enc aQBlAHgA*'
falsepositive1:
CommandLine: '* -ExecutionPolicy remotesigned *'
condition: selection and not falsepositive1
level: high