SigmaHQ/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_combo.yml
2017-03-05 23:51:39 +01:00


title: Suspicious PowerShell Parameter Combination
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth
logsource:
    product: sysmon
detection:
    keywords:
        - 'powershell'
        - ' -nop '
        - ' -w hidden '
        - ' -exec bypass '
        - ' -enc '
    condition: all of keywords
falsepositives:
    - Penetration tests
    - Very special / sneaky PowerShell scripts
level: high
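The rule's `all of keywords` logic replayed over a few constructed Sysmon process-creation records, as an added example that is not part of the SigmaHQ repository: the sample events, the space-padding step and the `-enc` placeholder value are assumptions for illustration, not project code.

```python
# Added example, not part of the SigmaHQ repository: replays this rule's
# 'all of keywords' logic over constructed Sysmon EventID 1 records.

# Keywords exactly as the rule lists them; note the surrounding spaces
RULE_KEYWORDS = ["powershell", " -nop ", " -w hidden ", " -exec bypass ", " -enc "]

# Constructed Sysmon process-creation events (field names as in Sysmon EventID 1);
# BASE64PLACEHOLDER stands in for a real -enc argument
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # all five short-form parameters: the rule should fire
        "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -nop -w hidden -exec bypass -enc BASE64PLACEHOLDER",
    },
    {   # scheduled backup script: only two of the keywords, so no match
        "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -nop -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    },
    {   # same five parameters, but '-w hidden' is the last token on the line,
        # so the space-padded keyword ' -w hidden ' only matches if the text is padded
        "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -nop -exec bypass -enc BASE64PLACEHOLDER -w hidden",
    },
]


def event_text(event: dict, pad: bool) -> str:
    # Sigma keyword rules match against the whole event, not a single field;
    # join the field values the way a full-text backend would index them.
    # Padding one space on each side (an assumption, not Sigma behaviour) keeps
    # the rule's space-delimited keywords matching at the start or end of the line.
    text = " ".join(str(value) for value in event.values())
    return f" {text} " if pad else text


def matches_rule(event: dict, pad: bool = True) -> bool:
    # Sigma string matching is case-insensitive substring matching, and
    # 'all of keywords' requires every listed keyword to be present
    text = event_text(event, pad).lower()
    return all(keyword.lower() in text for keyword in RULE_KEYWORDS)


def alerts(events: list, pad: bool = True) -> list:
    # Indices of the events that trigger the rule, for a quick triage view
    return [i for i, event in enumerate(events) if matches_rule(event, pad)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"ALERT [{i}] {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running with `pad=False` shows how the third record slips past the literal keywords, which is worth knowing before relying on this rule alone for triage.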