atomic-threat-coverage/detection_rules/sysmon_powershell_suspicious_parameter_variation.yml

63 lines
1.7 KiB
YAML
Raw Normal View History

2019-02-10 22:02:42 +00:00
title: Suspicious PowerShell Parameter Substring
status: experimental
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
logsource:
product: windows
service: sysmon
detection:
selection:
Image:
- '*\Powershell.exe'
EventID: 1
CommandLine:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
condition: selection
falsepositives:
- Penetration tests
level: high