mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-07 01:55:21 +00:00
63 lines
1.7 KiB
YAML
Executable File
63 lines
1.7 KiB
YAML
Executable File
title: Suspicious PowerShell Parameter Substring
|
|
status: experimental
|
|
description: Detects suspicious PowerShell invocation with a parameter substring
|
|
references:
|
|
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1086
|
|
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
Image:
|
|
- '*\Powershell.exe'
|
|
EventID: 1
|
|
CommandLine:
|
|
- ' -windowstyle h '
|
|
- ' -windowstyl h'
|
|
- ' -windowsty h'
|
|
- ' -windowst h'
|
|
- ' -windows h'
|
|
- ' -windo h'
|
|
- ' -wind h'
|
|
- ' -win h'
|
|
- ' -wi h'
|
|
- ' -win h '
|
|
- ' -win hi '
|
|
- ' -win hid '
|
|
- ' -win hidd '
|
|
- ' -win hidde '
|
|
- ' -NoPr '
|
|
- ' -NoPro '
|
|
- ' -NoProf '
|
|
- ' -NoProfi '
|
|
- ' -NoProfil '
|
|
- ' -nonin '
|
|
- ' -nonint '
|
|
- ' -noninte '
|
|
- ' -noninter '
|
|
- ' -nonintera '
|
|
- ' -noninterac '
|
|
- ' -noninteract '
|
|
- ' -noninteracti '
|
|
- ' -noninteractiv '
|
|
- ' -ec '
|
|
- ' -encodedComman '
|
|
- ' -encodedComma '
|
|
- ' -encodedComm '
|
|
- ' -encodedCom '
|
|
- ' -encodedCo '
|
|
- ' -encodedC '
|
|
- ' -encoded '
|
|
- ' -encode '
|
|
- ' -encod '
|
|
- ' -enco '
|
|
- ' -en '
|
|
condition: selection
|
|
falsepositives:
|
|
- Penetration tests
|
|
level: high
|