Forked from Cyb3rWard0g/sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
Created
December 25, 2018 06:45
-
-
Save 0xa-saline/6a9f6acba1a2608bb03d7cb6c8949c33 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Suspicious PowerShell Parameter Substring | |
status: experimental | |
description: Detects suspicious PowerShell invocation with a parameter substring | |
references: | |
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier | |
tags: | |
- attack.execution | |
- attack.t1086 | |
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | |
logsource: | |
product: windows | |
service: sysmon | |
detection: | |
selection: | |
Image: | |
- '*\Powershell.exe' | |
EventID: 1 | |
CommandLine: | |
- ' -windowstyle h ' | |
- ' -windowstyl h' | |
- ' -windowsty h' | |
- ' -windowst h' | |
- ' -windows h' | |
- ' -windo h' | |
- ' -wind h' | |
- ' -win h' | |
- ' -wi h' | |
- ' -win h ' | |
- ' -win hi ' | |
- ' -win hid ' | |
- ' -win hidd ' | |
- ' -win hidde ' | |
- ' -NoPr ' | |
- ' -NoPro ' | |
- ' -NoProf ' | |
- ' -NoProfi ' | |
- ' -NoProfil ' | |
- ' -nonin ' | |
- ' -nonint ' | |
- ' -noninte ' | |
- ' -noninter ' | |
- ' -nonintera ' | |
- ' -noninterac ' | |
- ' -noninteract ' | |
- ' -noninteracti ' | |
- ' -noninteractiv ' | |
- ' -ec ' | |
- ' -encodedComman ' | |
- ' -encodedComma ' | |
- ' -encodedComm ' | |
- ' -encodedCom ' | |
- ' -encodedCo ' | |
- ' -encodedC ' | |
- ' -encoded ' | |
- ' -encode ' | |
- ' -encod ' | |
- ' -enco ' | |
- ' -en ' | |
condition: selection | |
falsepositives: | |
- Penetration tests | |
level: high |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment