hayabusa/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235)
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00


title: Suspicious PowerShell WindowStyle Option
author: frack113
date: 2021/10/20
description: Adversaries may use hidden windows to conceal malicious activity from
    the plain sight of users. In some cases, windows that would typically be displayed
    when an application carries out an operation can be hidden
detection:
    SELECTION_1:
        ScriptBlockText: '*powershell*'
    SELECTION_2:
        ScriptBlockText: '*WindowStyle*'
    SELECTION_3:
        ScriptBlockText: '*Hidden*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
    - Unknown
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
level: medium
logsource:
    category: ps_script
    product: windows
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
status: experimental
tags:
    - attack.defense_evasion
    - attack.t1564.003
ruletype: SIGMA
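The three selections and the AND condition above, evaluated the way a Sigma engine would (wildcards expanded, case-insensitive, whole-value match) over a few constructed Script Block Logging values. This is an added illustration, not Hayabusa's or the rule author's code; the sample events and the field names other than ScriptBlockText are assumptions.

```python
import re

# Selections copied from the rule's detection section: field -> Sigma wildcard pattern.
DETECTION = {
    "SELECTION_1": {"ScriptBlockText": "*powershell*"},
    "SELECTION_2": {"ScriptBlockText": "*WindowStyle*"},
    "SELECTION_3": {"ScriptBlockText": "*Hidden*"},
}
# condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
CONDITION = ("SELECTION_1", "SELECTION_2", "SELECTION_3")


def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a Sigma value with '*' / '?' wildcards into an anchored, case-insensitive
    regex; every other character is matched literally (Sigma default string matching)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict, event: dict) -> bool:
    """All field/pattern pairs of one selection must match (a selection is an AND)."""
    return all(
        field in event and sigma_pattern_to_regex(pat).match(str(event[field])) is not None
        for field, pat in selection.items()
    )


def rule_matches(event: dict) -> bool:
    """Evaluate the rule's condition: every named selection has to match."""
    return all(selection_matches(DETECTION[name], event) for name in CONDITION)


# Constructed ScriptBlockText values (assumed EventID 4104 records), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Start-Process powershell -WindowStyle Hidden -File .\\update.ps1"},
    {"EventID": 4104, "ScriptBlockText": "start-process POWERSHELL.exe -windowstyle hidden -noprofile"},  # case differs
    {"EventID": 4104, "ScriptBlockText": "Start-Process notepad -WindowStyle Hidden"},  # no 'powershell'
    {"EventID": 4104, "ScriptBlockText": "powershell -NoProfile -File .\\inventory.ps1"},  # no WindowStyle/Hidden
]


def triage(events: list) -> list:
    """Return the indexes of the events this rule would flag."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [0, 1]
```

The second sample shows why the rule catches mixed-case spellings, and the third and fourth show that all three substrings must be present in the same script block before it fires.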