CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/win_powershell_cmdline_specific_comb_methods.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

68 lines
2.0 KiB
YAML
Raw Blame History

title: Encoded PowerShell Command Line
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
date: 2020/10/11
description: Detects specific combinations of encoding methods in the PowerShell command
lines
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*ToChar*'
SELECTION_11:
CommandLine: '*ToString*'
SELECTION_12:
CommandLine: '*String*'
SELECTION_13:
CommandLine: '*char*'
SELECTION_14:
CommandLine: '*join*'
SELECTION_15:
CommandLine: '*split*'
SELECTION_16:
CommandLine: '*join*'
SELECTION_17:
CommandLine: '*ForEach*'
SELECTION_18:
CommandLine: '*Xor*'
SELECTION_19:
CommandLine: '*cOnvErTTO-SECUreStRIng*'
SELECTION_2:
Image: '*\powershell.exe'
SELECTION_3:
EventID: 1
SELECTION_4:
CommandLine: '*ToInt*'
SELECTION_5:
CommandLine: '*ToDecimal*'
SELECTION_6:
CommandLine: '*ToByte*'
SELECTION_7:
CommandLine: '*ToUint*'
SELECTION_8:
CommandLine: '*ToSingle*'
SELECTION_9:
CommandLine: '*ToSByte*'
condition: (SELECTION_1 and SELECTION_2 and ((((SELECTION_3 and (SELECTION_4 or
SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and
(SELECTION_10 or SELECTION_11 or SELECTION_12)) or (SELECTION_13 and SELECTION_14))
or (SELECTION_15 and SELECTION_16)) or (SELECTION_17 and SELECTION_18) or
(SELECTION_19)))
falsepositives:
- Unlikely
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
level: medium
logsource:
category: process_creation
product: windows
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: win_powershell_cmdline_specific_comb_methods.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
Reference in New Issue View Git Blame Copy Permalink