Cyb3rWard0g · December 8, 2018 09:26
diff --git a/sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml b/sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
 title: Suspicious PowerShell Parameter Substring
 status: experimental
 description: Detects suspicious PowerShell invocation with a parameter substring
 references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
 tags:
    - attack.execution
    - attack.t1086
 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 logsource:
    product: windows
    service: sysmon
 detection:
    selection:
        Image:
            - '*\Powershell.exe'
        EventID: 1
        CommandLine:
            - ' -windowstyle h '
            - ' -windowstyl h'
            - ' -windowsty h'
            - ' -windowst h'
            - ' -windows h'
            - ' -windo h'
            - ' -wind h'
            - ' -win h'
            - ' -wi h'
            - ' -win h '
            - ' -win hi '
            - ' -win hid '
            - ' -win hidd '
            - ' -win hidde '
            - ' -NoPr '
            - ' -NoPro '
            - ' -NoProf '
            - ' -NoProfi '
            - ' -NoProfil ' 
            - ' -nonin '
            - ' -nonint '
            - ' -noninte '
            - ' -noninter '
            - ' -nonintera '
            - ' -noninterac '
            - ' -noninteract '
            - ' -noninteracti '
            - ' -noninteractiv '
            - ' -ec '
            - ' -encodedComman '
            - ' -encodedComma '
            - ' -encodedComm '
            - ' -encodedCom '
            - ' -encodedCo '
            - ' -encodedC '
            - ' -encoded '
            - ' -encode '
            - ' -encod '
            - ' -enco '
            - ' -en '
    condition: selection
 falsepositives:
    - Penetration tests
 level: high
	title: Suspicious PowerShell Parameter Substring
	status: experimental
	description: Detects suspicious PowerShell invocation with a parameter substring
	references:
	- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
	tags:
	- attack.execution
	- attack.t1086
	author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
	logsource:
	product: windows
	service: sysmon
	detection:
	selection:
	Image:
	- '*\Powershell.exe'
	EventID: 1
	CommandLine:
	- ' -windowstyle h '
	- ' -windowstyl h'
	- ' -windowsty h'
	- ' -windowst h'
	- ' -windows h'
	- ' -windo h'
	- ' -wind h'
	- ' -win h'
	- ' -wi h'
	- ' -win h '
	- ' -win hi '
	- ' -win hid '
	- ' -win hidd '
	- ' -win hidde '
	- ' -NoPr '
	- ' -NoPro '
	- ' -NoProf '
	- ' -NoProfi '
	- ' -NoProfil '
	- ' -nonin '
	- ' -nonint '
	- ' -noninte '
	- ' -noninter '
	- ' -nonintera '
	- ' -noninterac '
	- ' -noninteract '
	- ' -noninteracti '
	- ' -noninteractiv '
	- ' -ec '
	- ' -encodedComman '
	- ' -encodedComma '
	- ' -encodedComm '
	- ' -encodedCom '
	- ' -encodedCo '
	- ' -encodedC '
	- ' -encoded '
	- ' -encode '
	- ' -encod '
	- ' -enco '
	- ' -en '
	condition: selection
	falsepositives:
	- Penetration tests
	level: high