Merge pull request SigmaHQ#4048 from YamatoSecurity/update-powershell…
…-usage-of-base64-IEX

added other potential IEX strings
frack113 authored Feb 18, 2023
2 parents db23238 + 9c673bb commit e327427
Showing 1 changed file with 7 additions and 1 deletion.
Expand Up @@ -4,7 +4,7 @@ status: test
description: Detects usage of a base64 encoded "IEX" string in a process command line
author: Florian Roth (Nextron Systems)
date: 2019/08/23
modified: 2023/01/30
modified: 2023/02/18
tags:
- attack.execution
- attack.t1059.001
Expand All @@ -18,6 +18,12 @@ detection:
- 'iex (['
- 'iex (New'
- 'IEX (New'
- 'IEX(['
- 'iex(['
- 'iex(New'
- 'IEX(New'
- "IEX(('"
- "iex(('"
# UTF16 LE
- CommandLine|contains:
- 'SQBFAFgAIAAoAFsA'
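Review bot: The six no-space variants (`IEX([`, `iex([`, `iex(New`, `IEX(New`, `IEX(('`, `iex(('`) are added only to the first string list, while the `# UTF16 LE` block right below is untouched; the 7 additions in this commit are these six strings plus the `modified` date. The precomputed value `'SQBFAFgAIAAoAFsA'` in that block is the UTF-16LE encoding of `IEX ([` with the space, so a UTF-16LE encoded command line using any of the new no-space forms will not hit the `CommandLine|contains` branch. Please add the matching UTF-16LE encodings for the new strings to that block in the same change, or add a comment saying why they are not needed. The new entries also cover only the all-upper and all-lower spellings; since base64 output differs per input case, mixed-case forms such as `Iex(` stay unmatched, which is worth stating in the rule's description or false-negative notes if it is intentional.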