From 9c673bbb15759964006409d40dcc6879631f3157 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 18 Feb 2023 05:51:40 +0900
Subject: [PATCH] added other potential IEX strings
---
 .../proc_creation_win_powershell_base64_iex.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
index 4759efa5ad1..502560e2a00 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects usage of a base64 encoded "IEX" string in a process command line
 author: Florian Roth (Nextron Systems)
 date: 2019/08/23
-modified: 2023/01/30
+modified: 2023/02/18
 tags:
 - attack.execution
 - attack.t1059.001
@@ -18,6 +18,12 @@ detection:
 - 'iex (['
 - 'iex (New'
 - 'IEX (New'
+ - 'IEX(['
+ - 'iex(['
+ - 'iex(New'
+ - 'IEX(New'
+ - "IEX(('"
+ - "iex(('"
 # UTF16 LE
 - CommandLine|contains:
 - 'SQBFAFgAIAAoAFsA'
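Review bot: The six new patterns are added only to the first string list, while the `# UTF16 LE` `CommandLine|contains:` list that follows it in the same hunk, which mirrors the first list with pre-encoded base64 (its first entry `'SQBFAFgAIAAoAFsA'` decodes to UTF-16 LE `IEX ([`), receives no counterparts, so the no-space variants such as `IEX([` and `iex(New` stay undetected when the encoded command is UTF-16 LE. Unless the modifier on the first list, which sits above the hunk, already covers UTF-16 encodings, each new pattern should get its UTF-16 LE base64 encodings in the lower list, derived the same way as the existing entries. The `detection:` block that holds both lists starts before the hunk, so that modifier cannot be confirmed from here. A short comment on the added group, e.g. `# same strings without the space before '('`, would also make the relationship to the entries above explicit for future maintainers.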