Techniques
Sample rules
Suspicious Program Names
- source: sigma
- techniques:
  - t1059
Description
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Detection logic
condition: 1 of selection*
selection_commandline:
    CommandLine|contains:
        - inject.ps1
        - Invoke-CVE
        - pupy.ps1
        - payload.ps1
        - beacon.ps1
        - PowerView.ps1
        - bypass.ps1
        - obfuscated.ps1
        - obfusc.ps1
        - obfus.ps1
        - obfs.ps1
        - evil.ps1
        - MiniDogz.ps1
        - _enc.ps1
        - \shell.ps1
        - \rshell.ps1
        - revshell.ps1
        - \av.ps1
        - \av_test.ps1
        - adrecon.ps1
        - mimikatz.ps1
        - \PowerUp_
        - powerup.ps1
        - \Temp\a.ps1
        - \Temp\p.ps1
        - \Temp\1.ps1
        - Hound.ps1
        - encode.ps1
        - powercat.ps1
selection_image:
    - Image|contains:
        - \CVE-202
        - \CVE202
    - Image|endswith:
        - \poc.exe
        - \artifact.exe
        - \artifact64.exe
        - \artifact_protected.exe
        - \artifact32.exe
        - \artifact32big.exe
        - obfuscated.exe
        - obfusc.exe
        - \meterpreter
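
An added example (not part of the Sigma project or of this page's rule source) showing how the two selections and the `1 of selection*` condition evaluate over process-creation events. It uses a subset of the rule's strings, applies Sigma's default case-insensitive matching, and runs on constructed events; the function and event names are hypothetical.

```python
# Added example: a subset of the rule's strings, evaluated over constructed events.
CMDLINE_CONTAINS = ["inject.ps1", "mimikatz.ps1", "\\shell.ps1", "Hound.ps1", "_enc.ps1"]
IMAGE_CONTAINS = ["\\CVE-202", "\\CVE202"]
IMAGE_ENDSWITH = ["\\poc.exe", "\\artifact.exe", "obfusc.exe", "\\meterpreter"]


def selection_commandline(event):
    # CommandLine|contains: any listed string as a case-insensitive substring
    cmd = event.get("CommandLine", "").lower()
    return any(s.lower() in cmd for s in CMDLINE_CONTAINS)


def selection_image(event):
    # The two list items under selection_image are OR-ed together
    image = event.get("Image", "").lower()
    return (any(s.lower() in image for s in IMAGE_CONTAINS)
            or any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH))


def rule_matches(event):
    # condition: 1 of selection*
    return selection_commandline(event) or selection_image(event)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events, not real telemetry
EVENTS = {
    "upper_case_script": {"Image": PS, "CommandLine": r"powershell -File C:\Users\x\MIMIKATZ.PS1"},
    "cve_folder": {"Image": r"C:\Users\x\Downloads\CVE-202X-XXXXX\run.exe", "CommandLine": "run.exe"},
    "poc_binary": {"Image": r"C:\Users\x\Desktop\poc.exe", "CommandLine": "poc.exe"},
    # "\shell.ps1" needs the path separator, so this admin script does not match
    "anchored_miss": {"Image": PS, "CommandLine": r"powershell -File C:\Scripts\Start-PowerShell.ps1"},
    # "_enc.ps1" has no separator: a benign backup script is a false positive
    "benign_hit": {"Image": PS, "CommandLine": r"powershell -File C:\Scripts\backup_enc.ps1"},
    "plain": {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
}


def triage():
    # Map each constructed event name to whether the rule would alert on it
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:18} {'ALERT' if hit else 'ok'}")
```

Entries without a leading backslash match anywhere in the path or command line, so expect benign hits such as the backup script above and plan allow-list filters accordingly.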