LoFP

Moderate-to-low; despite the shorter length/lower entropy of some of these strings, their high specificity means FP volume appears to be fairly limited in many environments.

Techniques

Sample rules

Bad Opsec Powershell Code Artifacts

Description

Focuses on trivial artifacts observed in variants of prevalent offensive PowerShell (.ps1) payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit, and other attack payloads that often undergo only minimal changes by attackers because of bad opsec.

Detection logic

condition: selection_4103
selection_4103:
  Payload|contains:
  - $DoIt
  - harmj0y
  - mattifestation
  - _RastaMouse
  - tifkin_
  - '0xdeadbeef'
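The selection above applied to PowerShell module-logging (Event ID 4103) records, the way a Sigma backend would evaluate it, as an added example that is not the LoFP page's or the Sigma project's code; the event records are constructed, and the "review" weighting for the low-entropy hex constant is an assumption illustrating the false-positive note, not part of the rule.

```python
"""Evaluate the 'Bad Opsec Powershell Code Artifacts' selection against
PowerShell module-logging (Event ID 4103) records. Added example, not code
from the LoFP page or the Sigma project: the event records are constructed
and the confidence weighting is an assumption."""
import re

# Indicators copied from the rule's selection_4103 block (Payload|contains).
ARTIFACTS = ["$DoIt", "harmj0y", "mattifestation", "_RastaMouse", "tifkin_", "0xdeadbeef"]

# Hex magic constants are short, low-entropy and also appear in benign code,
# so a hit resting only on one of them is worth a second look (assumed policy).
HEX_CONSTANT = re.compile(r"^0x[0-9a-f]+$", re.IGNORECASE)

# Constructed 4103 records: a stager fragment, a benign script using a magic
# number, an ordinary cmdlet invocation, and a 4104 record outside the selection.
SAMPLE_EVENTS = [
    {"EventID": 4103, "Computer": "ws01",
     "Payload": "CommandInvocation(Invoke-Expression): $DoIt = @'\nfunction func_get_proc_address {"},
    {"EventID": 4103, "Computer": "ws02",
     "Payload": "CommandInvocation(Write-Output): $sentinel = 0xDEADBEEF  # unit-test marker"},
    {"EventID": 4103, "Computer": "ws03",
     "Payload": 'CommandInvocation(Get-ChildItem): ParameterBinding(Get-ChildItem): name="Path"; value="C:\\Temp"'},
    {"EventID": 4104, "Computer": "ws04", "Payload": "Import-Module PowerView by harmj0y"},
]


def matched_artifacts(event: dict) -> list:
    """Indicators found in a 4103 event's Payload. Sigma 'contains' is a
    case-insensitive substring test, mirrored here; other event IDs are out of scope."""
    if event.get("EventID") != 4103:
        return []
    payload = str(event.get("Payload", "")).lower()
    return [a for a in ARTIFACTS if a.lower() in payload]


def triage(events: list) -> list:
    """Run the selection over a batch; 'high' when an author handle or variable
    name matched, 'review' when only hex magic constants did."""
    hits = []
    for ev in events:
        found = matched_artifacts(ev)
        if not found:
            continue
        only_magic = all(HEX_CONSTANT.match(a) for a in found)
        hits.append({"Computer": ev["Computer"], "artifacts": found,
                     "confidence": "review" if only_magic else "high"})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['confidence']:6} {', '.join(hit['artifacts'])}")
```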