LoFP / windows defender atp

Techniques

Sample rules

Potential PowerShell Command Line Obfuscation

Description

Detects powershell.exe and pwsh.exe command lines that contain an unusually high number of special characters (14 or more "+", 10 or more "{", 5 or more "^" or 5 or more "`"), which is typical of string-concatenation, scriptblock and escape-character obfuscation. The optional filters exclude the Microsoft Defender for Endpoint (Windows Defender ATP) onboarding script and scripts launched by the Amazon SSM document worker, which legitimately produce such command lines.

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_amazonSSM:
  ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
filter_optional_defender_atp:
  CommandLine|contains:
  - new EventSource("Microsoft.Windows.Sense.Client.Management"
  - public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
selection_re:
- CommandLine|re: \+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+
- CommandLine|re: \{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{
- CommandLine|re: \^.*\^.*\^.*\^.*\^
- CommandLine|re: '`.*`.*`.*`.*`'
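The detection above, transcribed into plain Python and run over a handful of constructed process-creation events (this is an added example, not LoFP's or the Sigma project's own code; the sample events are made up for illustration and the Sigma modifier semantics are assumed as follows: endswith/equals/contains are case-insensitive, the re modifier is an unanchored, case-sensitive search). It shows that the Defender ATP onboarding command line does trip selection_re and is only suppressed by filter_optional_defender_atp, and that cmd.exe caret escaping does not fire because selection_img is required too.

```python
import re

# Added example: the Sigma detection logic above, transcribed to Python so the
# selections and the two optional filters can be exercised on sample events.
# Assumption: Sigma string modifiers (endswith, equals, contains) compare
# case-insensitively; the 're' modifier is an unanchored, case-sensitive search.

IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("PowerShell.EXE", "pwsh.dll")

# selection_re: one pattern per entry; each needs N occurrences of the character.
SPECIAL_CHAR_PATTERNS = [
    re.compile(r"\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+"),  # 14 x '+'
    re.compile(r"\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{"),                  # 10 x '{'
    re.compile(r"\^.*\^.*\^.*\^.*\^"),                                      # 5 x '^'
    re.compile(r"`.*`.*`.*`.*`"),                                           # 5 x '`'
]

FILTER_SSM_PARENT = "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe"
FILTER_DEFENDER_ATP_SUBSTRINGS = (
    'new EventSource("Microsoft.Windows.Sense.Client.Management"',
    "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);",
)


def selection_img(event):
    """selection_img: Image endswith ... OR OriginalFileName equals ... (case-insensitive)."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(tuple(s.lower() for s in IMAGE_SUFFIXES)) or \
        ofn in tuple(o.lower() for o in ORIGINAL_FILENAMES)


def selection_re(event):
    """selection_re: any of the special-character regexes matches the command line."""
    cmd = event.get("CommandLine", "")
    return any(p.search(cmd) for p in SPECIAL_CHAR_PATTERNS)


def filter_optional(event):
    """1 of filter_optional_*: SSM parent process OR Defender ATP onboarding strings."""
    if event.get("ParentImage", "").lower() == FILTER_SSM_PARENT.lower():
        return True
    cmd = event.get("CommandLine", "").lower()
    return any(s.lower() in cmd for s in FILTER_DEFENDER_ATP_SUBSTRINGS)


def rule_fires(event):
    """condition: all of selection_* and not 1 of filter_optional_*"""
    return selection_img(event) and selection_re(event) and not filter_optional(event)


# --- Constructed sample events (not real telemetry); field names follow Sysmon/Sigma. ---
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# 'I'+'n'+'v'+... : 16 '+' characters, classic string-concatenation obfuscation
_CONCAT = "+".join("'%s'" % c for c in "Invoke-Expression")
# Mimics the shape of the MDE onboarding script: 10 '{' plus the filtered substring
_SENSE_BODY = (
    "public class Sense { public class Client { public class Management { "
    'static void Init() { try { var es = new EventSource("Microsoft.Windows.Sense.Client.Management"); } '
    "catch { } finally { } } static void A() { } static void B() { } static void C() { } } } }"
)

SAMPLE_EVENTS = [
    {"label": "obfuscated_concat", "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "& (' + _CONCAT + ') $env:payload"'},
    {"label": "defender_atp_onboarding", "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -Command \"Add-Type -TypeDefinition '" + _SENSE_BODY + "'\""},
    {"label": "ssm_document_worker", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "ParentImage": "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe",
     "CommandLine": 'pwsh.exe -Command "' + _CONCAT + '"'},
    {"label": "cmd_carets_not_powershell", "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c p^o^w^e^r^shell"},
    {"label": "benign_powershell", "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]


def fired_labels(events=SAMPLE_EVENTS):
    """Labels of the sample events on which the rule fires."""
    return [e["label"] for e in events if rule_fires(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("%-28s img=%s re=%s filtered=%s -> fires=%s" % (
            e["label"], selection_img(e), selection_re(e), filter_optional(e), rule_fires(e)))
```

Only the concatenation sample fires; the onboarding and SSM samples match both selections and are dropped solely by the optional filters, which is why removing them reintroduces this page's false positive. Note that the regexes are case-sensitive and unanchored, so any command line with enough of the listed characters anywhere in it will hit selection_re, regardless of intent.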