cscli scenarios install sigmahq/proc_creation_win_powershell_webclient_casing
# CrowdSec scenario converted from the SigmaHQ rule of the same name
# (proc_creation_win_powershell_webclient_casing).  A `trigger` scenario raises
# an alert on the first event that passes `filter`; there is no leaky-bucket
# capacity or leak speed to tune here.
type: trigger
name: sigmahq/proc_creation_win_powershell_webclient_casing
description: |
  Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
# The filter is one expr expression, kept on a single line as in the original.
# It is three gates AND-ed together:
#   1. event gate   - Sysmon Event ID 1 (process creation) only;
#   2. process gate - Image ends with \powershell.exe or \pwsh.exe, or the PE
#      OriginalFileName is PowerShell.EXE / pwsh.dll, so a renamed binary is
#      still matched as long as its version resource is intact;
#   3. payload gate - CommandLine contains one of the base64 fragments below.
#      Each fragment is the base64 of UTF-16LE "Net.WebClient" in a mixed-case
#      spelling (e.g. 'TgBlAFQALgB3AEUAQg' decodes to "NeT.wEB"), i.e. the form
#      it takes inside a -EncodedCommand argument.  The 'TgB'/'bgB', '4A' and
#      'OA' prefixes correspond to the three possible base64 byte alignments of
#      the substring, which is why each casing appears three times.
# NOTE(review): only the *encoded* form is matched.  A plain-text
# "nEt.WEbCliEnT" on the command line (the example given in the description)
# does not hit this filter: `contains` is a case-sensitive substring test on
# the raw CommandLine and nothing here decodes the payload.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe' || evt.Parsed.OriginalFileName in ['PowerShell.EXE', 'pwsh.dll']) && (evt.Parsed.CommandLine contains 'TgBlAFQALgB3AEUAQg' || evt.Parsed.CommandLine contains '4AZQBUAC4AdwBFAEIA' || evt.Parsed.CommandLine contains 'OAGUAVAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'bgBFAHQALgB3AGUAYg' || evt.Parsed.CommandLine contains '4ARQB0AC4AdwBlAGIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAHcAZQBiA' || evt.Parsed.CommandLine contains 'TgBFAHQALgB3AGUAYg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAHcAZQBiA' || evt.Parsed.CommandLine contains 'bgBlAFQALgB3AGUAYg' || evt.Parsed.CommandLine contains '4AZQBUAC4AdwBlAGIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAHcAZQBiA' || evt.Parsed.CommandLine contains 'TgBlAFQALgB3AGUAYg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAHcAZQBiA' || evt.Parsed.CommandLine contains 'bgBFAFQALgB3AGUAYg' || evt.Parsed.CommandLine contains '4ARQBUAC4AdwBlAGIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAHcAZQBiA' || evt.Parsed.CommandLine contains 'bgBlAHQALgBXAGUAYg' || evt.Parsed.CommandLine contains '4AZQB0AC4AVwBlAGIA' || evt.Parsed.CommandLine contains 'uAGUAdAAuAFcAZQBiA' || evt.Parsed.CommandLine contains 'bgBFAHQALgBXAGUAYg' || evt.Parsed.CommandLine contains '4ARQB0AC4AVwBlAGIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAFcAZQBiA' || evt.Parsed.CommandLine contains 'TgBFAHQALgBXAGUAYg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAFcAZQBiA' || evt.Parsed.CommandLine contains 'bgBlAFQALgBXAGUAYg' || evt.Parsed.CommandLine contains '4AZQBUAC4AVwBlAGIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAFcAZQBiA' || evt.Parsed.CommandLine contains 'TgBlAFQALgBXAGUAYg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAFcAZQBiA' || evt.Parsed.CommandLine contains 'bgBFAFQALgBXAGUAYg' || evt.Parsed.CommandLine contains '4ARQBUAC4AVwBlAGIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAFcAZQBiA' || evt.Parsed.CommandLine contains 'bgBlAHQALgB3AEUAYg' || evt.Parsed.CommandLine contains '4AZQB0AC4AdwBFAGIA' || evt.Parsed.CommandLine contains 'uAGUAdAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'TgBlAHQALgB3AEUAYg' || evt.Parsed.CommandLine contains 'OAGUAdAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'bgBFAHQALgB3AEUAYg' || evt.Parsed.CommandLine contains '4ARQB0AC4AdwBFAGIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'TgBFAHQALgB3AEUAYg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'bgBlAFQALgB3AEUAYg' || evt.Parsed.CommandLine contains '4AZQBUAC4AdwBFAGIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'TgBlAFQALgB3AEUAYg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'bgBFAFQALgB3AEUAYg' || evt.Parsed.CommandLine contains '4ARQBUAC4AdwBFAGIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'TgBFAFQALgB3AEUAYg' || evt.Parsed.CommandLine contains 'OAEUAVAAuAHcARQBiA' || evt.Parsed.CommandLine contains 'bgBlAHQALgBXAEUAYg' || evt.Parsed.CommandLine contains '4AZQB0AC4AVwBFAGIA' || evt.Parsed.CommandLine contains 'uAGUAdAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'TgBlAHQALgBXAEUAYg' || evt.Parsed.CommandLine contains 'OAGUAdAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'bgBFAHQALgBXAEUAYg' || evt.Parsed.CommandLine contains '4ARQB0AC4AVwBFAGIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'TgBFAHQALgBXAEUAYg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'bgBlAFQALgBXAEUAYg' || evt.Parsed.CommandLine contains '4AZQBUAC4AVwBFAGIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'TgBlAFQALgBXAEUAYg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'bgBFAFQALgBXAEUAYg' || evt.Parsed.CommandLine contains '4ARQBUAC4AVwBFAGIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'TgBFAFQALgBXAEUAYg' || evt.Parsed.CommandLine contains 'OAEUAVAAuAFcARQBiA' || evt.Parsed.CommandLine contains 'bgBlAHQALgB3AGUAQg' || evt.Parsed.CommandLine contains '4AZQB0AC4AdwBlAEIA' || evt.Parsed.CommandLine contains 'uAGUAdAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'TgBlAHQALgB3AGUAQg' || evt.Parsed.CommandLine contains 'OAGUAdAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'bgBFAHQALgB3AGUAQg' || evt.Parsed.CommandLine contains '4ARQB0AC4AdwBlAEIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'TgBFAHQALgB3AGUAQg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'bgBlAFQALgB3AGUAQg' || evt.Parsed.CommandLine contains '4AZQBUAC4AdwBlAEIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'TgBlAFQALgB3AGUAQg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'bgBFAFQALgB3AGUAQg' || evt.Parsed.CommandLine contains '4ARQBUAC4AdwBlAEIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'TgBFAFQALgB3AGUAQg' || evt.Parsed.CommandLine contains 'OAEUAVAAuAHcAZQBCA' || evt.Parsed.CommandLine contains 'bgBlAHQALgBXAGUAQg' || evt.Parsed.CommandLine contains '4AZQB0AC4AVwBlAEIA' || evt.Parsed.CommandLine contains 'uAGUAdAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'TgBlAHQALgBXAGUAQg' || evt.Parsed.CommandLine contains 'OAGUAdAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'bgBFAHQALgBXAGUAQg' || evt.Parsed.CommandLine contains '4ARQB0AC4AVwBlAEIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'TgBFAHQALgBXAGUAQg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'bgBlAFQALgBXAGUAQg' || evt.Parsed.CommandLine contains '4AZQBUAC4AVwBlAEIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'TgBlAFQALgBXAGUAQg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'bgBFAFQALgBXAGUAQg' || evt.Parsed.CommandLine contains '4ARQBUAC4AVwBlAEIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'TgBFAFQALgBXAGUAQg' || evt.Parsed.CommandLine contains 'OAEUAVAAuAFcAZQBCA' || evt.Parsed.CommandLine contains 'bgBlAHQALgB3AEUAQg' || evt.Parsed.CommandLine contains '4AZQB0AC4AdwBFAEIA' || evt.Parsed.CommandLine contains 'uAGUAdAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'TgBlAHQALgB3AEUAQg' || evt.Parsed.CommandLine contains 'OAGUAdAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'bgBFAHQALgB3AEUAQg' || evt.Parsed.CommandLine contains '4ARQB0AC4AdwBFAEIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'TgBFAHQALgB3AEUAQg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'bgBlAFQALgB3AEUAQg' || evt.Parsed.CommandLine contains 'uAGUAVAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'bgBFAFQALgB3AEUAQg' || evt.Parsed.CommandLine contains '4ARQBUAC4AdwBFAEIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'TgBFAFQALgB3AEUAQg' || evt.Parsed.CommandLine contains 'OAEUAVAAuAHcARQBCA' || evt.Parsed.CommandLine contains 'TgBlAHQALgBXAEUAQg' || evt.Parsed.CommandLine contains '4AZQB0AC4AVwBFAEIA' || evt.Parsed.CommandLine contains 'OAGUAdAAuAFcARQBCA' || evt.Parsed.CommandLine contains 'bgBFAHQALgBXAEUAQg' || evt.Parsed.CommandLine contains '4ARQB0AC4AVwBFAEIA' || evt.Parsed.CommandLine contains 'uAEUAdAAuAFcARQBCA' || evt.Parsed.CommandLine contains 'TgBFAHQALgBXAEUAQg' || evt.Parsed.CommandLine contains 'OAEUAdAAuAFcARQBCA' || evt.Parsed.CommandLine contains 'bgBlAFQALgBXAEUAQg' || evt.Parsed.CommandLine contains '4AZQBUAC4AVwBFAEIA' || evt.Parsed.CommandLine contains 'uAGUAVAAuAFcARQBCA' || evt.Parsed.CommandLine contains 'TgBlAFQALgBXAEUAQg' || evt.Parsed.CommandLine contains 'OAGUAVAAuAFcARQBCA' || evt.Parsed.CommandLine contains 'bgBFAFQALgBXAEUAQg' || evt.Parsed.CommandLine contains '4ARQBUAC4AVwBFAEIA' || evt.Parsed.CommandLine contains 'uAEUAVAAuAFcAZQBiA'))
# After an alert, further matches for the same scope value (the parent PID,
# see `scope` below) are ignored for 2 minutes, so a parent spawning several
# encoded PowerShell children in quick succession yields one alert, not many.
blackhole: 2m
# Left commented out in the original; presumably marks the rule as still in
# test status upstream.
#status: test
labels:
  service: windows
  # Hub metadata.  confidence 1 is the low end of the hub's rating; together
  # with the commented-out `status: test` this reads as a noisy/unvalidated
  # detection rather than a high-fidelity one.
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1059.001  # MITRE ATT&CK: Command and Scripting Interpreter: PowerShell

  label: "Net WebClient Casing Anomalies"
  behavior : "windows:audit"
  # No remediation: the scope is a process id, not an IP, so a bouncer has
  # nothing it could act on; this scenario is purely informative/audit.
  remediation: false

# The alert is keyed on the Sysmon ParentProcessId field rather than an IP.
# PIDs are host-local and reused after a process exits, so the value only
# identifies the parent together with the originating machine and time window;
# the 2m blackhole above is keyed on this same value.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId
