Powershell Launched By Winword

Detects PowerShell launched with the -enco parameter (the abbreviated form of -EncodedCommand) by WinWord, Excel, or PowerPoint.

Sigma rule

title: Powershell Launched By Winword
status: experimental
description: powershell with enco parameter launched by winword / excel / powerpoint
author: Joe Security
date: 2019-10-18
id: 200002
threatname:
behaviorgroup: 1
classification: 5
mitreattack: T1055
matchonlyifnot: 184

logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: '*\Program Files\Microsoft Office*.EXE'
        CommandLine:
            - '*\powershell.exe* -enco *'
    condition: selection
level: critical
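To show what this selection actually matches, the following is an added Python example (not part of the Joe Security rule or this page) that reimplements the rule's case-insensitive wildcard matching and runs it over constructed process_creation events; the ParentImage and CommandLine values and the base64 string are made up. It also surfaces two gaps in the pattern as written: the full -EncodedCommand spelling and 32-bit Office under 'Program Files (x86)' are not caught.

```python
import fnmatch

# Selection block of Joe Security rule 200002, transcribed from the page above
SELECTION = {
    "ParentImage": ["*\\Program Files\\Microsoft Office*.EXE"],
    "CommandLine": ["*\\powershell.exe* -enco *"],
}


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma-style wildcard match: '*' and '?' are wildcards, comparison is case-insensitive."""
    # fnmatchcase treats backslash as a literal character, which the rule's paths need
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """A selection is an AND over fields; each field is an OR over its listed patterns."""
    for field, patterns in selection.items():
        value = event.get(field, "")
        if not any(sigma_match(value, p) for p in patterns):
            return False
    return True


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed process_creation events (not real telemetry); the base64 blob is a placeholder
EVENTS = [
    # 1: Word spawning powershell.exe -enco -> hit
    {"ParentImage": WORD, "CommandLine": f"{PS} -enco QQBCAEMA"},
    # 2: same, but the full -EncodedCommand switch -> miss, the pattern needs a literal '-enco '
    {"ParentImage": WORD, "CommandLine": f"{PS} -EncodedCommand QQBCAEMA"},
    # 3: Explorer as parent -> miss, ParentImage does not match
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f"{PS} -enco QQBCAEMA"},
    # 4: quoted path, Excel parent, different letter case -> hit (matching is case-insensitive)
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": f'"{PS}" -ENCO QQBCAEMA'},
    # 5: 32-bit Office under 'Program Files (x86)' -> miss, the ParentImage pattern skips it
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": f"{PS} -enco QQBCAEMA"},
]


def evaluate(events=EVENTS):
    """Return one True/False verdict per event, in order."""
    return [matches_selection(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("HIT " if hit else "miss", e["ParentImage"], "|", e["CommandLine"])
```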