Threat Huntlowtest

bXOR Operator Usage In PowerShell Command Line - PowerShell Classic

Detects powershell execution with that make use of to the bxor (Bitwise XOR). Attackers might use as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Teymur Kheirkhabarov, Harish SegarCreated Mon Jun 29Updated Wed Dec 11812837bb-b17f-45e9-8bd0-0ec35d2e3bd6windows

Hunting Hypothesis

Log Source

WindowsPowerShell Classic

ProductWindows← raw: windows

CategoryPowerShell Classic← raw: ps_classic_start

Detection Logic

detection:
    selection:
        Data|contains|all:
            - 'HostName=ConsoleHost'
            - ' -bxor '
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Other

detection.threat-hunting

Rule Metadata

Rule ID

812837bb-b17f-45e9-8bd0-0ec35d2e3bd6

Status

test

Level

low

Type

Threat Hunt

Created

Mon Jun 29

Modified

Wed Dec 11

Author

Teymur Kheirkhabarov, Harish Segar

Path

rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml

Raw Tags

attack.executionattack.t1059.001detection.threat-hunting

View on GitHub