I've noticed that the alert Malicious PowerShell Process - Encoded Command has some regex within the SPL which will currently not match -EncodedCommand events.
The regex string in the search is:
Which will not match events which invoke Encoded command in the following ways:
-EncodedCommand
-E
-En
etc.
I'd like to change the regex to be similar to the regex found in the link which was provided (https://regexr.com/662ov) with a small change. Currently the regex looks like this:
[\-|\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\s+[A-Za-z0-9+/=]{5,}
I would like to include speech marks around the second part of the regex so it looks like this (added [\"]?):
[\-|\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\s+[\"]?[A-Za-z0-9+/=]{5,}[\"]?
This is because you can perform a command like this:
ps.exe -EncodedCommand "$encodedData"
And with the current regex, this will be missed by the alert.
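The following is an added example, not part of the issue above or of the project's detection content: it runs the regex quoted from regexr.com/662ov and the proposed variant with the optional double quote over a handful of constructed PowerShell command lines, so you can see exactly which invocations each pattern catches. The command lines and the base64 placeholder are made up for this test; the `-E`, `-enc`, single-quoted and `-ExecutionPolicy` cases are extra inputs added here to probe the edges of the pattern.

```python
import re

# Regex quoted in the issue (https://regexr.com/662ov) and the proposed
# variant with an optional double quote on either side of the base64 payload.
ORIGINAL_PATTERN = r'[\-|\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\s+[A-Za-z0-9+/=]{5,}'
PROPOSED_PATTERN = r'[\-|\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\s+[\"]?[A-Za-z0-9+/=]{5,}[\"]?'

ORIGINAL_RE = re.compile(ORIGINAL_PATTERN)
PROPOSED_RE = re.compile(PROPOSED_PATTERN)

# Constructed sample command lines (hypothetical, not taken from real telemetry).
# PAYLOAD is a placeholder base64 blob standing in for $encodedData.
PAYLOAD = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -EncodedCommand {PAYLOAD}",                 # 0: unquoted long switch
    f'powershell.exe -EncodedCommand "{PAYLOAD}"',               # 1: double-quoted (the issue's case)
    f'ps.exe -enc "{PAYLOAD}"',                                  # 2: short form, double-quoted
    f'powershell -ec "{PAYLOAD}"',                               # 3: shortest common form, double-quoted
    f'powershell /E "{PAYLOAD}"',                                # 4: bare /E form
    f"powershell.exe -enc '{PAYLOAD}'",                          # 5: single-quoted
    "powershell.exe -ExecutionPolicy Bypass -File script.ps1",   # 6: benign, no encoded payload
]


def matches(pattern: re.Pattern, command_line: str) -> bool:
    """True if the pattern occurs anywhere in the command line.

    search() rather than match() mirrors how Splunk's regex/rex commands
    look for the pattern inside the field value.
    """
    return pattern.search(command_line) is not None


def evaluate(command_lines):
    """Map each command line to (original_regex_hit, proposed_regex_hit)."""
    return {
        line: (matches(ORIGINAL_RE, line), matches(PROPOSED_RE, line))
        for line in command_lines
    }


if __name__ == "__main__":
    for line, (orig_hit, prop_hit) in evaluate(SAMPLE_COMMAND_LINES).items():
        print(f"original={str(orig_hit):5} proposed={str(prop_hit):5}  {line}")
```

Running it shows the quote change doing what the issue asks: the double-quoted `-EncodedCommand`, `-enc` and `-ec` forms are missed by the original pattern and caught by the proposed one, and the benign `-ExecutionPolicy` line matches neither. Two caveats a reviewer would want on the record: `[\"]?` only admits a double quote, so a single-quoted payload (`-enc '...'`) is still missed by both patterns, and the bare `-E`/`/E` form is missed by both as well, because `[NnCcOoDdEeMmAa^]+` requires at least one further character after the E.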