detection-rule-template.yml
title: Suspicious PowerShell Encoded Command Execution
id: SENT-EXEC-0001
status: stable
description: Detects PowerShell execution with encoded commands that may indicate obfuscation or malicious script execution.
author: Your Name
date: 2026-03-06
modified: 2026-03-06
logsource:
  product: windows
  category: process_creation
platform: microsoft_sentinel
query_language: kql
query: |
  DeviceProcessEvents
  | where FileName in~ ("powershell.exe","pwsh.exe")
  | where ProcessCommandLine has_any ("-enc","-encodedcommand")
  | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
severity: medium
risk_score: 50
tactics:
  - Execution
techniques:
  - T1059.001
kill_chain_phases:
  - Execution
data_sources:
  - DeviceProcessEvents
falsepositives:
  - Administrative automation using encoded commands
triage:
  - Review parent and child process relationships
  - Decode the command if present
validation:
  - Test with Atomic Red Team PowerShell encoded command simulation
lifecycle: testing
owner: Detection Engineering
tags:
  - attack.execution
  - attack.t1059.001
  - ckc.execution
  - powershell
  - sentinel