Obfuscation in CLI arguments

Rule Description
Looks for possible obfuscation in command-line arguments, such as carets inserted between letters (n^e^t u^s^er).

Detect

event: NEW_PROCESS
op: matches
path: event/COMMAND_LINE
re: (?:[a-zA-Z]\^)+[a-zA-Z]

Respond

- action: report
  name: Possible obfuscation in CLI args
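
Added example (not part of the original rule or of the rule engine's code): a Python stand-in for the rule's logic, run over constructed events, showing what the regex matches and where it is noisy. The event dictionary layout, the evaluate() helper, the "OTHER_EVENT" type and the "deobfuscated" field are assumptions made for illustration.

```python
import re

# Same pattern as the rule's `re:` field. Python's `re` stands in for the
# rule engine's regex matcher (assumption).
CARET_RE = re.compile(r"(?:[a-zA-Z]\^)+[a-zA-Z]")


def evaluate(event):
    """Mimic the rule: NEW_PROCESS events whose event/COMMAND_LINE matches."""
    if event.get("event_type") != "NEW_PROCESS":
        return None
    cmdline = event.get("event", {}).get("COMMAND_LINE", "")
    hits = CARET_RE.findall(cmdline)
    if not hits:
        return None
    return {
        "name": "Possible obfuscation in CLI args",
        "matched": hits,
        # Triage aid: the command line with carets dropped. Simplified; it
        # does not treat a doubled caret (^^) as a literal caret.
        "deobfuscated": cmdline.replace("^", ""),
    }


def _ev(event_type, cmdline):
    # Hypothetical event layout following the rule's `event/COMMAND_LINE` path.
    return {"event_type": event_type, "event": {"COMMAND_LINE": cmdline}}


# Constructed sample events (not real telemetry).
SAMPLES = [
    _ev("NEW_PROCESS", "cmd.exe /c n^e^t u^s^er"),  # the rule's own example
    _ev("NEW_PROCESS", "cmd.exe /c net user"),      # plain form: no match
    _ev("NEW_PROCESS", "cmd.exe /c echo a^b"),      # one caret is enough: noisy
    _ev("NEW_PROCESS", "calc.exe 2^3"),             # digits only: no match
    _ev("OTHER_EVENT", "n^e^t"),                    # wrong event type: ignored
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["event"]["COMMAND_LINE"], "->", evaluate(sample))
```

The third sample shows that a single letter-caret-letter pair already triggers the report, so the rule's output is a lead to triage, not a verdict.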