brad-sp / community-modified

Modified edition of cuckoo community modules

Create powershell_command.py #122

Closed kevross33 closed 9 years ago

kevross33 commented 9 years ago

Check for different parameters. Generally the bad one is bypass of the execution policy and, to a lesser extent, not loading the current user profile, but I have created it to provide some more information on suspicious or interesting actions (or at least to be able to add them) with a severity of 2, and then if a security bypass is attempted (executionpolicy/noprofile) the severity is changed to 3.

kevross33 commented 9 years ago

Example MD5: a9cc2ed55a1c8b3dc3f18485f884846a

kevross33 commented 9 years ago

Actually, this signature always fires, as the False does not seem to occur correctly, so while on other files it does not have the actual PowerShell execution reasons, it has a severity 2 signature fire even when PowerShell is not used. If PowerShell is used on the malicious samples I have tested, it does properly append the reasons, so this needs fixing.

kevross33 commented 9 years ago

OK, I have fixed this now so it is working as expected.
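The logic described in the first comment (severity 2 for interesting PowerShell parameters, raised to 3 for an execution-policy bypass or -NoProfile) and the "always fires" bug from the third comment, as an added stand-alone example; this is not the code from the PR or the cuckoo community repository. It assumes the function names, the sample command lines, the particular severity-2 parameter set and the choice that a plain powershell.exe invocation with no flagged parameters reports nothing.

```python
import ntpath
import re

# Constructed command lines in the shape a sandbox report would carry; not real sample data.
SAMPLE_PROCESSES = [
    "explorer.exe",
    'powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA',
    "powershell.exe -NoLogo -File build.ps1",
]

# Severity-2 parameters (assumed set; the PR does not list them) and the two the thread
# singles out as security bypasses (severity 3). powershell.exe accepts unambiguous
# prefixes of its switch names, so each pattern also matches the common short forms.
INTERESTING = {
    "-windowstyle hidden": re.compile(r"-w(?:in|indowstyle)?\s+hidden\b", re.I),
    "-encodedcommand": re.compile(r"-e(?:nc|ncodedcommand)?\s+\S+", re.I),
    "-noninteractive": re.compile(r"-noni(?:nteractive)?\b", re.I),
}
BYPASS = {
    "-executionpolicy bypass": re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass\b", re.I),
    "-noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def evaluate_powershell(cmdline):
    """Return (severity, reasons) for one command line; (0, []) when there is nothing to report."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)  # first token, quoted or bare
    if not m:
        return 0, []
    exe = ntpath.basename(m.group(1) or m.group(2)).lower()
    if exe != "powershell.exe":
        return 0, []  # not PowerShell at all: must not contribute a severity-2 hit
    reasons = [name for name, pat in INTERESTING.items() if pat.search(cmdline)]
    bypass = [name for name, pat in BYPASS.items() if pat.search(cmdline)]
    if bypass:
        return 3, reasons + bypass
    if reasons:
        return 2, reasons
    return 0, []  # plain invocation with no flagged parameters (assumed: no report)


def run_signature(command_lines):
    """Mimic a signature's run(): matched only when a reason was actually collected.
    Reporting a match regardless of the reasons list is the bug the thread describes."""
    severity, reasons = 0, []
    for cmdline in command_lines:
        sev, why = evaluate_powershell(cmdline)
        severity = max(severity, sev)
        reasons.extend(why)
    return {"matched": bool(reasons), "severity": severity, "reasons": reasons}
```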