itsmehary
Started to work on this. Pull requests coming soon! :D
Sorry for the delay, here are a few PRs going on:
- Renamed PowerShell: https://github.com/Neo23x0/sigma/pull/869
- Suspicious PowerShell parent process: https://github.com/Neo23x0/sigma/pull/867
- Xor-ed commands: https://github.com/Neo23x0/sigma/pull/868
- Accessing WinAPI in PowerShell. Code injection: Subset of https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
Any update on these value modifiers?
That variable name is used inside the obfuscated code. You should just replace the value. Seems like the variable is stored inside the ActiveDocument.Variables list. So instead of creating this variable...
@Fred-sun any update on your MR? Thanks for your work!
Hello @Fred-sun, thanks for the fix again! Do you know when a new release is planned for the plugin? Still can't use it in production.
Hello, any update on this issue?
Hello, has anyone found a solution for this?