
Remove ending spaces from selection in posh_ps_susp_invocation_generic.yml #5034

Open
BlakeHensleyy opened this issue Oct 4, 2024 · 1 comment

@BlakeHensleyy

Rule UUID

ed965133-513f-41d9-a441-e38076a0798f

Example EventLog

ScriptBlockText: powershell.exe -EncodedCommand aGVsbG8gd29ybGQ= -windowstyle hidden -noninteractive

Description

This is more of a false negative because the sigma rule will not detect -noninteractive or -w hidden being used at the end of the command.

To correct this false negative, the detection should be the following, with selection_hidden and selection_noninteractive updated to remove the space at the end of the selections:

```yaml
detection:
    selection_encoded:
        ScriptBlockText|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ScriptBlockText|contains:
            - ' -w hidden'
            - ' -window hidden'
            - ' -windowstyle hidden'
            - ' -w 1'
    selection_noninteractive:
        ScriptBlockText|contains:
            - ' -noni'
            - ' -noninteractive'
    condition: all of selection*
```

selection_encoded should not be updated to remove the space at the end, because it requires that the option's input is not included in the selection.
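The following is an added example, not code from the Sigma project or from the issue author: a minimal re-implementation of the Sigma `contains` modifier (case-insensitive substring, values in a list ORed) and the `all of selection*` condition, run over the event from the report and a second constructed event that ends in `-w hidden`. The pre-fix values are an assumption reconstructed from the issue text (the same lists with a trailing space on each hidden and noninteractive value); the `failing_selections` helper is hypothetical and exists only to show which selection causes the miss.

```python
# Added example (not from the Sigma project): a simplified Sigma matcher used to
# show why a trailing space in a value misses a flag that ends the command line.
from typing import Dict, List

# Rule fragment as the issue proposes it, copied from the YAML above.
FIXED_DETECTION: Dict[str, Dict[str, List[str]]] = {
    "selection_encoded": {"ScriptBlockText|contains": [" -enc ", " -EncodedCommand ", " -ec "]},
    "selection_hidden": {"ScriptBlockText|contains": [" -w hidden", " -window hidden",
                                                      " -windowstyle hidden", " -w 1"]},
    "selection_noninteractive": {"ScriptBlockText|contains": [" -noni", " -noninteractive"]},
}

# Assumed pre-fix values: the same lists with the trailing space the issue asks
# to remove (selection_encoded keeps its trailing space in both versions).
ORIGINAL_DETECTION = {
    name: {field: [v if name == "selection_encoded" else v + " " for v in values]
           for field, values in sel.items()}
    for name, sel in FIXED_DETECTION.items()
}

# Constructed events: the one from the report, and one ending in '-w hidden'.
EVENT_FROM_REPORT = {"ScriptBlockText": "powershell.exe -EncodedCommand aGVsbG8gd29ybGQ= "
                                        "-windowstyle hidden -noninteractive"}
EVENT_HIDDEN_LAST = {"ScriptBlockText": "powershell.exe -noni -enc aGVsbG8gd29ybGQ= -w hidden"}


def selection_matches(event: dict, selection: Dict[str, List[str]]) -> bool:
    """One selection: every 'field|contains' key must match (keys of a map are
    ANDed, values in a list are ORed). Matching is case-insensitive, as Sigma
    string matching is. Only the 'contains' modifier is implemented here."""
    for field_spec, values in selection.items():
        field, _, modifier = field_spec.partition("|")
        if modifier != "contains":
            raise NotImplementedError(f"only 'contains' is implemented, got {modifier!r}")
        haystack = str(event.get(field, "")).lower()
        if not any(v.lower() in haystack for v in values):
            return False
    return True


def failing_selections(event: dict, detection: dict) -> List[str]:
    """Names of the selections that do not match, to explain a missed event."""
    return [name for name, sel in detection.items() if not selection_matches(event, sel)]


def rule_fires(event: dict, detection: dict) -> bool:
    """condition: all of selection*"""
    return not failing_selections(event, detection)


if __name__ == "__main__":
    for label, event in [("report", EVENT_FROM_REPORT), ("hidden last", EVENT_HIDDEN_LAST)]:
        print(label, "original:", rule_fires(event, ORIGINAL_DETECTION),
              failing_selections(event, ORIGINAL_DETECTION))
        print(label, "fixed:   ", rule_fires(event, FIXED_DETECTION))
```

With the trailing spaces, the report's event misses only on selection_noninteractive (the flag is the last token, so nothing follows it), and the second event misses on selection_hidden for the same reason; with the spaces removed both events fire. The trailing space on selection_encoded is harmless here because the encoded payload always follows the option name.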

@BlakeHensleyy BlakeHensleyy added the False-Positive Issue reporting a false positive with one of the rules label Oct 4, 2024

github-actions bot commented Oct 4, 2024

Welcome @BlakeHensleyy 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
