security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/process_creation/win_powershell_frombase64string.yml
T

25 lines
624 B
YAML
Raw Normal View History

rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
title: FromBase64String Command Line
id: e32d4572-9826-4738-b651-95fa63747e8a
Change status for old rules
2021-11-27 11:33:14 +01:00
status: test
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
description: Detects suspicious FromBase64String expressions in command line arguments
author: Florian Roth
Change status for old rules
2021-11-27 11:33:14 +01:00
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
date: 2020/01/29
Change status for old rules
2021-11-27 11:33:14 +01:00
modified: 2021/11/27
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
logsource:
Change status for old rules
2021-11-27 11:33:14 +01:00
category: process_creation
product: windows
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
detection:
Change status for old rules
2021-11-27 11:33:14 +01:00
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
falsepositives:
Change status for old rules
2021-11-27 11:33:14 +01:00
- Administrative script libraries
rule: FromBase64String command line
2020-01-29 16:05:12 +01:00
level: high
Change status for old rules
2021-11-27 11:33:14 +01:00
tags:
- attack.t1027
- attack.defense_evasion
- attack.t1140
- attack.t1059.001
Reference in New Issue Copy Permalink