rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml

title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: test
description: Detects Base64 encoded Shellcode
references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
date: 2018/11/17
modified: 2024/01/25
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'OiCAAAAYInlM'
            - 'OiJAAAAYInlM'
    condition: selection
falsepositives:
    - Unknown
level: high
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`title: PowerShell ShellCode`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd`
$frack113$ Promotion rules (#3821 ) 2022-12-27 12:29:10 +01:00			`status: test`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`description: Detects Base64 encoded Shellcode`
			`references:`
			`- https://twitter.com/cyb3rops/status/1063072865992523776`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`date: 2018/11/17`
Merge PR #4693 from @qasimqlf - Update selection to remove overlap 2024-01-26 16:19:13 +05:00			`modified: 2024/01/25`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`tags:`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.defense_evasion`
Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00			`- attack.privilege_escalation`
			`- attack.t1055`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.execution`
			`- attack.t1059.001`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`detection:`
			`selection:`
Fixes 2021-04-03 23:21:13 +02:00			`ScriptBlockText\|contains:`
Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00			`- 'OiCAAAAYInlM'`
			`- 'OiJAAAAYInlM'`
Merge PR #4693 from @qasimqlf - Update selection to remove overlap 2024-01-26 16:19:13 +05:00			`condition: selection`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`falsepositives:`
			`- Unknown`
refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00			`level: high`