rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml

title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: experimental
description: Detects Base64 encoded Shellcode
references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.execution
    - attack.t1059.001
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
modified: 2021/10/16
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains: 'AAAAYInlM'
    selection2:
        ScriptBlockText|contains:
            - 'OiCAAAAYInlM'
            - 'OiJAAAAYInlM'
    condition: selection and selection2
falsepositives:
    - Unknown
level: high
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`title: PowerShell ShellCode`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`status: experimental`
			`description: Detects Base64 encoded Shellcode`
			`references:`
			`- https://twitter.com/cyb3rops/status/1063072865992523776`
			`tags:`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.defense_evasion`
Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00			`- attack.privilege_escalation`
			`- attack.t1055`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.execution`
			`- attack.t1059.001`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`author: David Ledbetter (shellcode), Florian Roth (rule)`
			`date: 2018/11/17`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`modified: 2021/10/16`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
$frack113$ Update PS rules 2021-08-21 09:33:52 +02:00			`definition: Script block logging must be enabled`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`detection:`
			`selection:`
Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00			`ScriptBlockText\|contains: 'AAAAYInlM'`
			`selection2:`
Fixes 2021-04-03 23:21:13 +02:00			`ScriptBlockText\|contains:`
Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00			`- 'OiCAAAAYInlM'`
			`- 'OiJAAAAYInlM'`
			`condition: selection and selection2`
Rule: Detect base64 encoded PowerShell shellcode 2018-11-17 09:10:09 +01:00			`falsepositives:`
			`- Unknown`
refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00			`level: high`