security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
bcce3a85aa43a936412fd32ffdfd41ea71ce1e02
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
T

26 lines
877 B
YAML
Raw Normal View History

Apply suggestions from code review
2022-12-23 12:34:56 +01:00
title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
Issue 575 page 43
2022-12-23 11:10:17 +01:00
id: df69cb1d-b891-4cd9-90c7-d617d90100ce
related:
- id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
type: similar
status: experimental
Apply suggestions from code review
2022-12-23 12:34:56 +01:00
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
Issue 575 page 43
2022-12-23 11:10:17 +01:00
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022/12/23
logsource:
product: windows
category: ps_script
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
definition: 'Requirements: Script Block Logging must be enabled'
Issue 575 page 43
2022-12-23 11:10:17 +01:00
detection:
selection:
ScriptBlockText|contains|all:
- 'FromBase64String'
Apply suggestions from code review
2022-12-23 12:34:56 +01:00
- 'MemoryStream'
Issue 575 page 43
2022-12-23 11:10:17 +01:00
- 'H4sI'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Reference in New Issue Copy Permalink