rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml

title: Encoded FromBase64String
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects a base64 encoded FromBase64String keyword in a process command line
author: Florian Roth
date: 2019/08/24
modified: 2022/03/07
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - CommandLine|base64offset|contains: '::FromBase64String'
    # UTF-16 LE
    - CommandLine|contains:
      - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
      - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
      - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
  condition: selection
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: critical
tags:
  - attack.defense_evasion
  - attack.t1140
  - attack.execution
  - attack.t1059.001
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`title: Encoded FromBase64String`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`description: Detects a base64 encoded FromBase64String keyword in a process command line`
			`author: Florian Roth`
			`date: 2019/08/24`
fix: adjusted rules that use utf16le, extended others 2022-03-07 18:14:29 +01:00			`modified: 2022/03/07`
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
fix: adjusted rules that use utf16le, extended others 2022-03-07 18:14:29 +01:00			`- CommandLine\|base64offset\|contains: '::FromBase64String'`
			`# UTF-16 LE`
			`- CommandLine\|contains:`
			`- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'`
			`- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'`
			`- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`condition: selection`
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- CommandLine`
			`- ParentCommandLine`
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`falsepositives:`
fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00			`- Unknown`
rules: encoded FromBase64String keyword 2019-08-24 12:38:51 +02:00			`level: critical`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1140`
			`- attack.execution`
			`- attack.t1059.001`