security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2bd24966c2fa251b304bfcfd9273cc4a973aaa01
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
T
Tessa Georgen 60b8e9b70f Merge PR #4392 from @tjgeorgen - Update MITRE Tags 
- update: update MITRE tags for multiple rules

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-28 16:53:27 +02:00

29 lines
939 B
YAML
Raw Blame History

title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
id: df69cb1d-b891-4cd9-90c7-d617d90100ce
related:
- id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
type: similar
status: experimental
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022/12/23
tags:
- attack.command_and_control
- attack.t1132.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'FromBase64String'
- 'MemoryStream'
- 'H4sI'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Reference in New Issue View Git Blame Copy Permalink