security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
751fbd7a2e4f8375d6ec517ceeb4e08f62016e31
blue-team-tools/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
T
Florian Roth f728893364 refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00

31 lines
799 B
YAML
Raw Blame History

title: Encoded FromBase64String
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects a base64 encoded FromBase64String keyword in a process command line
author: Florian Roth
date: 2019/08/24
modified: 2022/03/07
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1140
- attack.execution
- attack.t1059.001
Reference in New Issue View Git Blame Copy Permalink