Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
29 lines
931 B
YAML
29 lines
931 B
YAML
title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
|
|
id: df69cb1d-b891-4cd9-90c7-d617d90100ce
|
|
related:
|
|
- id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
|
|
type: similar
|
|
status: test
|
|
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
|
|
references:
|
|
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
|
|
author: frack113
|
|
date: 2022-12-23
|
|
tags:
|
|
- attack.command-and-control
|
|
- attack.t1132.001
|
|
logsource:
|
|
product: windows
|
|
category: ps_script
|
|
definition: 'Requirements: Script Block Logging must be enabled'
|
|
detection:
|
|
selection:
|
|
ScriptBlockText|contains|all:
|
|
- 'FromBase64String'
|
|
- 'MemoryStream'
|
|
- 'H4sI'
|
|
condition: selection
|
|
falsepositives:
|
|
- Legitimate administrative script
|
|
level: medium
|