security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
89e28d65d2ee34efac05da53128fe2d596550e9a
blue-team-tools/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
T
frack113 8bb3379b68 Normalization of rule names
2022-02-22 11:16:31 +01:00

25 lines
624 B
YAML
Raw Blame History

title: FromBase64String Command Line
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects suspicious FromBase64String expressions in command line arguments
author: Florian Roth
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
date: 2020/01/29
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
falsepositives:
- Administrative script libraries
level: high
tags:
- attack.t1027
- attack.defense_evasion
- attack.t1140
- attack.t1059.001
Reference in New Issue View Git Blame Copy Permalink