security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8a6f66b1207ecbedb2cefa01efb44a56ec3d1913
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
T
frack113 546e53fb35 Apply suggestions from code review 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-23 12:34:56 +01:00

26 lines
861 B
YAML
Raw Blame History

title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
id: df69cb1d-b891-4cd9-90c7-d617d90100ce
related:
- id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
type: similar
status: experimental
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022/12/23
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- 'FromBase64String'
- 'MemoryStream'
- 'H4sI'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Reference in New Issue View Git Blame Copy Permalink