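title: Encoded IEX
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects a base64 encoded IEX command string (ASCII or UTF-16LE) in a process command line
author: Florian Roth
date: 2019/08/23
modified: 2022/03/07
logsource:
    category: process_creation
    product: windows
detection:
    # ASCII/UTF-8 payloads. The base64offset modifier expands each value into
    # the three base64 alignments a substring can take inside a longer blob, so
    # one plain value per pattern is enough here. '([' and '(New' are meant to
    # catch the usual IEX argument shapes (a type cast and New-Object).
    selection_ascii:
        CommandLine|base64offset|contains:
            - 'IEX (['
            - 'iex (['
            - 'IEX (New'
            - 'iex (New'
            # PowerShell is case-insensitive; 'New' was previously only listed
            # capitalised, so an all-lowercase 'iex (new-object ...' was missed.
            - 'IEX (new'
            - 'iex (new'
    # UTF-16LE payloads (the encoding PowerShell -EncodedCommand uses). No
    # modifier derives these, so each pattern above is listed by hand in all
    # three alignments: base64 of the UTF-16LE bytes shifted by 0, 1 and 2
    # bytes, with the characters that depend on unknown neighbouring bytes
    # trimmed off. Keep this list in step with selection_ascii.
    selection_utf16le:
        CommandLine|contains:
            # 'IEX (['
            - 'SQBFAFgAIAAoAFsA'
            - 'kARQBYACAAKABbA'
            - 'JAEUAWAAgACgAWw'
            # 'iex (['
            - 'aQBlAHgAIAAoAFsA'
            - 'kAZQB4ACAAKABbA'
            - 'pAGUAeAAgACgAWw'
            # 'iex (New'
            - 'aQBlAHgAIAAoAE4AZQB3A'
            - 'kAZQB4ACAAKABOAGUAdw'
            - 'pAGUAeAAgACgATgBlAHcA'
            # 'IEX (New'
            - 'SQBFAFgAIAAoAE4AZQB3A'
            - 'kARQBYACAAKABOAGUAdw'
            - 'JAEUAWAAgACgATgBlAHcA'
            # 'IEX (new'
            - 'SQBFAFgAIAAoAG4AZQB3A'
            - 'kARQBYACAAKABuAGUAdw'
            - 'JAEUAWAAgACgAbgBlAHcA'
            # 'iex (new'
            - 'aQBlAHgAIAAoAG4AZQB3A'
            - 'kAZQB4ACAAKABuAGUAdw'
            - 'pAGUAeAAgACgAbgBlAHcA'
    # Either encoding family is enough to alert.
    condition: 1 of selection_*
# Surfaced in the alert so the analyst can decode the blob and see who spawned it.
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
# Kept critical despite unknown false positives: an encoded IEX on a command line
# is rarely benign. Revisit if legitimate automation in your estate trips it.
level: critical
tags:
    - attack.execution
    - attack.t1059.001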