Potential Data Exfiltration Via Audio File

Dec 1, 2023 · attack.exfiltration ·

Detects potential exfiltration attempt via audio file using PowerShell

Sigma rule (View on GitHub)

 1title: Potential Data Exfiltration Via Audio File
 2id: e4f93c99-396f-47c8-bb0f-201b1fa69034
 3status: test
 4description: Detects potential exfiltration attempt via audio file using PowerShell
 5references:
 6    - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/01/16
 9tags:
10    - attack.exfiltration
11logsource:
12    product: windows
13    category: ps_script
14    definition: 'Requirements: Script Block Logging must be enabled'
15detection:
16    selection_main:
17        ScriptBlockText|contains|all:
18            - '[System.Math]::'
19            - '[IO.FileMode]::'
20            - 'BinaryWriter'
21    selection_header_wav:
22        ScriptBlockText|contains|all:
23            # Byte chunks from the WAV header used in the example POC
24            # You can extend this for different audio formats by adding different selections
25            - '0x52'
26            - '0x49'
27            - '0x46'
28            - '0x57'
29            - '0x41'
30            - '0x56'
31            - '0x45'
32            - '0xAC'
33    condition: selection_main and 1 of selection_header_*
34falsepositives:
35    - Unknown
36level: medium

References

PSBits/NoDLP/bin2wav.ps1 at e97cbbb173b31cbc4d37244d3412de0a114dacfb · gtworek/PSBits

Simple (relatively) things allowing you to dig a bit deeper than usual. - gtworek/PSBits

Read More

Potential Data Exfiltration Via Audio File

Sigma rule (View on GitHub)

References

PSBits/NoDLP/bin2wav.ps1 at e97cbbb173b31cbc4d37244d3412de0a114dacfb · gtworek/PSBits

Related rules