Suspicious FromBase64String Usage On Gzip Archive - Ps Script

calendar Aug 12, 2024 · attack.command-and-control attack.t1132.001  ·
Share on: linkedin copy

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

Sigma rule (View on GitHub)

 1title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
 2id: df69cb1d-b891-4cd9-90c7-d617d90100ce
 3related:
 4    - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
 5      type: similar
 6status: test
 7description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
 8references:
 9    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
10author: frack113
11date: 2022-12-23
12tags:
13    - attack.command-and-control
14    - attack.t1132.001
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection:
21        ScriptBlockText|contains|all:
22            - 'FromBase64String'
23            - 'MemoryStream'
24            - 'H4sI'
25    condition: selection
26falsepositives:
27    - Legitimate administrative script
28level: medium

References

  • Hunting for PowerShell Abuse

    PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…


    Read More

Related rules

to-top