PowerShell ShellCode
Detects Base64 encoded Shellcode
Sigma rule (View on GitHub)
1title: PowerShell ShellCode
2id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
3status: test
4description: Detects Base64 encoded Shellcode
5references:
6 - https://twitter.com/cyb3rops/status/1063072865992523776
7author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
8date: 2018/11/17
9modified: 2024/01/25
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - attack.t1055
14 - attack.execution
15 - attack.t1059.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains:
23 - 'OiCAAAAYInlM'
24 - 'OiJAAAAYInlM'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Rare Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation Via PowerShell In Uncommon Target
- Invoke-Obfuscation CLIP+ Launcher - System
- PUA - AdvancedRun Execution