PowerShell ShellCode

Detects Base64-encoded shellcode in PowerShell script block logs

Sigma rule

title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: test
description: Detects Base64 encoded Shellcode
references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
date: 2018/11/17
modified: 2024/01/25
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'OiCAAAAYInlM'
            - 'OiJAAAAYInlM'
    condition: selection
falsepositives:
    - Unknown
level: high
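An added Python emulation of the rule's `ScriptBlockText|contains` selection over constructed Script Block Logging events (Event ID 4104, the event the rule's logsource requirement produces); it is not part of the rule or of the Sigma project, and the event field names and the `cased` toggle are assumptions. It also shows the caveat that Sigma matches case-insensitively by default while Base64 is case-sensitive, so a case-exact match is stricter.

```python
# Constructed emulation of the rule's ScriptBlockText|contains selection.
# Event records are synthetic and the field names are assumptions.

# The two Base64 fragments from the rule's selection list.
SHELLCODE_FRAGMENTS = ("OiCAAAAYInlM", "OiJAAAAYInlM")

# Script Block Logging writes Microsoft-Windows-PowerShell/Operational
# Event ID 4104; the rule's logsource requires it to be enabled.
SCRIPT_BLOCK_EVENT_ID = 4104


def matches_rule(script_block_text: str, cased: bool = False) -> bool:
    """Evaluate the rule's `contains` list against one ScriptBlockText value.

    cased=False reproduces Sigma's default case-insensitive matching.
    Base64 is case-sensitive, so cased=True (the Sigma `cased` modifier)
    is stricter and ignores text that merely spells the fragment in
    different casing.
    """
    haystack = script_block_text if cased else script_block_text.lower()
    return any(
        (frag if cased else frag.lower()) in haystack
        for frag in SHELLCODE_FRAGMENTS
    )


def triage(events, cased: bool = False):
    """Return the RecordIds of script-block events that hit the rule."""
    return [
        ev["RecordId"]
        for ev in events
        if ev.get("EventID") == SCRIPT_BLOCK_EVENT_ID
        and matches_rule(ev.get("ScriptBlockText", ""), cased=cased)
    ]


# Constructed sample events: record 2 and 4 carry a rule fragment inside a
# string literal, record 3 only re-spells a fragment in lower case, and
# record 5 is a different PowerShell event ID, so the rule does not apply.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "$enc = 'AAAA/OiCAAAAYInlM'"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "Write-Output 'oicaaaayinlm'"},
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": "$enc = '/OiJAAAAYInlM'"},
    {"RecordId": 5, "EventID": 4103,
     "ScriptBlockText": "/OiCAAAAYInlM"},
]
```

Running `triage(SAMPLE_EVENTS)` returns `[2, 3, 4]` under Sigma's default matching and `[2, 4]` with `cased=True`, which is the difference the Base64 caveat is about.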
