PowerShell Base64 Encoded Invoke Keyword

Detects UTF-8 and UTF-16LE Base64 encoded PowerShell 'Invoke-' calls

Sigma rule

title: PowerShell Base64 Encoded Invoke Keyword
id: 6385697e-9f1b-40bd-8817-f4a91f40508e
related:
    - id: fd6e2919-3936-40c9-99db-0aa922c356f7
      type: obsoletes
status: test
description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
date: 2022/05/20
modified: 2023/04/06
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_enc:
        CommandLine|contains: ' -e'
    selection_cli_invoke:
        CommandLine|contains:
            # Invoke-
            # UTF-16LE
            - 'SQBuAHYAbwBrAGUALQ'
            - 'kAbgB2AG8AawBlAC0A'
            - 'JAG4AdgBvAGsAZQAtA'
            # UTF-8
            - 'SW52b2tlL'
            - 'ludm9rZS'
            - 'JbnZva2Ut'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
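Why the rule needs three strings per encoding, and how its three selections combine, as an added example that is not part of the rule or of the Sigma project: a Python script that regenerates the alignment variants from the keyword (a Base64 substring only survives when the keyword's byte offset mod 3 is known, so one string per offset is needed), re-implements the selections, and runs them over constructed process_creation events (the image paths and script text are made up for the test).

```python
import base64

def alignment_variants(keyword: str, encoding: str) -> list[str]:
    """Base64 substrings that expose `keyword` at byte offsets 0, 1 and 2 (mod 3)."""
    data = keyword.encode(encoding)
    variants = []
    for k in range(3):
        # k filler bytes in front shift the alignment; two zero bytes behind make
        # sure the last group we slice into is emitted without '=' padding.
        encoded = base64.b64encode(b"\x00" * k + data + b"\x00\x00").decode("ascii")
        # Base64 char i covers bits [6i, 6i+6); keep only chars whose bits come
        # entirely from `data`: ceil(8k/6) <= i < floor(8(k+len(data))/6).
        first, last = -(-8 * k // 6), 8 * (k + len(data)) // 6
        variants.append(encoded[first:last])
    return variants

# The six strings the rule lists, regenerated from the keyword itself.
INVOKE_UTF16 = alignment_variants("Invoke-", "utf-16-le")
INVOKE_UTF8 = alignment_variants("Invoke-", "utf-8")

def rule_matches(event: dict) -> bool:
    """Rule logic over one process_creation event (Sigma matches case-insensitively by default)."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    selection_img = image.endswith(("\\powershell.exe", "\\pwsh.exe")) or orig in ("powershell.exe", "pwsh.dll")
    selection_cli_enc = " -e" in cli
    selection_cli_invoke = any(s.lower() in cli for s in INVOKE_UTF16 + INVOKE_UTF8)
    return selection_img and selection_cli_enc and selection_cli_invoke

def encoded_command(script: str) -> str:
    """What -EncodedCommand carries: Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def evaluate_samples() -> dict:
    """Constructed events; 0, 1 and 2 leading spaces put 'Invoke-' at byte offset 0, 2 and 4 (mod 3: 0, 2, 1)."""
    results = {}
    for n in range(3):
        script = " " * n + "Invoke-Command -ScriptBlock { Get-Date }"
        results[f"invoke_offset_{n}"] = rule_matches({
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "CommandLine": f"powershell.exe -e {encoded_command(script)}"})
    results["no_invoke"] = rule_matches({
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": f"pwsh.exe -e {encoded_command('Get-Date')}"})
    results["not_powershell"] = rule_matches({
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": f"notepad.exe -e {encoded_command('Invoke-Command')}"})
    return results
```

The same helper generates alignment variants for any other keyword or encoding a rule wants to cover.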
