PowerShell Base64 Encoded Reflective Assembly Load

Detects base64 encoded .NET reflective loading of Assembly

Sigma rule

```yaml
title: PowerShell Base64 Encoded Reflective Assembly Load
id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
related:
    - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
      type: similar
status: test
description: Detects base64 encoded .NET reflective loading of Assembly
references:
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
date: 2022/03/01
modified: 2023/01/30
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
    - attack.t1620
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # [Reflection.Assembly]::Load(
            - 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
            - 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
            - 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
            # [reflection.assembly]::("Load")
            - 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC'
            - 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp'
            - 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK'
            # [Reflection.Assembly]::("Load")
            - 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ'
            - 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA'
            - 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA'
            # [reflection.assembly]::Load(
            - 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
            - 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
            - 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
    condition: selection
fields:
    - CommandLine
falsepositives:
    - Unlikely
level: high
```
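The rule lists three base64 strings per plaintext fragment because `-EncodedCommand` base64 is computed over UTF-16LE in 3-byte groups, so the same fragment encodes to different characters at each of the three possible byte alignments. The following Python is an added example (not part of the rule or the Sigma project) that derives those alignment variants, emulates the `CommandLine|contains` selection, and runs it over constructed `powershell -enc` command lines.

```python
import base64

# The four plaintext fragments behind the rule's four comment groups.
TARGETS = [
    "[Reflection.Assembly]::Load(",
    '[reflection.assembly]::("Load")',
    '[Reflection.Assembly]::("Load")',
    "[reflection.assembly]::Load(",
]

def b64_utf16le_variants(text):
    """Return the three base64 substrings that match `text` at any byte alignment.
    -EncodedCommand is base64 over UTF-16LE. Base64 consumes 3-byte groups, so the
    same bytes encode differently depending on how many bytes precede them (0, 1
    or 2 mod 3). For each alignment, prepend that many filler bytes, encode, and
    strip every character whose value depends on a byte outside `text`.
    """
    data = text.encode("utf-16-le")
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + data).decode("ascii").rstrip("=")
        lead = (0, 2, 3)[shift]  # leading chars still carrying filler bits
        trail = 0 if (shift + len(data)) % 3 == 0 else 1  # partial final group
        variants.append(enc[lead:len(enc) - trail])
    return variants

PATTERNS = [v for t in TARGETS for v in b64_utf16le_variants(t)]

def matches_rule(command_line, patterns=PATTERNS):
    """Emulate the rule's `CommandLine|contains` selection and return the hits.
    Sigma string matching is case-insensitive by default, hence the lower()."""
    cl = command_line.lower()
    return [p for p in patterns if p.lower() in cl]

def encoded_command(script):
    """Constructed sample command line: `powershell -enc <base64(UTF-16LE script)>`."""
    return "powershell.exe -enc " + base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples: the fragment starts at byte offset 0, 10 and 2 of the script
# (alignment 0, 1 and 2); the last sample is benign and must not match.
SAMPLE_COMMAND_LINES = {
    "align0": encoded_command("[Reflection.Assembly]::Load($b)"),
    "align1": encoded_command("$b=1;[reflection.assembly]::Load($b)"),
    "align2": encoded_command(" [Reflection.Assembly]::Load($b)"),
    "benign": encoded_command("Get-Date; Write-Host ok"),
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMAND_LINES.items():
        print(name, "ALERT" if matches_rule(cmd) else "clean")
```

This strict trimming reproduces the rule's strings exactly for three of the four comment groups; the `[reflection.assembly]::("Load")` group in the rule was trimmed differently (it keeps leading characters that are only valid when the preceding UTF-16LE byte is 0x00, i.e. the high byte of an ASCII character), so those three strings do not match that fragment when it opens the encoded script.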
