Net WebClient Casing Anomalies
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Sigma rule
```yaml
title: Net WebClient Casing Anomalies
id: c86133ad-4725-4bd0-8170-210788e0a7ba
status: test
description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
references:
    - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
date: 2022-05-24
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_encoded:
        CommandLine|contains:
            - 'TgBlAFQALgB3AEUAQg'
            - '4AZQBUAC4AdwBFAEIA'
            - 'OAGUAVAAuAHcARQBCA'
            - 'bgBFAHQALgB3AGUAYg'
            - '4ARQB0AC4AdwBlAGIA'
            - 'uAEUAdAAuAHcAZQBiA'
            - 'TgBFAHQALgB3AGUAYg'
            - 'OAEUAdAAuAHcAZQBiA'
            - 'bgBlAFQALgB3AGUAYg'
            - '4AZQBUAC4AdwBlAGIA'
            - 'uAGUAVAAuAHcAZQBiA'
            - 'TgBlAFQALgB3AGUAYg'
            - 'OAGUAVAAuAHcAZQBiA'
            - 'bgBFAFQALgB3AGUAYg'
            - '4ARQBUAC4AdwBlAGIA'
            - 'uAEUAVAAuAHcAZQBiA'
            - 'bgBlAHQALgBXAGUAYg'
            - '4AZQB0AC4AVwBlAGIA'
            - 'uAGUAdAAuAFcAZQBiA'
            - 'bgBFAHQALgBXAGUAYg'
            - '4ARQB0AC4AVwBlAGIA'
            - 'uAEUAdAAuAFcAZQBiA'
            - 'TgBFAHQALgBXAGUAYg'
            - 'OAEUAdAAuAFcAZQBiA'
            - 'bgBlAFQALgBXAGUAYg'
            - '4AZQBUAC4AVwBlAGIA'
            - 'uAGUAVAAuAFcAZQBiA'
            - 'TgBlAFQALgBXAGUAYg'
            - 'OAGUAVAAuAFcAZQBiA'
            - 'bgBFAFQALgBXAGUAYg'
            - '4ARQBUAC4AVwBlAGIA'
            - 'uAEUAVAAuAFcAZQBiA'
            - 'bgBlAHQALgB3AEUAYg'
            - '4AZQB0AC4AdwBFAGIA'
            - 'uAGUAdAAuAHcARQBiA'
            - 'TgBlAHQALgB3AEUAYg'
            - 'OAGUAdAAuAHcARQBiA'
            - 'bgBFAHQALgB3AEUAYg'
            - '4ARQB0AC4AdwBFAGIA'
            - 'uAEUAdAAuAHcARQBiA'
            - 'TgBFAHQALgB3AEUAYg'
            - 'OAEUAdAAuAHcARQBiA'
            - 'bgBlAFQALgB3AEUAYg'
            - '4AZQBUAC4AdwBFAGIA'
            - 'uAGUAVAAuAHcARQBiA'
            - 'TgBlAFQALgB3AEUAYg'
            - 'OAGUAVAAuAHcARQBiA'
            - 'bgBFAFQALgB3AEUAYg'
            - '4ARQBUAC4AdwBFAGIA'
            - 'uAEUAVAAuAHcARQBiA'
            - 'TgBFAFQALgB3AEUAYg'
            - 'OAEUAVAAuAHcARQBiA'
            - 'bgBlAHQALgBXAEUAYg'
            - '4AZQB0AC4AVwBFAGIA'
            - 'uAGUAdAAuAFcARQBiA'
            - 'TgBlAHQALgBXAEUAYg'
            - 'OAGUAdAAuAFcARQBiA'
            - 'bgBFAHQALgBXAEUAYg'
            - '4ARQB0AC4AVwBFAGIA'
            - 'uAEUAdAAuAFcARQBiA'
            - 'TgBFAHQALgBXAEUAYg'
            - 'OAEUAdAAuAFcARQBiA'
            - 'bgBlAFQALgBXAEUAYg'
            - '4AZQBUAC4AVwBFAGIA'
            - 'uAGUAVAAuAFcARQBiA'
            - 'TgBlAFQALgBXAEUAYg'
            - 'OAGUAVAAuAFcARQBiA'
            - 'bgBFAFQALgBXAEUAYg'
            - '4ARQBUAC4AVwBFAGIA'
            - 'uAEUAVAAuAFcARQBiA'
            - 'TgBFAFQALgBXAEUAYg'
            - 'OAEUAVAAuAFcARQBiA'
            - 'bgBlAHQALgB3AGUAQg'
            - '4AZQB0AC4AdwBlAEIA'
            - 'uAGUAdAAuAHcAZQBCA'
            - 'TgBlAHQALgB3AGUAQg'
            - 'OAGUAdAAuAHcAZQBCA'
            - 'bgBFAHQALgB3AGUAQg'
            - '4ARQB0AC4AdwBlAEIA'
            - 'uAEUAdAAuAHcAZQBCA'
            - 'TgBFAHQALgB3AGUAQg'
            - 'OAEUAdAAuAHcAZQBCA'
            - 'bgBlAFQALgB3AGUAQg'
            - '4AZQBUAC4AdwBlAEIA'
            - 'uAGUAVAAuAHcAZQBCA'
            - 'TgBlAFQALgB3AGUAQg'
            - 'OAGUAVAAuAHcAZQBCA'
            - 'bgBFAFQALgB3AGUAQg'
            - '4ARQBUAC4AdwBlAEIA'
            - 'uAEUAVAAuAHcAZQBCA'
            - 'TgBFAFQALgB3AGUAQg'
            - 'OAEUAVAAuAHcAZQBCA'
            - 'bgBlAHQALgBXAGUAQg'
            - '4AZQB0AC4AVwBlAEIA'
            - 'uAGUAdAAuAFcAZQBCA'
            - 'TgBlAHQALgBXAGUAQg'
            - 'OAGUAdAAuAFcAZQBCA'
            - 'bgBFAHQALgBXAGUAQg'
            - '4ARQB0AC4AVwBlAEIA'
            - 'uAEUAdAAuAFcAZQBCA'
            - 'TgBFAHQALgBXAGUAQg'
            - 'OAEUAdAAuAFcAZQBCA'
            - 'bgBlAFQALgBXAGUAQg'
            - '4AZQBUAC4AVwBlAEIA'
            - 'uAGUAVAAuAFcAZQBCA'
            - 'TgBlAFQALgBXAGUAQg'
            - 'OAGUAVAAuAFcAZQBCA'
            - 'bgBFAFQALgBXAGUAQg'
            - '4ARQBUAC4AVwBlAEIA'
            - 'uAEUAVAAuAFcAZQBCA'
            - 'TgBFAFQALgBXAGUAQg'
            - 'OAEUAVAAuAFcAZQBCA'
            - 'bgBlAHQALgB3AEUAQg'
            - '4AZQB0AC4AdwBFAEIA'
            - 'uAGUAdAAuAHcARQBCA'
            - 'TgBlAHQALgB3AEUAQg'
            - 'OAGUAdAAuAHcARQBCA'
            - 'bgBFAHQALgB3AEUAQg'
            - '4ARQB0AC4AdwBFAEIA'
            - 'uAEUAdAAuAHcARQBCA'
            - 'TgBFAHQALgB3AEUAQg'
            - 'OAEUAdAAuAHcARQBCA'
            - 'bgBlAFQALgB3AEUAQg'
            - 'uAGUAVAAuAHcARQBCA'
            - 'bgBFAFQALgB3AEUAQg'
            - '4ARQBUAC4AdwBFAEIA'
            - 'uAEUAVAAuAHcARQBCA'
            - 'TgBFAFQALgB3AEUAQg'
            - 'OAEUAVAAuAHcARQBCA'
            - 'TgBlAHQALgBXAEUAQg'
            - '4AZQB0AC4AVwBFAEIA'
            - 'OAGUAdAAuAFcARQBCA'
            - 'bgBFAHQALgBXAEUAQg'
            - '4ARQB0AC4AVwBFAEIA'
            - 'uAEUAdAAuAFcARQBCA'
            - 'TgBFAHQALgBXAEUAQg'
            - 'OAEUAdAAuAFcARQBCA'
            - 'bgBlAFQALgBXAEUAQg'
            - '4AZQBUAC4AVwBFAEIA'
            - 'uAGUAVAAuAFcARQBCA'
            - 'TgBlAFQALgBXAEUAQg'
            - 'OAGUAVAAuAFcARQBCA'
            - 'bgBFAFQALgBXAEUAQg'
            - '4ARQBUAC4AVwBFAEIA'
            - 'uAEUAVAAuAFcARQBCA'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
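The block below is an added worked example, not code from the rule or from the Sigma project. It shows where the `selection_encoded` fragments come from (PowerShell encodes the script as UTF-16LE, then base64, and the resulting characters depend on which of the three byte alignments the string lands on), recovers the script text from an `-EncodedCommand` style argument, and evaluates a process_creation event against the rule's `all of selection_*` condition. Only four of the rule's 145 fragments are embedded; the sample events, the image path and the command lines are constructed for the example.

```python
"""Added example (not part of the Sigma rule or the Sigma project): derives the
base64 fragments used in selection_encoded and matches a process_creation event
against the rule. All sample events below are constructed."""
import base64
import math
import re

# Four of the rule's 145 fragments, copied from selection_encoded above; a real
# deployment uses the full list. Comments give the UTF-16LE text each encodes
# and the alignment (start offset of the string modulo 3) it assumes.
RULE_FRAGMENTS = (
    "TgBlAFQALgB3AEUAQg",  # "NeT.wEB", alignment 0
    "4AZQBUAC4AdwBFAEIA",  # "NeT.wEB", alignment 1 (also produced by "neT.wEB")
    "OAGUAVAAuAHcARQBCA",  # "NeT.wEB", alignment 2
    "uAGUAVAAuAHcARQBCA",  # "neT.wEB", alignment 2
)


def encode_command(script):
    """What powershell.exe -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def utf16le_b64_fragments(text):
    """Base64 substrings that `text` yields inside an encoded command, one per
    alignment (0, 1, 2). Base64 maps 3 bytes to 4 characters, so the output for a
    2-bytes-per-character UTF-16LE string depends on where it starts. Only
    characters whose six bits lie entirely inside the string's bytes are kept,
    which is why 14 bytes of "Net.Web" give the rule's 18-character entries."""
    data = text.encode("utf-16-le")
    fragments = []
    for k in range(3):
        b64 = base64.b64encode(b"\x00" * k + data).decode("ascii")
        first = math.ceil(8 * k / 6)          # first char fully inside data
        stop = (8 * k + 8 * len(data)) // 6   # one past the last such char
        fragments.append(b64[first:stop])
    return fragments


def alignment1_ignores_first_case(text):
    """At alignment 1 the dropped leading character carries the high nibble of
    the first byte, and the ASCII case bit (0x20) sits in that nibble. Returns
    True when swapping the case of the first letter leaves the alignment-1
    fragment unchanged, i.e. the rule's '4A...' entries cannot tell N from n."""
    flipped = text[0].swapcase() + text[1:]
    return utf16le_b64_fragments(text)[1] == utf16le_b64_fragments(flipped)[1]


ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line):
    """Recover the script text behind an -EncodedCommand style argument, or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_fragment(command_line, fragments=RULE_FRAGMENTS):
    """First rule fragment contained in the command line, else None. Base64 is
    case-sensitive, so this comparison is case-sensitive as well."""
    return next((f for f in fragments if f in command_line), None)


def matches_rule(event, fragments=RULE_FRAGMENTS):
    """Evaluate `all of selection_*` for a process_creation event given as a dict
    with Image, OriginalFileName and CommandLine. Sigma compares Image and
    OriginalFileName case-insensitively, mirrored here with lower()."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    selection_img = (image.endswith(("\\powershell.exe", "\\pwsh.exe"))
                     or original in ("powershell.exe", "pwsh.dll"))
    selection_encoded = find_fragment(event.get("CommandLine", ""), fragments) is not None
    return selection_img and selection_encoded


# Constructed sample events: one with anomalous casing, one with conventional casing.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command("New-Object NeT.wEBClient")},
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -enc " + encode_command("New-Object Net.WebClient")},
]

if __name__ == "__main__":
    print(utf16le_b64_fragments("NeT.wEB"))  # the rule's first three entries
    for ev in SAMPLE_EVENTS:
        print(matches_rule(ev), find_fragment(ev["CommandLine"]),
              decode_encoded_command(ev["CommandLine"]))
```

In the first sample event the string `NeT.wEB` begins at byte 22 of the script (after `New-Object `), so 22 mod 3 = 1 and it is the alignment-1 entry `4AZQBUAC4AdwBFAEIA` that fires. Two points worth knowing when tuning: the alignment-1 entries (those starting with `4A`) drop the nibble holding the case bit of the first letter, so `4AZQB0AC4AVwBlAGIA` in the rule is produced by the conventional `Net.Web` as well as by `net.Web` whenever the string starts at an offset of 1 mod 3; and Sigma string comparisons are case-insensitive by default, so a backend that applies that default to these base64 values matches more encodings than the list spells out, whereas the code above compares them case-sensitively.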
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell