Suspicious XOR Encoded PowerShell Command
Detects presence of a potentially xor encoded powershell command
Sigma rule (View on GitHub)
1title: Suspicious XOR Encoded PowerShell Command
2id: bb780e0c-16cf-4383-8383-1e5471db6cf9
3related:
4 - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
5 type: obsoletes
6status: test
7description: Detects presence of a potentially xor encoded powershell command
8references:
9 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
10 - https://redcanary.com/blog/yellow-cockatoo/
11 - https://zero2auto.com/2020/05/19/netwalker-re/
12 - https://mez0.cc/posts/cobaltstrike-powershell-exec/
13author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
14date: 2018/09/05
15modified: 2023/01/30
16tags:
17 - attack.defense_evasion
18 - attack.execution
19 - attack.t1059.001
20 - attack.t1140
21 - attack.t1027
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_img:
27 - Image|endswith:
28 - '\powershell.exe'
29 - '\pwsh.exe'
30 - OriginalFileName:
31 - 'PowerShell.EXE'
32 - 'pwsh.dll'
33 - Description: 'Windows PowerShell'
34 - Product: 'PowerShell Core 6'
35 selection_cli_xor:
36 CommandLine|contains: 'bxor'
37 selection_cli_other:
38 CommandLine|contains:
39 - 'ForEach'
40 - 'for('
41 - 'for '
42 - '-join '
43 - "-join'"
44 - '-join"'
45 - '-join`'
46 - '::Join'
47 - '[char]'
48 condition: all of selection_*
49falsepositives:
50 - Unknown
51level: medium
References
-
PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services of the operating system and automate almost anything. But along with administrators, PowerShell also is liked by attackers and malware authors. The reason PowerShell is so attractive for adversaries is quite obvious: it has been included in essentially every Windows operating system by default for a decade, provides access to Windows API, and is rarely constrained, thus allowing adversaries to perform different tasks without risking being blocked. ttackers can use PowerShell to direct the execution of a local script, retrieve and execute remote resources using various network protocols, encode payloads passed via the command line, or load PowerShell into other processes. Because of so prevalence of PowerShell among adversaries for Threat Hunters it is very important to be able to detect malicious uses of PowerShell and defend against it. In the presentation author is going to demostrate an approaches for detection of PowerShell abuses based on different event sources like native Windows logging capabilities as well as usage of additional tools, like Sysmon or EDR solutions. How to collect traces of using PowerShell, how to filter out false positives, and how to find evidence of malicious uses among the remaining after filtering volume of events — all these questions will be answered in the talk for present and future threat hunters.
Read More -
Red Canary Intel detected a cluster of malicious activity executing a .NET RAT across multiple industries. Here’s how you can too.
Read More -
Author: Zero2Automated Course Team (preview from courses.zero2auto.com) Netwalker ransomware has been around since at least 2019* and has recently been in the news from a TrendMicro report detailin…
Read More
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher - Security
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module