Base64 MZ Header In CommandLine

 1title: Base64 MZ Header In CommandLine
 2id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
 3status: test
 4description: Detects encoded base64 MZ header in the commandline
 5references:
 6    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-07-12
 9tags:
10    - attack.execution
11logsource:
12    category: process_creation
13    product: windows
14detection:
15    selection:
16        CommandLine|contains:
17            - 'TVqQAAMAAAAEAAAA' # MZ..........
18            - 'TVpQAAIAAAAEAA8A'
19            - 'TVqAAAEAAAAEABAA'
20            - 'TVoAAAAAAAAAAAAA'
21            - 'TVpTAQEAAAAEAAAA'
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

• SELECT XMRig FROM SQLServer

  

  In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner on a vulnerable server af…

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AMSI Bypass Pattern Assembly GetType
• APT29 2018 Phishing Campaign CommandLine Indicators
• AWS EC2 Startup Shell Script Change