SigmaHQ/rules/windows/process_creation/win_powershell_frombase64string.yml

25 lines
661 B
YAML
Raw Normal View History

2020-01-29 15:05:12 +00:00
title: FromBase64String Command Line
id: e32d4572-9826-4738-b651-95fa63747e8a
status: experimental
description: Detects suspicious FromBase64String expressions in command line arguments
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth
date: 2020/01/29
modified: 2020/09/06
2020-01-29 15:05:12 +00:00
tags:
- attack.t1027
- attack.defense_evasion
- attack.t1140
- attack.t1059.001
2020-01-29 15:05:12 +00:00
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
falsepositives:
- Administrative script libraries
level: high