Merge pull request #165 from JohnLaTwC/patch-1

Create win_susp_powershell_hidden_b64_cmd.yml
2024-11-07 09:48:58 +00:00 · 2018-09-08 10:23:05 +02:00 · 2018-09-08 10:23:05 +02:00 · 788678feb8
commit 788678feb8
parent 5d714ab44e 7ce5b3515b
1 changed files with 82 additions and 0 deletions
--- a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
@ -0,0 +1,82 @@
+title: Malicious Base64 encoded PowerShell Keywords in command lines
+status: experimental
+description: Detects base64 encoded strings used in hidden malicious PowerShell command lines 
+references:
+    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
+tags:
+    - attack.execution
+    - attack.1086
+author: John Lambert (rule)
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    encoded:
+        EventID: 4688
+        Image: '*\powershell.exe'
+        CommandLine: '* hidden *'
+    selection:
+        EventID: 4688
+        CommandLine:
+            # bitsadmin transfer
+            - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
+            - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
+            - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
+            - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
+            - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
+            - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
+            # chunk_size
+            - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
+            - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
+            - '*JGNodW5rX3Npem*'
+            - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
+            - '*RjaHVua19zaXpl*'
+            - '*Y2h1bmtfc2l6Z*'
+            # IO.Compression
+            - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
+            - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
+            - '*lPLkNvbXByZXNzaW9u*'
+            - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
+            - '*SU8uQ29tcHJlc3Npb2*'
+            - '*Ty5Db21wcmVzc2lvb*'
+            # IO.MemoryStream
+            - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
+            - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
+            - '*lPLk1lbW9yeVN0cmVhb*'
+            - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
+            - '*SU8uTWVtb3J5U3RyZWFt*'
+            - '*Ty5NZW1vcnlTdHJlYW*'
+            # GetChunk
+            - '*4ARwBlAHQAQwBoAHUAbgBrA*'
+            - '*5HZXRDaHVua*'
+            - '*AEcAZQB0AEMAaAB1AG4Aaw*'
+            - '*LgBHAGUAdABDAGgAdQBuAGsA*'
+            - '*LkdldENodW5r*'
+            - '*R2V0Q2h1bm*'
+            # THREAD INFO64
+            - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
+            - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
+            - '*RIUkVBRF9JTkZPNj*'
+            - '*SFJFQURfSU5GTzY0*'
+            - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
+            - '*VEhSRUFEX0lORk82N*'
+            # CreateRemoteThread
+            - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
+            - '*cmVhdGVSZW1vdGVUaHJlYW*'
+            - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
+            - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
+            - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
+            - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
+            # memmove
+            - '*0AZQBtAG0AbwB2AGUA*'
+            - '*1lbW1vdm*'
+            - '*AGUAbQBtAG8AdgBlA*'
+            - '*bQBlAG0AbQBvAHYAZQ*'
+            - '*bWVtbW92Z*'
+            - '*ZW1tb3Zl*'  
+
+    condition: encoded and selection
+falsepositives:
+    - Penetration tests
+level: high