Sigma detection rule

Suspicious Obfuscated PowerShell Code

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects suspicious base64-encoded UTF-16 (and often obfuscated) PowerShell code of the kind frequently found in command lines.

Event coverage

| Provider          | Event ID | Title                           |
|-------------------|----------|---------------------------------|
| Sysmon            | 1        | Process creation                |
| Security-Auditing | 4688     | A new process has been created. |

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: AALQBiAHgAbwByACAAMAB4A
CommandLine|contains: AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg
CommandLine|contains: AHsAMAB9AHsAMwB9ACIAIAAtAGYAI
CommandLine|contains: AHsAMAB9AHsAMwB9ACcAIAAtAGYAI
CommandLine|contains: AHsAMQB9AHsAMAB9ACIAIAAtAGYAI
CommandLine|contains: AHsAMQB9AHsAMAB9ACcAIAAtAGYAI
CommandLine|contains: AHsAMgB9AHsAMAB9ACIAIAAtAGYAI
CommandLine|contains: AHsAMgB9AHsAMAB9ACcAIAAtAGYAI
CommandLine|contains: ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC
CommandLine|contains: AewAwAH0AewAzAH0AIgAgAC0AZgAg
CommandLine|contains: AewAwAH0AewAzAH0AJwAgAC0AZgAg
CommandLine|contains: AewAxAH0AewAwAH0AIgAgAC0AZgAg
CommandLine|contains: AewAxAH0AewAwAH0AJwAgAC0AZgAg
CommandLine|contains: AewAyAH0AewAwAH0AIgAgAC0AZgAg
CommandLine|contains: AewAyAH0AewAwAH0AJwAgAC0AZgAg
CommandLine|contains: AuAEkAbgB2AG8AawBlACgAKQAgAHwAI
CommandLine|contains: B7ADAAfQB7ADMAfQAiACAALQBmAC
CommandLine|contains: B7ADAAfQB7ADMAfQAnACAALQBmAC
CommandLine|contains: B7ADEAfQB7ADAAfQAiACAALQBmAC
CommandLine|contains: B7ADEAfQB7ADAAfQAnACAALQBmAC
CommandLine|contains: B7ADIAfQB7ADAAfQAiACAALQBmAC
CommandLine|contains: B7ADIAfQB7ADAAfQAnACAALQBmAC
CommandLine|contains: IAAtAGIAeABvAHIAIAAwAHgA
CommandLine|contains: gAC0AYgB4AG8AcgAgADAAeA

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 means the indicator is specific to this rule.

Field: CommandLine
Kind: match
Values:
  • AALQBiAHgAbwByACAAMAB4A
  • AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg
  • AHsAMAB9AHsAMwB9ACIAIAAtAGYAI
  • AHsAMAB9AHsAMwB9ACcAIAAtAGYAI
  • AHsAMQB9AHsAMAB9ACIAIAAtAGYAI
  • AHsAMQB9AHsAMAB9ACcAIAAtAGYAI
  • AHsAMgB9AHsAMAB9ACIAIAAtAGYAI
  • AHsAMgB9AHsAMAB9ACcAIAAtAGYAI
  • ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC
  • AewAwAH0AewAzAH0AIgAgAC0AZgAg
  • AewAwAH0AewAzAH0AJwAgAC0AZgAg
  • AewAxAH0AewAwAH0AIgAgAC0AZgAg
  • AewAxAH0AewAwAH0AJwAgAC0AZgAg
  • AewAyAH0AewAwAH0AIgAgAC0AZgAg
  • AewAyAH0AewAwAH0AJwAgAC0AZgAg
  • AuAEkAbgB2AG8AawBlACgAKQAgAHwAI
  • B7ADAAfQB7ADMAfQAiACAALQBmAC
  • B7ADAAfQB7ADMAfQAnACAALQBmAC
  • B7ADEAfQB7ADAAfQAiACAALQBmAC
  • B7ADEAfQB7ADAAfQAnACAALQBmAC
  • B7ADIAfQB7ADAAfQAiACAALQBmAC
  • B7ADIAfQB7ADAAfQAnACAALQBmAC
  • IAAtAGIAeABvAHIAIAAwAHgA
  • gAC0AYgB4AG8AcgAgADAAeA