Detection rules › Sigma
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Detects PowerShell command lines whose base64 (UTF-16LE) encoded payload contains the "Load" keyword obfuscated by string concatenation, such as `::("L"+"oad")` or `::('Lo'+'ad')`, the form used to invoke `[System.Reflection.Assembly]::Load` without the literal method name appearing in the script. Each substring in the selection is the base64 encoding of one such variant at one of the three possible byte alignments.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1027 Obfuscated Files or Information |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Note: event 4688 carries the process command line only when the audit policy "Include command line in process creation events" is enabled; without it the CommandLine field is empty and this rule cannot fire on 4688.
Stages and Predicates
Stage 1: selection (any one substring matches)
```yaml
selection:
  CommandLine|contains:
    - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
    - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
    - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
    - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
    - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
    - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
    - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
    - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
    - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
    - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
    - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
    - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
    - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
    - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
    - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
    - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
    - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
    - 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
```
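The eighteen substrings are not arbitrary: they are the base64 encodings of six plaintext variants (three split points of "Load", double or single quotes) at the three byte alignments a UTF-16LE string can have inside an `-EncodedCommand` payload, keeping only the base64 characters that the string itself fully determines. The script below, an added example and not part of the rule or the Sigma project, regenerates the list from those six variants, then runs the selection as an OR of substring tests over constructed command lines. The loader script, file path and `$x=1;` prefixes are made up for the demonstration; the prefixes exist only to shift the base64 alignment.

```python
"""Regenerate the rule's 18 base64 fragments and run its selection over sample lines."""
import base64

# The eighteen substrings from the rule's selection above.
RULE_PATTERNS = frozenset([
    "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA", "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA",
    "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA", "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA",
    "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA", "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA",
    "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ", "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ",
    "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ", "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ",
    "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ", "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ",
    "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA", "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA",
    "oAOgAoACIATABvAGEAIgArACIAZAAiACkA", "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA",
    "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA", "oAOgAoACcATABvAGEAJwArACcAZAAnACkA",
])

# The plaintext the rule hunts for: "Load" split once and rejoined with '+',
# in double or single quotes, called through PowerShell's ::(<expr>) member syntax.
PLAINTEXT_VARIANTS = [
    f"::({q}{head}{q}+{q}{tail}{q})"
    for q in ('"', "'")
    for head, tail in (("L", "oad"), ("Lo", "ad"), ("Loa", "d"))
]

# Leading base64 characters that still mix in the (unknown) bytes preceding the
# string, for each possible byte offset modulo 3.
LEADING_UNDETERMINED = {0: 0, 1: 2, 2: 3}


def base64_fragments(text):
    """Return the three alignment-specific base64 substrings that `text` produces
    when it sits inside a UTF-16LE -EncodedCommand payload at byte offset 0, 1 or 2
    (mod 3). Only characters fully determined by `text` are kept, so each fragment
    is a reliable substring whatever script surrounds it."""
    data = text.encode("utf-16-le")
    fragments = []
    for offset in range(3):
        padded = b"\x00" * offset + data          # stand-in for the preceding bytes
        b64 = base64.b64encode(padded).decode("ascii").rstrip("=")
        full_groups, remainder = divmod(len(padded), 3)
        # A trailing partial group yields `remainder` characters that depend only on
        # bytes we know; anything further would mix in bytes after the string.
        determined = 4 * full_groups + remainder
        fragments.append(b64[LEADING_UNDETERMINED[offset]:determined])
    return fragments


def all_fragments():
    """Every fragment of every variant: 6 plaintexts x 3 alignments = 18 strings."""
    return {frag for variant in PLAINTEXT_VARIANTS for frag in base64_fragments(variant)}


def encoded_command(script):
    """Encode a script the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def matching_patterns(command_line):
    """The rule's selection: OR over CommandLine|contains for the 18 substrings."""
    return sorted(p for p in RULE_PATTERNS if p in command_line)


def sigma_selection_matches(command_line):
    return bool(matching_patterns(command_line))


# Constructed sample events (not real telemetry). The loader is identical in each;
# only the number of characters in front of the obfuscated call changes, which
# shifts the base64 alignment and therefore which of the three fragments appears.
LOADER = ("[Reflection.Assembly]::(\"Lo\"+\"ad\")"
          "([IO.File]::ReadAllBytes('C:\\Windows\\Temp\\a.dll'))")   # hypothetical path
SAMPLE_PREFIXES = ["", "$x=1;", "$xyz=1;"]      # 0, 10 and 14 bytes -> offsets 0, 1, 2


def sample_command_lines():
    return ["powershell.exe -NoP -W Hidden -EncodedCommand " + encoded_command(pre + LOADER)
            for pre in SAMPLE_PREFIXES]


# Forms the selection does not cover; know these before relying on the rule alone.
UNCOVERED = {
    "plain Load": encoded_command("[Reflection.Assembly]::Load($b)"),
    "three-way split": encoded_command("[Reflection.Assembly]::('L'+'o'+'ad')($b)"),
    "not encoded": "powershell.exe -c \"[Reflection.Assembly]::('Lo'+'ad')($b)\"",
}

if __name__ == "__main__":
    print("regenerated fragments equal the rule's list:", all_fragments() == set(RULE_PATTERNS))
    for line in sample_command_lines():
        print(matching_patterns(line), line[:64] + "...")
    for name, line in UNCOVERED.items():
        print(f"{name}: matches={sigma_selection_matches(line)}")
```

Two things the run makes concrete. First, a single `contains` on a base64 blob only works because each fragment is trimmed to the characters its plaintext determines, which is why every variant needs three entries; any tool that lower-cases strings before matching (Sigma's `contains` is case-insensitive by default, the Python `in` above is not) should be checked, since base64 is case-sensitive. Second, the selection is narrow by construction: the literal `::Load`, a three-way split such as `'L'+'o'+'ad'`, and the same obfuscation in an unencoded command line all pass untouched, so this rule complements rather than replaces rules for reflective loading and for encoded commands in general.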
Indicators
Each row is a field, operator, and set of values that the rule matches. All eighteen predicates test the same field with the same operator, so the rule reduces to a single indicator row.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match (`contains`, any of) | the 18 base64 substrings listed under Stage 1: selection |