PowerShell Base64 Encoded WMI Classes

Severity: high
Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects calls to base64-encoded WMI classes such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.

MITRE ATT&CK coverage

Tactic             Technique
Execution          T1059.001 Command and Scripting Interpreter: PowerShell
Defense Evasion    T1027 Obfuscated Files or Information

Event coverage

Provider    Event ID    Title
Sysmon      1           Process creation

Stages and Predicates

Stage 1: selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll

Stage 2: 1 of selection_cli_shadowcopy

or:
CommandLine|contains: V2luMzJfU2hhZG93Y29we
CommandLine|contains: 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
CommandLine|contains: 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'
CommandLine|contains: XaW4zMl9TaGFkb3djb3B5
CommandLine|contains: 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
CommandLine|contains: dpbjMyX1NoYWRvd2NvcH

Stage 3: 1 of selection_cli_scheduledJob

or:
CommandLine|contains: V2luMzJfU2NoZWR1bGVkSm9i
CommandLine|contains: 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'
CommandLine|contains: 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'
CommandLine|contains: XaW4zMl9TY2hlZHVsZWRKb2
CommandLine|contains: 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'
CommandLine|contains: dpbjMyX1NjaGVkdWxlZEpvY

Stage 4: 1 of selection_cli_process

or:
CommandLine|contains: V2luMzJfUHJvY2Vzc
CommandLine|contains: 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'
CommandLine|contains: 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'
CommandLine|contains: XaW4zMl9Qcm9jZXNz
CommandLine|contains: 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'
CommandLine|contains: dpbjMyX1Byb2Nlc3

Stage 5: 1 of selection_cli_useraccount

or:
CommandLine|contains: V2luMzJfVXNlckFjY291bn
CommandLine|contains: 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'
CommandLine|contains: 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'
CommandLine|contains: XaW4zMl9Vc2VyQWNjb3Vud
CommandLine|contains: 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'
CommandLine|contains: dpbjMyX1VzZXJBY2NvdW50

Stage 6: 1 of selection_cli_loggedonuser

or:
CommandLine|contains: V2luMzJfTG9nZ2VkT25Vc2Vy
CommandLine|contains: 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'
CommandLine|contains: 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'
CommandLine|contains: XaW4zMl9Mb2dnZWRPblVzZX
CommandLine|contains: 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'
CommandLine|contains: dpbjMyX0xvZ2dlZE9uVXNlc
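
Each selection_cli_* stage lists six substrings for one class name: three base64 alignments of its UTF-8 spelling (as it appears on a plain command line) and three of its UTF-16LE spelling (what PowerShell's -EncodedCommand carries). The Python below is an added example, not part of the rule or this catalog page: it reproduces that derivation with the offsets used by Sigma's base64offset modifier, then evaluates the rule's condition (selection_img and 1 of selection_cli_*) on a constructed Sysmon process-creation event. Note that the indicators on this page decode to the spelling "Win32_Shadowcopy" (lowercase c); base64 is case-sensitive, so the generator is the quickest way to obtain the substrings for another spelling. The event dictionary, field names aside, and the sample command line are constructed for the example.

```python
from __future__ import annotations

import base64

# Offsets used by Sigma's base64offset derivation: prepend 0, 1 or 2 filler
# bytes, encode, then cut the leading characters that still depend on the
# filler and the trailing characters that depend on the padding. What remains
# is the part of the base64 text fixed by the value alone, whatever precedes it.
_START = (0, 2, 3)
_END = (None, -3, -2)


def base64_offsets(data: bytes) -> list[str]:
    """Return the three alignment-independent base64 substrings of `data`."""
    variants = []
    for shift in range(3):
        encoded = base64.b64encode(b" " * shift + data).decode("ascii")
        variants.append(encoded[_START[shift]:_END[(len(data) + shift) % 3]])
    return variants


def wmi_class_indicators(class_name: str) -> dict[str, list[str]]:
    """Six substrings per class name: three alignments of the UTF-8 spelling
    and three of UTF-16LE, the encoding PowerShell's -EncodedCommand expects."""
    return {
        "utf-8": base64_offsets(class_name.encode("utf-8")),
        "utf-16le": base64_offsets(class_name.encode("utf-16le")),
    }


# Class names exactly as the rule's indicators decode to them (note "Shadowcopy").
WMI_CLASSES = (
    "Win32_Shadowcopy",
    "Win32_ScheduledJob",
    "Win32_Process",
    "Win32_UserAccount",
    "Win32_LoggedOnUser",
)
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("powershell.exe", "pwsh.dll")


def matches_rule(event: dict[str, str]) -> str | None:
    """Evaluate the rule's condition (selection_img and 1 of selection_cli_*)
    on a process-creation event. Returns the matched class name or None.
    Sigma string comparisons are case-insensitive, so both sides are lowered."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    if not (image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILENAMES):
        return None
    cmdline = event.get("CommandLine", "").lower()
    for class_name in WMI_CLASSES:
        for variants in wmi_class_indicators(class_name).values():
            if any(v.lower() in cmdline for v in variants):
                return class_name
    return None


def encoded_command_event(script: str) -> dict[str, str]:
    """Constructed Sysmon event 1 for a PowerShell -EncodedCommand launch
    (test fixture built here, not a real log record)."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {blob}",
    }


if __name__ == "__main__":
    for encoding, values in wmi_class_indicators("Win32_Shadowcopy").items():
        print(encoding, values)
    # A benign inventory query encoded the way the rule expects: fires.
    print(matches_rule(encoded_command_event("Get-CimInstance Win32_Shadowcopy")))
    # The same query against a class the rule does not list: does not fire.
    print(matches_rule(encoded_command_event("Get-CimInstance Win32_OperatingSystem")))
```

Running the block prints the six Win32_Shadowcopy substrings, which are the six values of Stage 2 above, in the order shift 0, 1, 2 for each encoding. The prefix before the class name in the encoded script ("Get-CimInstance ") is 32 bytes long in UTF-16LE, so the class name lands on alignment 2 and the third UTF-16LE variant is the one that hits; the other two alignments cover any other prefix length, which is why the rule needs all three.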

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field               Kind        Values
CommandLine         match
  • V2luMzJfTG9nZ2VkT25Vc2Vy
  • V2luMzJfU2NoZWR1bGVkSm9i
  • V2luMzJfU2hhZG93Y29we
  • V2luMzJfUHJvY2Vzc
  • V2luMzJfVXNlckFjY291bn
  • VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA
  • VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw
  • VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA
  • VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ
  • VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A
  • XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg
  • XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA
  • XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg
  • XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A
  • XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA
  • XaW4zMl9Mb2dnZWRPblVzZX
  • XaW4zMl9Qcm9jZXNz
  • XaW4zMl9TY2hlZHVsZWRKb2
  • XaW4zMl9TaGFkb3djb3B5
  • XaW4zMl9Vc2VyQWNjb3Vud
  • cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA
  • cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA
  • cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA
  • cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA
  • cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA
  • dpbjMyX0xvZ2dlZE9uVXNlc
  • dpbjMyX1Byb2Nlc3
  • dpbjMyX1NjaGVkdWxlZEpvY
  • dpbjMyX1NoYWRvd2NvcH
  • dpbjMyX1VzZXJBY2NvdW50
Image               ends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileName    eq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)