Net WebClient Casing Anomalies

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll

Stage 2: `all of selection_encoded`

or:
CommandLine|contains: 4ARQB0AC4AVwBFAEIA
CommandLine|contains: 4ARQB0AC4AVwBFAGIA
CommandLine|contains: 4ARQB0AC4AVwBlAEIA
CommandLine|contains: 4ARQB0AC4AVwBlAGIA
CommandLine|contains: 4ARQB0AC4AdwBFAEIA
CommandLine|contains: 4ARQB0AC4AdwBFAGIA
CommandLine|contains: 4ARQB0AC4AdwBlAEIA
CommandLine|contains: 4ARQB0AC4AdwBlAGIA
CommandLine|contains: 4ARQBUAC4AVwBFAEIA
CommandLine|contains: 4ARQBUAC4AVwBFAGIA
CommandLine|contains: 4ARQBUAC4AVwBlAEIA
CommandLine|contains: 4ARQBUAC4AVwBlAGIA
CommandLine|contains: 4ARQBUAC4AdwBFAEIA
CommandLine|contains: 4ARQBUAC4AdwBFAGIA
CommandLine|contains: 4ARQBUAC4AdwBlAEIA
CommandLine|contains: 4ARQBUAC4AdwBlAGIA
CommandLine|contains: 4AZQB0AC4AVwBFAEIA
CommandLine|contains: 4AZQB0AC4AVwBFAGIA
CommandLine|contains: 4AZQB0AC4AVwBlAEIA
CommandLine|contains: 4AZQB0AC4AVwBlAGIA
CommandLine|contains: 4AZQB0AC4AdwBFAEIA
CommandLine|contains: 4AZQB0AC4AdwBFAGIA
CommandLine|contains: 4AZQB0AC4AdwBlAEIA
CommandLine|contains: 4AZQBUAC4AVwBFAEIA
CommandLine|contains: 4AZQBUAC4AVwBFAGIA
CommandLine|contains: 4AZQBUAC4AVwBlAEIA
CommandLine|contains: 4AZQBUAC4AVwBlAGIA
CommandLine|contains: 4AZQBUAC4AdwBFAEIA
CommandLine|contains: 4AZQBUAC4AdwBFAGIA
CommandLine|contains: 4AZQBUAC4AdwBlAEIA
CommandLine|contains: 4AZQBUAC4AdwBlAGIA
CommandLine|contains: OAEUAVAAuAFcARQBiA
CommandLine|contains: OAEUAVAAuAFcAZQBCA
CommandLine|contains: OAEUAVAAuAHcARQBCA
CommandLine|contains: OAEUAVAAuAHcARQBiA
CommandLine|contains: OAEUAVAAuAHcAZQBCA
CommandLine|contains: OAEUAdAAuAFcARQBCA
CommandLine|contains: OAEUAdAAuAFcARQBiA
CommandLine|contains: OAEUAdAAuAFcAZQBCA
CommandLine|contains: OAEUAdAAuAFcAZQBiA
CommandLine|contains: OAEUAdAAuAHcARQBCA
CommandLine|contains: OAEUAdAAuAHcARQBiA
CommandLine|contains: OAEUAdAAuAHcAZQBCA
CommandLine|contains: OAEUAdAAuAHcAZQBiA
CommandLine|contains: OAGUAVAAuAFcARQBCA
CommandLine|contains: OAGUAVAAuAFcARQBiA
CommandLine|contains: OAGUAVAAuAFcAZQBCA
CommandLine|contains: OAGUAVAAuAFcAZQBiA
CommandLine|contains: OAGUAVAAuAHcARQBCA
CommandLine|contains: OAGUAVAAuAHcARQBiA
CommandLine|contains: OAGUAVAAuAHcAZQBCA
CommandLine|contains: OAGUAVAAuAHcAZQBiA
CommandLine|contains: OAGUAdAAuAFcARQBCA
CommandLine|contains: OAGUAdAAuAFcARQBiA
CommandLine|contains: OAGUAdAAuAFcAZQBCA
CommandLine|contains: OAGUAdAAuAHcARQBCA
CommandLine|contains: OAGUAdAAuAHcARQBiA
CommandLine|contains: OAGUAdAAuAHcAZQBCA
CommandLine|contains: TgBFAFQALgB3AEUAQg
CommandLine|contains: TgBFAFQALgB3AEUAYg
CommandLine|contains: TgBFAFQALgB3AGUAQg
CommandLine|contains: TgBFAFQALgBXAEUAYg
CommandLine|contains: TgBFAFQALgBXAGUAQg
CommandLine|contains: TgBFAHQALgB3AEUAQg
CommandLine|contains: TgBFAHQALgB3AEUAYg
CommandLine|contains: TgBFAHQALgB3AGUAQg
CommandLine|contains: TgBFAHQALgB3AGUAYg
CommandLine|contains: TgBFAHQALgBXAEUAQg
CommandLine|contains: TgBFAHQALgBXAEUAYg
CommandLine|contains: TgBFAHQALgBXAGUAQg
CommandLine|contains: TgBFAHQALgBXAGUAYg
CommandLine|contains: TgBlAFQALgB3AEUAQg
CommandLine|contains: TgBlAFQALgB3AEUAYg
CommandLine|contains: TgBlAFQALgB3AGUAQg
CommandLine|contains: TgBlAFQALgB3AGUAYg
CommandLine|contains: TgBlAFQALgBXAEUAQg
CommandLine|contains: TgBlAFQALgBXAEUAYg
CommandLine|contains: TgBlAFQALgBXAGUAQg
CommandLine|contains: TgBlAFQALgBXAGUAYg
CommandLine|contains: TgBlAHQALgB3AEUAQg
CommandLine|contains: TgBlAHQALgB3AEUAYg
CommandLine|contains: TgBlAHQALgB3AGUAQg
CommandLine|contains: TgBlAHQALgBXAEUAQg
CommandLine|contains: TgBlAHQALgBXAEUAYg
CommandLine|contains: TgBlAHQALgBXAGUAQg
CommandLine|contains: bgBFAFQALgB3AEUAQg
CommandLine|contains: bgBFAFQALgB3AEUAYg
CommandLine|contains: bgBFAFQALgB3AGUAQg
CommandLine|contains: bgBFAFQALgB3AGUAYg
CommandLine|contains: bgBFAFQALgBXAEUAQg
CommandLine|contains: bgBFAFQALgBXAEUAYg
CommandLine|contains: bgBFAFQALgBXAGUAQg
CommandLine|contains: bgBFAFQALgBXAGUAYg
CommandLine|contains: bgBFAHQALgB3AEUAQg
CommandLine|contains: bgBFAHQALgB3AEUAYg
CommandLine|contains: bgBFAHQALgB3AGUAQg
CommandLine|contains: bgBFAHQALgB3AGUAYg
CommandLine|contains: bgBFAHQALgBXAEUAQg
CommandLine|contains: bgBFAHQALgBXAEUAYg
CommandLine|contains: bgBFAHQALgBXAGUAQg
CommandLine|contains: bgBFAHQALgBXAGUAYg
CommandLine|contains: bgBlAFQALgB3AEUAQg
CommandLine|contains: bgBlAFQALgB3AEUAYg
CommandLine|contains: bgBlAFQALgB3AGUAQg
CommandLine|contains: bgBlAFQALgB3AGUAYg
CommandLine|contains: bgBlAFQALgBXAEUAQg
CommandLine|contains: bgBlAFQALgBXAEUAYg
CommandLine|contains: bgBlAFQALgBXAGUAQg
CommandLine|contains: bgBlAFQALgBXAGUAYg
CommandLine|contains: bgBlAHQALgB3AEUAQg
CommandLine|contains: bgBlAHQALgB3AEUAYg
CommandLine|contains: bgBlAHQALgB3AGUAQg
CommandLine|contains: bgBlAHQALgBXAEUAYg
CommandLine|contains: bgBlAHQALgBXAGUAQg
CommandLine|contains: bgBlAHQALgBXAGUAYg
CommandLine|contains: uAEUAVAAuAFcARQBCA
CommandLine|contains: uAEUAVAAuAFcARQBiA
CommandLine|contains: uAEUAVAAuAFcAZQBCA
CommandLine|contains: uAEUAVAAuAFcAZQBiA
CommandLine|contains: uAEUAVAAuAHcARQBCA
CommandLine|contains: uAEUAVAAuAHcARQBiA
CommandLine|contains: uAEUAVAAuAHcAZQBCA
CommandLine|contains: uAEUAVAAuAHcAZQBiA
CommandLine|contains: uAEUAdAAuAFcARQBCA
CommandLine|contains: uAEUAdAAuAFcARQBiA
CommandLine|contains: uAEUAdAAuAFcAZQBCA
CommandLine|contains: uAEUAdAAuAFcAZQBiA
CommandLine|contains: uAEUAdAAuAHcARQBCA
CommandLine|contains: uAEUAdAAuAHcARQBiA
CommandLine|contains: uAEUAdAAuAHcAZQBCA
CommandLine|contains: uAEUAdAAuAHcAZQBiA
CommandLine|contains: uAGUAVAAuAFcARQBCA
CommandLine|contains: uAGUAVAAuAFcARQBiA
CommandLine|contains: uAGUAVAAuAFcAZQBCA
CommandLine|contains: uAGUAVAAuAFcAZQBiA
CommandLine|contains: uAGUAVAAuAHcARQBCA
CommandLine|contains: uAGUAVAAuAHcARQBiA
CommandLine|contains: uAGUAVAAuAHcAZQBCA
CommandLine|contains: uAGUAVAAuAHcAZQBiA
CommandLine|contains: uAGUAdAAuAFcARQBiA
CommandLine|contains: uAGUAdAAuAFcAZQBCA
CommandLine|contains: uAGUAdAAuAFcAZQBiA
CommandLine|contains: uAGUAdAAuAHcARQBCA
CommandLine|contains: uAGUAdAAuAHcARQBiA
CommandLine|contains: uAGUAdAAuAHcAZQBCA

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`4ARQB0AC4AVwBFAEIA` `4ARQB0AC4AVwBFAGIA` `4ARQB0AC4AVwBlAEIA` `4ARQB0AC4AVwBlAGIA` `4ARQB0AC4AdwBFAEIA` `4ARQB0AC4AdwBFAGIA` `4ARQB0AC4AdwBlAEIA` `4ARQB0AC4AdwBlAGIA` `4ARQBUAC4AVwBFAEIA` `4ARQBUAC4AVwBFAGIA` `4ARQBUAC4AVwBlAEIA` `4ARQBUAC4AVwBlAGIA` `4ARQBUAC4AdwBFAEIA` `4ARQBUAC4AdwBFAGIA` `4ARQBUAC4AdwBlAEIA` `4ARQBUAC4AdwBlAGIA` `4AZQB0AC4AVwBFAEIA` `4AZQB0AC4AVwBFAGIA` `4AZQB0AC4AVwBlAEIA` `4AZQB0AC4AVwBlAGIA` `4AZQB0AC4AdwBFAEIA` `4AZQB0AC4AdwBFAGIA` `4AZQB0AC4AdwBlAEIA` `4AZQBUAC4AVwBFAEIA` `4AZQBUAC4AVwBFAGIA` `4AZQBUAC4AVwBlAEIA` `4AZQBUAC4AVwBlAGIA` `4AZQBUAC4AdwBFAEIA` `4AZQBUAC4AdwBFAGIA` `4AZQBUAC4AdwBlAEIA` `4AZQBUAC4AdwBlAGIA` `OAEUAVAAuAFcARQBiA` `OAEUAVAAuAFcAZQBCA` `OAEUAVAAuAHcARQBCA` `OAEUAVAAuAHcARQBiA` `OAEUAVAAuAHcAZQBCA` `OAEUAdAAuAFcARQBCA` `OAEUAdAAuAFcARQBiA` `OAEUAdAAuAFcAZQBCA` `OAEUAdAAuAFcAZQBiA` `OAEUAdAAuAHcARQBCA` `OAEUAdAAuAHcARQBiA` `OAEUAdAAuAHcAZQBCA` `OAEUAdAAuAHcAZQBiA` `OAGUAVAAuAFcARQBCA` `OAGUAVAAuAFcARQBiA` `OAGUAVAAuAFcAZQBCA` `OAGUAVAAuAFcAZQBiA` `OAGUAVAAuAHcARQBCA` `OAGUAVAAuAHcARQBiA` `OAGUAVAAuAHcAZQBCA` `OAGUAVAAuAHcAZQBiA` `OAGUAdAAuAFcARQBCA` `OAGUAdAAuAFcARQBiA` `OAGUAdAAuAFcAZQBCA` `OAGUAdAAuAHcARQBCA` `OAGUAdAAuAHcARQBiA` `OAGUAdAAuAHcAZQBCA` `TgBFAFQALgB3AEUAQg` `TgBFAFQALgB3AEUAYg` `TgBFAFQALgB3AGUAQg` `TgBFAFQALgBXAEUAYg` `TgBFAFQALgBXAGUAQg` `TgBFAHQALgB3AEUAQg` `TgBFAHQALgB3AEUAYg` `TgBFAHQALgB3AGUAQg` `TgBFAHQALgB3AGUAYg` `TgBFAHQALgBXAEUAQg` `TgBFAHQALgBXAEUAYg` `TgBFAHQALgBXAGUAQg` `TgBFAHQALgBXAGUAYg` `TgBlAFQALgB3AEUAQg` `TgBlAFQALgB3AEUAYg` `TgBlAFQALgB3AGUAQg` `TgBlAFQALgB3AGUAYg` `TgBlAFQALgBXAEUAQg` `TgBlAFQALgBXAEUAYg` `TgBlAFQALgBXAGUAQg` `TgBlAFQALgBXAGUAYg` `TgBlAHQALgB3AEUAQg` `TgBlAHQALgB3AEUAYg` `TgBlAHQALgB3AGUAQg` `TgBlAHQALgBXAEUAQg` `TgBlAHQALgBXAEUAYg` `TgBlAHQALgBXAGUAQg` `bgBFAFQALgB3AEUAQg` `bgBFAFQALgB3AEUAYg` `bgBFAFQALgB3AGUAQg` `bgBFAFQALgB3AGUAYg` `bgBFAFQALgBXAEUAQg` `bgBFAFQALgBXAEUAYg` `bgBFAFQALgBXAGUAQg` `bgBFAFQALgBXAGUAYg` `bgBFAHQALgB3AEUAQg` `bgBFAHQALgB3AEUAYg` `bgBFAHQALgB3AGUAQg` `bgBFAHQALgB3AGUAYg` `bgBFAHQALgBXAEUAQg` `bgBFAHQALgBXAEUAYg` `bgBFAHQALgBXAGUAQg` `bgBFAHQALgBXAGUAYg` `bgBlAFQALgB3AEUAQg` `bgBlAFQALgB3AEUAYg` `bgBlAFQALgB3AGUAQg` `bgBlAFQALgB3AGUAYg` `bgBlAFQALgBXAEUAQg` `bgBlAFQALgBXAEUAYg` `bgBlAFQALgBXAGUAQg` `bgBlAFQALgBXAGUAYg` `bgBlAHQALgB3AEUAQg` `bgBlAHQALgB3AEUAYg` `bgBlAHQALgB3AGUAQg` `bgBlAHQALgBXAEUAYg` `bgBlAHQALgBXAGUAQg` `bgBlAHQALgBXAGUAYg` `uAEUAVAAuAFcARQBCA` `uAEUAVAAuAFcARQBiA` `uAEUAVAAuAFcAZQBCA` `uAEUAVAAuAFcAZQBiA` `uAEUAVAAuAHcARQBCA` `uAEUAVAAuAHcARQBiA` `uAEUAVAAuAHcAZQBCA` `uAEUAVAAuAHcAZQBiA` `uAEUAdAAuAFcARQBCA` `uAEUAdAAuAFcARQBiA` `uAEUAdAAuAFcAZQBCA` `uAEUAdAAuAFcAZQBiA` `uAEUAdAAuAHcARQBCA` `uAEUAdAAuAHcARQBiA` `uAEUAdAAuAHcAZQBCA` `uAEUAdAAuAHcAZQBiA` `uAGUAVAAuAFcARQBCA` `uAGUAVAAuAFcARQBiA` `uAGUAVAAuAFcAZQBCA` `uAGUAVAAuAFcAZQBiA` `uAGUAVAAuAHcARQBCA` `uAGUAVAAuAHcARQBiA` `uAGUAVAAuAHcAZQBCA` `uAGUAVAAuAHcAZQBiA` `uAGUAdAAuAFcARQBiA` `uAGUAdAAuAFcAZQBCA` `uAGUAdAAuAFcAZQBiA` `uAGUAdAAuAHcARQBCA` `uAGUAdAAuAHcARQBiA` `uAGUAdAAuAHcAZQBCA`
`Image`	ends_with	`\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140)
`OriginalFileName`	eq	`PowerShell.EXE` corpus 64 (sigma 60, splunk 4) `pwsh.dll` corpus 72 (sigma 68, splunk 4)