title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1140
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high

title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.stealth
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

title: Ping Hex IP
id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
status: test
description: Detects a ping command that uses a hex encoded IP address
references:
    - https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
    - https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth (Nextron Systems)
date: 2018-03-23
modified: 2025-10-17
tags:
    - attack.stealth
    - attack.t1140
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ping.exe'
        CommandLine|re: '0x[a-fA-F0-9]{8}'
    condition: selection
falsepositives:
    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high

title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
    - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
    - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: macos
    category: process_creation
detection:
    # Example:  /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
    # VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
    selection_image:
        Image|endswith: '/bash'
    selection_view:
        CommandLine|contains|all:
            - 'tail'
            - '-c'
    selection_b64:
        CommandLine|contains|all:
            - 'base64'
            - '-d' # Also covers "--decode"
            - '>'
    selection_files:
        CommandLine|contains:
            - '.avif'
            - '.gif'
            - '.jfif'
            - '.jpeg'
            - '.jpg'
            - '.pjp'
            - '.pjpeg'
            - '.png'
            - '.svg'
            - '.webp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
    - attack.stealth
    - attack.t1140
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains: '::FromBase64String'
        # UTF-16 LE
        - CommandLine|contains:
              - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
              - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
              - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'mcasSuspiciousInboxManipulationRules'
    condition: selection
falsepositives:
    - Actual mailbox rules that are moving items based on their workflow.
level: high

title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
    Detects when a user enables DNS-over-HTTPS.
    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
    - https://github.com/elastic/detection-rules/issues/1371
    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1140
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_edge:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
        Details: DWORD (0x00000001)
    selection_chrome:
        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
        Details: 'secure'
    selection_firefox:
        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
        Details: DWORD (0x00000001)
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: medium

title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium

title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
            - "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
            - "IyEvYmluL3pza" # Note: #!/bin/zsh"
            - "IyEvYmluL2Zpc2" # Note: #!/bin/fish
            - "IyEvYmluL3No" # Note: # !/bin/sh"
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium

title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
modified: 2022-07-26
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|startswith:
            - 'sh -c '
            - 'bash -c '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - '| bash'
              - '| sh'
              - '|bash'
              - ' |sh'
    condition: all of selection*
falsepositives:
    - Legitimate software that uses these patterns
level: medium

title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.stealth
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - '/Volumes/'
            - 'enc'
            - '-base64'
            - ' -d '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential Commandline Obfuscation Using Escape Characters
id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
status: test
description: Detects potential commandline obfuscation using known escape characters
references:
    - https://twitter.com/vysecurity/status/885545634958385153
    - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link
    - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link
    - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
    - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
date: 2018-12-11
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1140
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # - <TAB>   # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
            - 'h^t^t^p'
            - 'h"t"t"p'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://redcanary.com/blog/yellow-cockatoo/
    - https://zero2auto.com/2020/05/19/netwalker-re/
    - https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1140
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
    selection_cli_xor:
        CommandLine|contains: 'bxor'
    selection_cli_other:
        CommandLine|contains:
            - 'ForEach'
            - 'for('
            - 'for '
            - '-join '
            - "-join'"
            - '-join"'
            - '-join`'
            - '::Join'
            - '[char]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: PowerShell Decompress Commands
id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
related:
    - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
      type: derived
status: test
description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/8
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains: 'Expand-Archive'
    condition: selection_4103
falsepositives:
    - Unknown
level: informational