Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
--- a/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml
@@ -0,0 +1,33 @@
+
+title: PowerShell ShellCode
+ruletype: Sigma
+author: David Ledbetter (shellcode), Florian Roth (rule)
+date: 2018/11/17
+description: Detects Base64 encoded Shellcode
+detection:
+  SELECTION_1:
+    ScriptBlockText: '*AAAAYInlM*'
+  SELECTION_2:
+    ScriptBlockText:
+    - '*OiCAAAAYInlM*'
+    - '*OiJAAAAYInlM*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
+level: critical
+logsource:
+  category: ps_script
+  definition: Script block logging must be enabled
+  product: windows
+modified: 2021/10/16
+references:
+- https://twitter.com/cyb3rops/status/1063072865992523776
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+- attack.execution
+- attack.t1059.001
+- attack.t1086