EXPLORE
Sign In
← Back to Explore
sigmahighHunting

PowerShell Base64 Encoded WMI Classes

Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.

MITRE ATT&CK

T1059.001T1027
executiondefense-evasion

Detection Query

selection_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
selection_cli_shadowcopy:
  CommandLine|contains:
    - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ
    - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA
    - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A
    - V2luMzJfU2hhZG93Y29we
    - dpbjMyX1NoYWRvd2NvcH
    - XaW4zMl9TaGFkb3djb3B5
selection_cli_scheduledJob:
  CommandLine|contains:
    - VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA
    - cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA
    - XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg
    - V2luMzJfU2NoZWR1bGVkSm9i
    - dpbjMyX1NjaGVkdWxlZEpvY
    - XaW4zMl9TY2hlZHVsZWRKb2
selection_cli_process:
  CommandLine|contains:
    - VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw
    - cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA
    - XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA
    - V2luMzJfUHJvY2Vzc
    - dpbjMyX1Byb2Nlc3
    - XaW4zMl9Qcm9jZXNz
selection_cli_useraccount:
  CommandLine|contains:
    - VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A
    - cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA
    - XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA
    - V2luMzJfVXNlckFjY291bn
    - dpbjMyX1VzZXJBY2NvdW50
    - XaW4zMl9Vc2VyQWNjb3Vud
selection_cli_loggedonuser:
  CommandLine|contains:
    - VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA
    - cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA
    - XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg
    - V2luMzJfTG9nZ2VkT25Vc2Vy
    - dpbjMyX0xvZ2dlZE9uVXNlc
    - XaW4zMl9Mb2dnZWRPblVzZX
condition: selection_img and 1 of selection_cli_*

Author

Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Created

2023-01-30

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001attack.defense-evasionattack.t1027
Raw Content
title: PowerShell Base64 Encoded WMI Classes
id: 1816994b-42e1-4fb1-afd2-134d88184f71
related:
    - id: 47688f1b-9f51-4656-b013-3cc49a166a36
      type: obsolete
status: test
description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
references:
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_shadowcopy:
        # Win32_ShadowCopy
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
            - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
            - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'
            - 'V2luMzJfU2hhZG93Y29we'
            - 'dpbjMyX1NoYWRvd2NvcH'
            - 'XaW4zMl9TaGFkb3djb3B5'
    selection_cli_scheduledJob:
        # Win32_ScheduledJob
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'
            - 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'
            - 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'
            - 'V2luMzJfU2NoZWR1bGVkSm9i'
            - 'dpbjMyX1NjaGVkdWxlZEpvY'
            - 'XaW4zMl9TY2hlZHVsZWRKb2'
    selection_cli_process:
        # Win32_Process
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'
            - 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'
            - 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'
            - 'V2luMzJfUHJvY2Vzc'
            - 'dpbjMyX1Byb2Nlc3'
            - 'XaW4zMl9Qcm9jZXNz'
    selection_cli_useraccount:
        # Win32_UserAccount
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'
            - 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'
            - 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'
            - 'V2luMzJfVXNlckFjY291bn'
            - 'dpbjMyX1VzZXJBY2NvdW50'
            - 'XaW4zMl9Vc2VyQWNjb3Vud'
    selection_cli_loggedonuser:
        # Win32_LoggedOnUser
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'
            - 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'
            - 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'
            - 'V2luMzJfTG9nZ2VkT25Vc2Vy'
            - 'dpbjMyX0xvZ2dlZE9uVXNlc'
            - 'XaW4zMl9Mb2dnZWRPblVzZX'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high