Rule Info
Name: PowerShell Base64 Encoded WMI Classes
Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Description: Detects calls to base64-encoded WMI classes such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.
Reference:
Date: 2023-01-30 00:00:00
Modified: None
Id: 1816994b-42e1-4fb1-afd2-134d88184f71
Tags: attack.execution attack.t1059.001 attack.defense_evasion attack.t1027 DEMO
Type: Community Rule
Link to Public Repo:
Rule History
Author | Title | Date | Commit
github-actions[bot] | Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test` | 2023-12-01 |
Nasreddine Bencherchali | Merge PR #4482 From @nasbench - Add New Automation Workflows | 2023-10-18 |