PowerShell Base64 Encoded WMI Classes

Rule Info

Name
PowerShell Base64 Encoded WMI Classes
Author
Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Description
Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.
Reference
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
Date
2023-01-30 00:00:00
Modified
None
Id
1816994b-42e1-4fb1-afd2-134d88184f71
Tags
attack.execution attack.t1059.001 attack.defense_evasion attack.t1027 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=1816994b-42e1-4fb1-afd2-134d88184f71

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18
95793d73b
Nasreddine Bencherchali
feat: new rules, updates and fp fixes (#4162)
2023-04-11
2710bf471
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
feat: multiple updates and enhancements
2023-01-30
e6c155442
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022