PowerShell ShellCode
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
PowerShell ShellCode | Standard | Windows | Defense Evasion: Process Injection (T1055), Privilege Escalation: Process Injection (T1055), Execution: Command and Scripting Interpreter - PowerShell (T1059.001) | Critical |
About the rule
Rule Type
Standard
Rule Description
This rule identifies Base64-encoded shellcode embedded within PowerShell scripts. Encoded strings like oicaaaayinlm or oijaaaayinlm are indicative of malicious payloads, commonly used to evade detection while executing shellcode directly in memory.
Severity
Trouble
Rule journey
Attack chain scenario
Stolen VPN credentials used for access → PowerShell script launched → Shellcode decoded from Base64 and executed → Remote access established → Tools downloaded for data theft
Impact
- Unauthorized in-memory code execution
- Evasion of disk-based antivirus tools
- Ransomware deployment
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly, enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "OiCAAAAYInlM,OiJAAAAYInlM" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Process Injection (T1055), Privilege Escalation: Process Injection (T1055), Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of the script block execution that contains Base64 strings known to represent shellcode patterns. This enables you to monitor runtime environments like PowerShell, identify potential credential compromises, and detect attempts to create AD snapshots.
Author
David Ledbetter (shellcode), Florian Roth (Nextron Systems)
Future actions
Known False Positives
This rule might be triggered by custom scripts which are used for debugging or memory diagnostics.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell activities: Monitor for Base64-decoded commands and in-memory execution behavior.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1040 | For Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. | |
M1026 | Restrict privileges to execute PowerShell scripts to administrators and enforce limitations on the commands that can be executed via remote PowerShell sessions. | |
M1049 | Implement antivirus or antimalware scanning to isolate suspicious files. | |
M1045 | Configure policies that allow PowerShell to execute only signed scripts. | |
M1042 | Restrict or disable PowerShell on systems where it is not required. | |
M1038 | Restrict the execution of scripts that contain sensitive language elements i.e., malicious codes using the PowerShell Constrained Language mode. |
