Potential Data Exfiltration Via Audio File

Sigma Rules

Summary
This detection rule identifies potential data exfiltration attempts in which PowerShell scripts create audio files. It analyses logged script blocks for commands and signatures indicative of audio file manipulation, particularly binary writing and file creation. The key elements monitored are references to the .NET System.Math, IO.FileMode and BinaryWriter types, which are typically used when writing files from PowerShell. In addition, the rule checks whether the script block text contains the byte sequences found in WAV audio file headers, which a script must produce in order to emit a valid audio file. When both conditions are met, the rule raises an alert for potential unauthorised exfiltration of data via audio files, especially in environments where such activity would be unexpected. Because the rule depends on the script block text, Script Block Logging must be enabled; with it, PowerShell activity is recorded in full, allowing early detection of suspicious behaviour that might bypass conventional security controls.
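The two-part check described above, expressed as a small Python scanner over constructed Script Block Logging records (Event ID 4104). This is an added example, not the Sigma rule itself or code from the rule's authors. The three .NET references come from the summary; the concrete WAV header values (RIFF, WAVE, fmt ), the handling of [char]N casts, and the requirement that all three .NET references plus at least one header chunk identifier be present are assumptions made here for illustration, not the rule's actual selectors.

```python
import re
from typing import Dict, List

# .NET references the rule summary names as file-writing indicators.
FILE_WRITE_MARKERS = ("System.Math", "IO.FileMode", "BinaryWriter")

# Chunk identifiers from the RIFF/WAVE container. The summary only says the rule
# looks for "byte sequences common to WAV headers"; these concrete values are an
# assumption drawn from the WAV format, not copied from the rule.
WAV_HEADER_MARKERS = ("RIFF", "WAVE", "fmt ")

# A run of PowerShell [char]N casts joined by commas, plus signs or whitespace.
_CHAR_RUN = re.compile(r"(?:\[char\]\s*\d+\s*(?:[,+]\s*)?)+")
_CHAR_NUM = re.compile(r"\[char\]\s*(\d+)")


def fold_char_casts(text: str) -> str:
    """Collapse [char]82,[char]73,[char]70,[char]70 into the literal 'RIFF'.

    A script that assembles a header one character at a time never contains
    the header as a plain string, so the comparison is done on the folded form.
    """
    def _join(match):
        codes = (int(n) for n in _CHAR_NUM.findall(match.group(0)))
        return "".join(chr(c) for c in codes if c < 0x110000)
    return _CHAR_RUN.sub(_join, text)


def evaluate_script_block(script_text: str) -> Dict[str, object]:
    """Apply the two conditions from the summary to one script block."""
    folded = fold_char_casts(script_text)
    lowered = folded.lower()
    write_hits = [m for m in FILE_WRITE_MARKERS if m.lower() in lowered]
    header_hits = [m for m in WAV_HEADER_MARKERS if m in folded]
    # Assumption: all three .NET references must be present (the summary lists
    # them together) and at least one header chunk identifier must appear.
    alert = len(write_hits) == len(FILE_WRITE_MARKERS) and bool(header_hits)
    return {
        "file_write_markers": write_hits,
        "wav_header_markers": header_hits,
        "alert": alert,
    }


# Constructed Event ID 4104 records for demonstration; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Benign: writes a binary file but neither uses System.Math nor a WAV header.
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText": (
        "$w = New-Object System.IO.BinaryWriter("
        "[System.IO.File]::Open('C:\\temp\\out.bin', [System.IO.FileMode]::Create)); "
        "$w.Write(1); $w.Close()")},
    # Suspicious: all three .NET references and a RIFF header built from [char] casts.
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText": (
        "$w = New-Object System.IO.BinaryWriter("
        "[System.IO.File]::Open($p, [System.IO.FileMode]::Create)); "
        "$w.Write([byte[]]([char]82,[char]73,[char]70,[char]70)); "
        "$v = [System.Math]::Sin($t)")},
    # Header strings only, no file-writing references: should not alert.
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText": (
        "Write-Host 'RIFF WAVE'; [System.Math]::Round(2.5)")},
]


def alerting_record_ids(events: List[Dict[str, object]]) -> List[int]:
    """Return the RecordIds of 4104 events whose script block satisfies both conditions."""
    return [
        int(e["RecordId"]) for e in events
        if e.get("EventID") == 4104
        and evaluate_script_block(str(e["ScriptBlockText"]))["alert"]
    ]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["RecordId"], evaluate_script_block(str(event["ScriptBlockText"])))
    print("alerting:", alerting_record_ids(SAMPLE_EVENTS))
```

Folding the [char] casts before matching is what keeps the check from being defeated by a header that is never spelled out as a string; hex byte arrays or Base64-wrapped headers are not folded here and would need further normalisation. Records 1 and 3 each satisfy only one of the two conditions, which is why the combined rule, rather than either indicator on its own, is what keeps the false-positive rate manageable on hosts that legitimately write binary files.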
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
Created: 2023-01-16