
Summary
This rule detects a Portable Executable (PE) file encoded within a PowerShell script by matching the base64-encoded PE header strings commonly used when attackers inject a malicious executable into memory. Base64-encoding a PE is a tactic threat actors use to bypass file-based defenses: the payload is decoded and executed directly in memory without ever being written to disk. The query runs on the Elastic Stack against Windows event logs collected by winlogbeat and PowerShell logs. The investigation guide provides steps to analyze the triggering script, examine related services, and track abnormal behavior to identify potential malware, enabling a proactive response to security incidents. The rule maps to the MITRE ATT&CK framework to classify the techniques and tactics involved (execution and defense evasion).
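The detection idea described above, as an added worked example that is not part of this rule page or of the Elastic rule set: base64 maps 3 bytes to 4 characters, so the same DOS header bytes encode to different text depending on how many bytes precede them (0, 1 or 2 modulo 3). The code derives one stable marker per alignment from the standard 12-byte DOS header prefix, then goes one step beyond plain string matching by decoding each long base64 run found in script block text and checking that the decoded bytes contain a DOS header whose e_lfanew field resolves to a "PE\0\0" signature. The DOS header constant, the 32-character run threshold, the `build_fake_pe` helper and the sample script blocks are all constructed for this example; the rule's own query strings are not reproduced here.

```python
import base64
import binascii
import re
import struct

# First 12 bytes of the DOS header emitted by most linkers: e_magic "MZ",
# e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4. Constructed constant for this example.
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"

# Base64 runs long enough to plausibly carry a binary payload (constructed threshold).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def encoded_header_markers(header=DOS_HEADER_PREFIX):
    """Base64 text that any stream containing `header` must contain, one string
    per alignment. Characters that mix header bits with unknown neighbouring
    bytes are dropped so each marker is stable whatever surrounds the header."""
    markers = []
    for shift in range(3):
        text = base64.b64encode(b"\x00" * shift + header).decode().rstrip("=")
        lead = (0, 2, 3)[shift]                        # chars mixing prefix and header bits
        tail = (0, 2, 3)[(shift + len(header)) % 3]    # partial trailing group
        markers.append(text[lead:len(text) - tail])
    return markers


def _looks_like_pe(blob, off):
    """True if blob[off:] starts with a DOS header whose e_lfanew points at a
    'PE\\0\\0' signature inside the buffer."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    sig = off + e_lfanew
    return e_lfanew >= 0x40 and blob[sig:sig + 4] == b"PE\x00\x00"


def find_encoded_pe(script_text):
    """Scan PowerShell script block text for an embedded base64 PE.
    Returns one (char_offset, marker, verified) tuple per suspicious run:
    `marker` is the alignment-specific header string that matched (None if
    none did) and `verified` is True when the decoded bytes contain a DOS
    header whose e_lfanew resolves to a PE signature."""
    markers = encoded_header_markers()
    findings = []
    for m in BASE64_RUN.finditer(script_text):
        run = m.group(0)
        marker = next((k for k in markers if k in run), None)
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            blob = b""
        verified = False
        off = blob.find(b"MZ")
        while off != -1 and not verified:
            verified = _looks_like_pe(blob, off)
            off = blob.find(b"MZ", off + 1)
        if marker or verified:
            findings.append((m.start(), marker, verified))
    return findings


def build_fake_pe(e_lfanew=0x80):
    """Constructed, non-executable PE-shaped bytes: a 64-byte DOS header whose
    e_lfanew field points at a 'PE\\0\\0' signature, followed by zero filler."""
    dos = DOS_HEADER_PREFIX + b"\x00" * (0x3C - len(DOS_HEADER_PREFIX))
    dos += struct.pack("<I", e_lfanew)
    return dos + b"\x00" * (e_lfanew - len(dos)) + b"PE\x00\x00" + b"\x00" * 20


# Constructed script block samples, not real telemetry.
_TEMPLATE = "$b = [Convert]::FromBase64String('%s')"
SAMPLE_SCRIPT_BLOCKS = {
    "embedded_pe": _TEMPLATE % base64.b64encode(build_fake_pe()).decode(),
    # one junk byte before the image shifts the base64 alignment
    "shifted_pe": _TEMPLATE % base64.b64encode(b"\x01" + build_fake_pe()).decode(),
    "benign_text": _TEMPLATE % base64.b64encode(
        b"The quick brown fox jumps over the lazy dog. " * 3).decode(),
    # "MZ" appears in plain text but the header check rejects it
    "mz_in_text": _TEMPLATE % base64.b64encode(
        b"Timezone: MZ region - nothing to see here. " * 5).decode(),
}


def scan_samples():
    """Run the detector over every constructed sample; returns name -> findings."""
    return {name: find_encoded_pe(text) for name, text in SAMPLE_SCRIPT_BLOCKS.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, hits)
```

The marker list is what a log query can match cheaply; the decode-and-verify step is what an analyst or an enrichment job can run on the script block text once the rule fires, to cut false positives from base64 blobs that merely happen to contain "MZ". Both steps only see contiguous base64, so a payload split across concatenated strings or wrapped in another layer such as gzip will not match and needs its own rule logic.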
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Script
- Application Log
- Network Share
ATT&CK Techniques
- T1059
- T1059.001
- T1055
Created: 2021-10-15