Find sigma rule

Attack: Data Encoding: Standard Encoding

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

MITRE

Tactic

command-and-control

technique

T1132.001

Test : XOR Encoded data.

OS

windows

Description:

XOR encodes the data with a XOR key. Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f

Executor

powershell

Sigma Rule

proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
proc_creation_win_powershell_xor_commandline.yml (id: bb780e0c-16cf-4383-8383-1e5471db6cf9)
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
posh_ps_script_with_upload_capabilities.yml (id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test