
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

Status
test
Severity
high
Log source
product windows, category process_creation
Author
pH-T (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"

MITRE ATT&CK coverage

Event coverage

Rule body (yaml)

title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
related:
    - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
      type: similar
status: test
description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
references:
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
author: pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # ::("L"+"oad")
            - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
            - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
            - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
            # ::("Lo"+"ad")
            - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
            - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
            - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
            # ::("Loa"+"d")
            - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
            - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
            - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
            # ::('L'+'oad')
            - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
            - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
            - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
            # ::('Lo'+'ad')
            - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
            - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
            - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
            # ::('Loa'+'d')
            - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
            - 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
            - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
    condition: selection
falsepositives:
    - Unlikely
level: high
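The 18 literals in the selection are not arbitrary: each plaintext variant listed in the comments (for example `::("L"+"oad")`) is encoded as UTF-16LE, the way PowerShell's `-EncodedCommand` argument carries a script, and then base64-encoded at each of the three possible byte alignments, so the fragment is found no matter how much script precedes it. The following is an added example, not code from the SigmaHQ rule or from pySigma, that reproduces that derivation (it mirrors the trimming logic of Sigma's `base64offset` modifier, which is an assumption about how the literals were produced), cross-checks the result against the rule's own literals, and runs the `contains` logic over constructed command lines. The `encoded_command` helper and the sample scripts are constructed for the demonstration.

```python
import base64
from typing import List, Set

# Plaintext forms the rule targets, taken from the comments in the rule body.
OBFUSCATED_LOAD_VARIANTS = [
    '::("L"+"oad")', '::("Lo"+"ad")', '::("Loa"+"d")',
    "::('L'+'oad')", "::('Lo'+'ad')", "::('Loa'+'d')",
]

# The 18 literals from the rule's CommandLine|contains list, for cross-checking.
RULE_PATTERNS = [
    "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ", "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA", "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA",
    "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ", "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA", "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA",
    "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ", "oAOgAoACIATABvAGEAIgArACIAZAAiACkA", "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA",
    "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ", "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA", "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA",
    "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ", "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA", "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA",
    "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ", "oAOgAoACcATABvAGEAJwArACcAZAAnACkA", "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA",
]


def base64_offset_fragments(text: str, encoding: str = "utf-16-le") -> List[str]:
    """Return the three alignment-independent base64 substrings of `text`.

    A base64 character depends on up to three input bytes, so a substring's
    encoding depends on its position modulo 3. Encoding with 0, 1 and 2 bytes
    of prefix and trimming the characters that also depend on the unknown
    neighbours (leading chars polluted by the prefix, trailing chars polluted
    by padding) yields fragments that appear verbatim in any base64 blob
    containing `text` (assumed to mirror Sigma's base64offset modifier).
    """
    raw = text.encode(encoding)
    start = (0, 2, 3)        # leading chars to drop for prefix length 0, 1, 2
    end = (None, -3, -2)     # trailing chars to drop, indexed by (len + prefix) % 3
    fragments = []
    for prefix_len in range(3):
        b64 = base64.b64encode(b" " * prefix_len + raw).decode("ascii")
        fragments.append(b64[start[prefix_len]:end[(len(raw) + prefix_len) % 3]])
    return fragments


def rule_patterns() -> Set[str]:
    """Regenerate the rule's literal set from the six plaintext variants."""
    return {frag for variant in OBFUSCATED_LOAD_VARIANTS
            for frag in base64_offset_fragments(variant)}


def matches_rule(command_line: str) -> bool:
    """The rule's `CommandLine|contains` selection: any literal as a substring."""
    return any(pattern in command_line for pattern in RULE_PATTERNS)


def encoded_command(script: str) -> str:
    """Constructed sample process command line: UTF-16LE then base64, as
    PowerShell's -EncodedCommand expects (helper invented for this example)."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoProfile -EncodedCommand " + blob


if __name__ == "__main__":
    # Constructed sample scripts; each leading '#' shifts the UTF-16LE payload
    # by two bytes, so three samples exercise all three base64 alignments.
    obfuscated = '[Reflection.Assembly]::("L"+"oad")($b)'
    for pad in range(3):
        cmd = encoded_command("#" * pad + obfuscated)
        print(f"pad={pad} match={matches_rule(cmd)}")
    # The unobfuscated form is deliberately outside this rule's scope
    # (the related rule 62b7ccc9-... covers it).
    print("plain ::Load match =", matches_rule(encoded_command("[Reflection.Assembly]::Load($b)")))
    print("regenerated set equals rule literals:", rule_patterns() == set(RULE_PATTERNS))
```

Because each fragment is trimmed to the characters fully determined by the plaintext, the match does not depend on what precedes the snippet in the encoded script; the price is that a single-character change in the plaintext (a different quote style, whitespace inside the parentheses, a different split of the word) produces an entirely different fragment, which is why the rule enumerates six variants rather than one.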

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    CommandLine|contains:
        - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
        - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
        - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
        - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
        - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
        - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
        - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
        - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
        - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
        - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
        - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
        - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
        - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
        - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
        - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
        - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
        - 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
        - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        Kind   Values
CommandLine  match
  • 6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA
  • 6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA
  • 6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA
  • 6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA
  • 6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA
  • 6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA
  • OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ
  • OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ
  • OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ
  • OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ
  • OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ
  • OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ
  • oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA
  • oAOgAoACIATABvACIAKwAiAGEAZAAiACkA
  • oAOgAoACIATABvAGEAIgArACIAZAAiACkA
  • oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA
  • oAOgAoACcATABvACcAKwAnAGEAZAAnACkA
  • oAOgAoACcATABvAGEAJwArACcAZAAnACkA