The reverse-shell-nishang-base64 rule detects adversaries using PowerShell to establish a reverse shell via Base64 encoding, leveraging the Nishang toolkit for command and control. SOC teams should proactively hunt for this behavior as it indicates potential compromise and lateral movement within Azure environments.
KQL Query
DeviceProcessEvents
| where FileName in("powershell.exe","powershell_ise.exe") and ProcessCommandLine contains "-e"
| mvexpand SS = split(ProcessCommandLine, " ")
| where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}"
| extend DecodeString = base64_decodestring(tostring(SS))
| extend FinalString = replace("\\0", "", DecodeString)
| where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex")
id: 5d091733-0e7e-4331-b2f1-127cb36e516e
name: reverse-shell-nishang-base64
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query finds evidence of Base64-encoded commands used by the Nishang penetration testing framework to load a reverse TCP shell. This might indicate an attacker has remote access to the device.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
- Persistence
- Exfiltration
query: |
DeviceProcessEvents
| where FileName in("powershell.exe","powershell_ise.exe") and ProcessCommandLine contains "-e"
| mvexpand SS = split(ProcessCommandLine, " ")
| where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}"
| extend DecodeString = base64_decodestring(tostring(SS))
| extend FinalString = replace("\\0", "", DecodeString)
| where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex")
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Using Base64 Encoding for Log Rotation
Description: A system administrator uses base64 to encode log files for rotation, which triggers the rule due to base64 encoding in the process.
Filter/Exclusion: Exclude processes related to log rotation (e.g., logrotate, rsyslog, or syslog-ng) or filter by command-line arguments containing logrotate or rotate.
Scenario: PowerShell Base64 Decoding for Script Execution
Description: A legitimate PowerShell script is encoded in base64 and decoded using Invoke-Base64Decode as part of a script deployment or automation task.
Filter/Exclusion: Exclude processes with PowerShell.exe and command-line arguments containing Invoke-Base64Decode, script.ps1, or deploy.
Scenario: Admin Task Using Base64 for Data Encoding
Description: An admin uses base64 encoding to securely transmit sensitive data (e.g., credentials or tokens) between systems as part of a secure communication protocol.
Filter/Exclusion: Exclude processes with base64 in the command line and filter by user accounts with admin privileges (e.g., root, Administrator, or svc_account).
Scenario: Nishang Module Execution for Security Testing
Description: A red team or security team member uses the Nishang module Invoke-Base64 to test system resilience or perform a controlled reverse shell simulation.
Filter/Exclusion: Exclude processes initiated from known security testing tools (e.g., Nishang, PowerSploit, or Metasploit) or filter by user accounts associated with security testing (e.g., security_team, pentester).
Scenario: Base64 Encoding in Custom Application Logic