Detection of processes that load or decode encrypted/encoded files in memory and subsequently execute or inject them, indicating payload unpacking or memory-resident malware.

| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| Image | Path of decoder utilities (e.g., certutil.exe, powershell.exe) can vary across environments. |
| CommandLine | Base64/hex strings used may change per encoded payload. |
| TimeWindow | The duration between file decode and execution may differ across implementations. |

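The Windows analytic above correlates three sources: a decoder process creation (Security 4688), then a module load (Sysmon 7) or process access (Sysmon 10) from that same process inside a tunable time window. The following is an added example of that correlation and is not code from the original page; the event records are constructed to mimic Security/Sysmon fields, the decoder regexes, the 5-minute window and the "unsigned module or injection-capable access mask" evidence rules are assumptions a deployment would tune.

```python
"""Added example: decode-then-inject correlation over constructed Windows
Security 4688 and Sysmon 7/10 records (not real captures)."""
import re
from datetime import datetime, timedelta

# Decoder invocations named in the analytic's table (certutil, powershell).
# Image paths and flag spellings vary per environment; tune these patterns.
DECODE_PATTERNS = [
    re.compile(r"\bcertutil(\.exe)?\b.*\s-decode(hex)?\b", re.I),
    re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"FromBase64String\s*\(", re.I),
]
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights
# needed to write into and start a thread in another process.
INJECT_ACCESS_MASK = 0x0002 | 0x0008 | 0x0020
WINDOW = timedelta(minutes=5)   # the TimeWindow knob from the table


def is_decoder_commandline(cmd):
    return any(p.search(cmd) for p in DECODE_PATTERNS)


def _pid(value):
    # Security writes PIDs as hex strings ("0x1a4"), Sysmon as decimal ("420");
    # base 0 parses both so the two sources can be joined on one key.
    return int(str(value), 0)


def correlate(events, window=WINDOW):
    """Return one alert per Sysmon 7/10 record that follows a decoder 4688
    from the same PID within `window` and carries injection-style evidence."""
    pending = {}   # pid -> (decode timestamp, decode event)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["EventCode"] == 4688:
            if is_decoder_commandline(e.get("CommandLine", "")):
                pending[_pid(e["NewProcessId"])] = (ts, e)
            continue
        if e["EventCode"] == 10:          # process access by the decoder
            pid = _pid(e["SourceProcessId"])
            evidence = (int(e["GrantedAccess"], 16) & INJECT_ACCESS_MASK) != 0
            detail = e["TargetImage"]
        elif e["EventCode"] == 7:         # module load into the decoder
            pid = _pid(e["ProcessId"])
            evidence = str(e.get("Signed", "")).lower() == "false"
            detail = e["ImageLoaded"]
        else:
            continue
        if pid in pending and evidence:
            t0, decode = pending[pid]
            if timedelta(0) <= ts - t0 <= window:
                alerts.append({"EventCode": e["EventCode"], "pid": pid,
                               "decoder": decode["Image"], "detail": detail,
                               "delta_s": (ts - t0).total_seconds()})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CU = r"C:\Windows\System32\certutil.exe"
# Constructed sample telemetry (placeholder base64, no real payload).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "EventCode": 4688, "NewProcessId": "0x100", "Image": CU,
     "CommandLine": "certutil -hashfile C:\\Users\\Public\\setup.exe SHA256"},
    {"ts": "2024-05-01T10:00:05", "EventCode": 4688, "NewProcessId": "0x1a4", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"},
    {"ts": "2024-05-01T10:00:09", "EventCode": 7, "ProcessId": "420", "Image": PS,
     "ImageLoaded": r"C:\Users\Public\stage.dll", "Signed": "false"},          # alert
    {"ts": "2024-05-01T10:00:20", "EventCode": 10, "SourceProcessId": "420", "SourceImage": PS,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},   # alert
    {"ts": "2024-05-01T10:00:30", "EventCode": 10, "SourceProcessId": "256", "SourceImage": CU,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},  # no decoder
    {"ts": "2024-05-01T10:00:40", "EventCode": 7, "ProcessId": "420", "Image": PS,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},    # signed, benign
    {"ts": "2024-05-01T10:15:00", "EventCode": 10, "SourceProcessId": "420", "SourceImage": PS,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},   # outside window
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Two alerts come out of the sample set, both tied to PID 0x1a4: the unsigned DLL load and the write/create-thread access to explorer.exe. The certutil hashfile process never becomes a pending decoder, the signed kernel32 load is dropped by the evidence rule, and the late access at 10:15 is discarded by the window, which is where the TimeWindow tuning from the table shows up.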
Detection of suspicious use of shell utilities or scripts that decode or decrypt a payload and execute it without writing to disk.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | linux:Sysmon | EventCode=22 |

| Field | Description |
|---|---|
| UserContext | Normal usage of `base64`, `openssl`, or `gpg` varies by user/role. |
| ProcessLineage | Parent-child process chains may differ across deployments. |
| TimeWindow | Time between decode and execution is implementation-specific. |

Detection of encoded payloads being decoded and executed in-memory using scripting tools or third-party decoders.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream |
| Process Creation (DC0032) | macos:endpointsecurity | es_event_exec |
| Process Modification (DC0020) | macos:unifiedlog | memory mapping |

| Field | Description |
|---|---|
| ScriptContent | Encoded payload content varies across adversaries. |
| ExecutionChain | Sequence of tools or scripts executed can differ. |
| UserContext | Behaviour may differ depending on whether the user is an administrator, a daemon, or a system account. |