Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Tune entropy threshold to distinguish obfuscation from legitimate compression |
| TimeWindow | Adjust correlation window between script execution and encoded file creation |
| SuspiciousParentProcessList | Customize based on environment to include LOLBins or admin tools misused for obfuscation |
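As an added example (not part of this analytic or any vendor's detection content), a Python sketch of the Windows correlation above: it joins each Sysmon EventCode=11 file creation to the 4688 process creation with the same PID, applies SuspiciousParentProcessList and TimeWindow, and scores the written bytes against PayloadEntropyThreshold, kept per extension because base64 text cannot exceed 6 bits/byte while compressed or encrypted data approaches 8. The event field names, PIDs, paths and command lines are constructed for the example.

```python
import base64
import math
from collections import Counter
from datetime import datetime, timedelta

# Tunables mirroring the analytic's fields; the values are assumptions for this example.
PAYLOAD_ENTROPY_THRESHOLD = {".b64": 5.5, ".zip": 7.5, ".7z": 7.5, ".enc": 7.5}  # base64 peaks at 6.0
TIME_WINDOW = timedelta(minutes=5)
SUSPICIOUS_PARENT_PROCESS_LIST = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def correlate(proc_events, file_events, file_bytes):
    """Pair Sysmon EventCode=11 file creations with the 4688 process creation of the same PID."""
    by_pid = {p["pid"]: p for p in proc_events}
    hits = []
    for f in file_events:
        ext = "." + f["target"].rsplit(".", 1)[-1].lower()
        p = by_pid.get(f["pid"])
        # Drop: unknown extension, no creating process, benign parent, or file outside the window.
        if (ext not in PAYLOAD_ENTROPY_THRESHOLD or p is None
                or p["parent"].lower() not in SUSPICIOUS_PARENT_PROCESS_LIST
                or not timedelta(0) <= f["time"] - p["time"] <= TIME_WINDOW):
            continue
        entropy = shannon_entropy(file_bytes.get(f["target"], b""))
        if entropy >= PAYLOAD_ENTROPY_THRESHOLD[ext]:
            hits.append({"pid": f["pid"], "parent": p["parent"], "target": f["target"],
                         "entropy": entropy, "cmdline": p["cmdline"]})
    return hits

# Constructed sample telemetry; PIDs, paths and command lines are invented for this example.
T0 = datetime(2024, 1, 1, 12, 0, 0)
PROC_EVENTS = [  # EventCode=4688
    {"pid": 4312, "parent": "powershell.exe", "time": T0, "cmdline": "certutil.exe -encode stage.dat out.b64"},
    {"pid": 5120, "parent": "explorer.exe", "time": T0, "cmdline": "7z.exe a docs.7z docs"},
    {"pid": 6001, "parent": "cmd.exe", "time": T0, "cmdline": "makecab.exe notes.txt old.zip"},
]
FILE_EVENTS = [  # EventCode=11
    {"pid": 4312, "target": "C:\\Users\\a\\out.b64", "time": T0 + timedelta(seconds=30)},
    {"pid": 5120, "target": "C:\\Users\\a\\docs.7z", "time": T0 + timedelta(seconds=30)},
    {"pid": 6001, "target": "C:\\Users\\a\\old.zip", "time": T0 + timedelta(minutes=20)},
]
RAMP = bytes(range(256)) * 3  # every byte value exactly 3 times: 8.0 bits/byte; its base64 is exactly 6.0
FILE_BYTES = {"C:\\Users\\a\\out.b64": base64.b64encode(RAMP),  # suspicious parent, in window: hit
              "C:\\Users\\a\\docs.7z": RAMP,  # high entropy but benign parent: no hit
              "C:\\Users\\a\\old.zip": RAMP}  # suspicious parent but 20 minutes later: no hit
```

Legitimate archives score just as high as obfuscated payloads (docs.7z here), so the parent-process and time-window conditions, not entropy alone, carry the analytic.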
Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| Command Execution (DC0064) | linux:cli | Shell history logs |

| Field | Description |
|---|---|
| CommandRegex | Customize for tools seen in environment (e.g., gzip, bzip2, xz) |
| SensitivePathList | Specify file paths likely targeted for obfuscation (e.g., /etc/, /home/) |
Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream --predicate 'processImagePath contains "zip" OR processImagePath contains "base64"' |
| File Creation (DC0039) | macos:osquery | file_events |

| Field | Description |
|---|---|
| FilenameExtensionList | Tunable to identify uncommon or encrypted file formats (e.g., .enc, .b64, .xz) |
| UserContext | Tune to prioritize unexpected file access by service accounts |
Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | networkdevice:IDS | content inspection / PCAP / HTTP body |

| Field | Description |
|---|---|
| EntropyThreshold | Adjust threshold to reduce false positives in compressed but benign data |
| ProtocolScope | Refine by enabling inspection of specific exfil vectors (e.g., FTP, HTTP POST) |
Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs).

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | esxi:vmkernel | Datastore modification events |
| OS API Execution (DC0021) | esxi:hostd | Remote access API calls and file uploads |

| Field | Description |
|---|---|
| StagingLocation | Tune based on observed adversary paths (e.g., /vmfs/volumes/...) |
| EncodedLengthThreshold | Tune length of encoded payloads before triggering detection |