id: 87c1f90a-f868-4528-a9c1-15520249cae6
name: Nishang Reverse TCP Shell in Base64
description: |
  'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
  Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Exfiltration
relevantTechniques:
  - T1011
query: |
  SecurityEvent
  | where EventID == 4688
  | where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e" 
  | mvexpand SS = split(CommandLine, " ") 
  | where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}" 
  | extend DecodeString = base64_decodestring(tostring(SS)) 
  | extend FinalString = replace("\\0", "", DecodeString) 
  | where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex") 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity