Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Data Exfiltration Via Audio File

Detects potential exfiltration attempt via audio file using PowerShell

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Jan 16e4f93c99-396f-47c8-bb0f-201b1fa69034windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic2 selectors
detection:
    selection_main:
        ScriptBlockText|contains|all:
            - '[System.Math]::'
            - '[IO.FileMode]::'
            - 'BinaryWriter'
    selection_header_wav:
        ScriptBlockText|contains|all:
            # Byte chunks from the WAV header used in the example POC
            # You can extend this for different audio formats by adding different selections
            - '0x52'
            - '0x49'
            - '0x46'
            - '0x57'
            - '0x41'
            - '0x56'
            - '0x45'
            - '0xAC'
    condition: selection_main and 1 of selection_header_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
e4f93c99-396f-47c8-bb0f-201b1fa69034
Status
test
Level
medium
Type
Detection
Created
Mon Jan 16
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
Raw Tags
attack.exfiltration
View on GitHub