Base64 Encoding in CMD or Powershell
Looks for the execution of cmd.exe or powershell.exe with command lines that include the term base64. Inspired by the 2022 Red Canary Threat Detection Report.
Sigma rule

```yaml
title: Base64 Encoding in CMD or Powershell
id: 1b5f1187-7010-4f58-b6a3-2b762d594b90
status: experimental
description: Looks for the execution of cmd.exe or powershell.exe with command lines
    that include the term base64. Inspired by the 2022 Red Canary Threat Detection
    report.
references:
    - https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains: 'base64'
    condition: selection
falsepositives:
    - Windows Config Manager (https://wtfbins.wtf/1)
level: high
```
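To make the rule's matching semantics concrete, the following added example (not part of the rule or of any Sigma tooling) re-implements the `selection` block in plain Python and runs it over a handful of constructed process_creation events. The field names `Image` and `CommandLine` follow the Sigma Windows process_creation taxonomy; the event values, the `id` field and the function names are invented for illustration. It also shows two details that matter when validating a rule like this: Sigma's `endswith` and `contains` modifiers are case-insensitive by default, and the two fields inside one selection are ANDed while the list under `Image|endswith` is ORed.

```python
"""Reference matcher for the 'Base64 Encoding in CMD or Powershell' selection.

Added example; this is not the rule author's code nor a Sigma library. It
mirrors the rule's selection block:
    Image|endswith: ['\\powershell.exe', '\\cmd.exe']   (OR within the list)
    CommandLine|contains: 'base64'                     (AND with the Image test)
"""

# Sigma string modifiers are case-insensitive by default, so both the rule
# constants and the event fields are lower-cased before comparison.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\cmd.exe")
COMMANDLINE_NEEDLE = "base64"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection.

    Missing fields are treated as empty strings, which can never match, so a
    log source that omits CommandLine simply yields no alerts rather than an
    exception.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    return image.endswith(IMAGE_SUFFIXES) and COMMANDLINE_NEEDLE in cmdline


def run_detection(events) -> list:
    """Return the ids of matching events, in input order (constructed 'id' field)."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events; paths and command lines are invented for
# illustration and are not taken from any real log.
SAMPLE_EVENTS = [
    # 1: PowerShell with a base64 conversion call -> matches
    {"id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "[Convert]::FromBase64String($blob)"'},
    # 2: cmd.exe with mixed-case 'Base64' -> matches (case-insensitive contains)
    {"id": 2,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "echo Base64 >> notes.txt"'},
    # 3: wrong image; the term alone is not enough -> no match
    {"id": 3,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe base64.txt"},
    # 4: right image, no 'base64' in the command line -> no match
    {"id": 4,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    # 5: upper-case image path and term -> matches (case-insensitive endswith)
    {"id": 5,
     "Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "CommandLine": "POWERSHELL.EXE -COMMAND [CONVERT]::TOBASE64STRING($BYTES)"},
    # 6: event with no CommandLine field at all -> no match, no exception
    {"id": 6,
     "Image": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"event {event['id']}: {'MATCH' if matches_rule(event) else 'no match'}")
    print("matching ids:", run_detection(SAMPLE_EVENTS))
```

Running the block reports events 1, 2 and 5 as matches. Note that, as the rule's `falsepositives` entry states, a plain `contains: 'base64'` also fires on legitimate tooling such as Windows Config Manager, so in production the selection is normally paired with a filter on known-good parent processes or command-line patterns observed in the environment rather than tuned by loosening the `level`.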
Related rules
- PowerShell Base64 Encoding
- Command Shell Obfuscated Commands
- Gootloader Stage 2 Registry Key Creation
- Powershell Obfuscation and Escape Characters
- Suspicious Powershell Cmdlets