PowerShell Base64 Encoding
Looks for the execution of powershell.exe with a command line that includes the term base64 (for example a `[Convert]::FromBase64String(...)` call used to decode an inline payload). Inspired by the 2022 Red Canary Threat Detection report. Note that the rule matches only the literal substring base64 in the command line of powershell.exe: a payload passed with `-EncodedCommand` normally does not contain that string, and pwsh.exe is not covered by the Image condition, so pair it with the related encoded-command and obfuscation rules listed below.
Sigma rule
```yaml
title: PowerShell Base64 Encoding
id: 1d3025d2-f965-42e2-8256-adaa1054613d
status: experimental
description: Looks for the execution of powershell.exe with command lines that includes
    the term base64. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'base64'
        Image|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Windows Config Manager (https://wtfbins.wtf/1)
level: high
```
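To see what the selection above does and does not catch, the following added example (not part of the rule or of the page) re-implements the two Sigma field modifiers the rule uses, `contains` and `endswith`, with Sigma's default case-insensitive string matching, and runs them over a handful of constructed process-creation events. The events, paths and base64 blobs are made up for illustration; the field names `Image` and `CommandLine` follow the Sigma process_creation taxonomy.

```python
"""Evaluate the PowerShell Base64 Encoding selection over sample events.

Added example, not the rule's own code. The events below are constructed
(not real telemetry); the encoded blobs are placeholders.
"""

# The rule's selection, written as Sigma does: "field|modifier": value.
SELECTION = {
    "CommandLine|contains": "base64",
    "Image|endswith": "\\powershell.exe",
}

# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {   # 1: inline decode of a base64 payload -> matches
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX ([Text.Encoding]::Unicode"
                       ".GetString([Convert]::FromBase64String('SQBFAFgA')))\"",
    },
    {   # 2: -EncodedCommand carries base64, but the literal word never appears -> no match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # 3: PowerShell 7 binary; Image|endswith only covers powershell.exe -> no match
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c [Convert]::FromBase64String('QQA=')",
    },
    {   # 4: base64 handling in a different process -> no match (out of scope)
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil -decode payload.b64 payload.exe",
    },
    {   # 5: mixed case in both fields -> matches, Sigma matching is case-insensitive
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.EXE",
        "CommandLine": "PowerShell.EXE -Command [System.Convert]::FromBASE64String($x)",
    },
]


def _field_matches(event, key, expected):
    """Apply one Sigma field condition ("Field" or "Field|modifier") to an event."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()   # Sigma compares case-insensitively
    expected = str(expected).lower()
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """All field conditions inside one Sigma selection map are ANDed."""
    return all(_field_matches(event, key, val) for key, val in selection.items())


def run_rule(events, selection=SELECTION):
    """Return the 1-based indexes of events the selection fires on."""
    return [i for i, event in enumerate(events, 1) if selection_matches(event, selection)]


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    print(f"matched events: {hits}")    # expected: [1, 5]
    for i in hits:
        print(f"  {i}: {SAMPLE_EVENTS[i - 1]['CommandLine']}")
```

Events 1 and 5 fire; events 2 and 3 are the two gaps worth knowing about when you tune this rule, since an `-EncodedCommand` payload and a pwsh.exe invocation are both common in the activity the Red Canary report describes but neither contains the string the selection looks for.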
Related rules
- Base64 Encoding in CMD or Powershell
- Command Shell Obfuscated Commands
- Gootloader Stage 2 Registry Key Creation
- Powershell Obfuscation and Escape Characters
- Suspicious Powershell Cmdlets