Powershell Base64 Encoding (RedCanary Threat Detection Report)
Detects the execution of powershell.exe with base64 Option. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Powershell Base64 Encoding (RedCanary Threat Detection Report)
2id: 4becc177-8fc7-40b4-aa12-ee55202bbe95
3status: experimental
4description: Detects the execution of powershell.exe with base64 Option. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/powershell/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.execution
11 - attack.t1059.001
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\powershell.exe'
18 CommandLine|contains: 'base64'
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
-
PowerShell reclaimed its place as the most prevalent technique we detected in 2023, as adversaries continue to abuse the framework.
Read More
Related rules
- Powershell Encoded Command Switch (RedCanary Threat Detection Report)
- Powershell Obfuscated Commands (RedCanary Threat Detection Report)
- Suspicious Powershell Commandlets (RedCanary Threat Detection Report)
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION