PowerShell Base64 Encoding
This analytic looks for the execution of a process that seems to be powershell.exe along with a corresponding command line containing the term base64. Base64 encoding isn’t inherently suspicious, but it’s worth looking out for in a lot of environments, and the following pseudo-detection logic can help detect a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: PowerShell Base64 Encoding
id: df33cc09-ea03-4681-bd6c-b8dba7328a84
status: experimental
description: |
  This analytic looks for the execution of a process that seems to be
  powershell.exe along with a corresponding command line containing the
  term base64. Base64 encoding isn't inherently suspicious, but it's worth
  looking out for in a lot of environments, and the following pseudo-detection
  logic can help detect a wide variety of malicious activity. Part of the
  RedCanary 2024 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
  - attack.execution
  - attack.t1059
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: 'base64'
  condition: selection
falsepositives:
  - Unknown
level: low
```
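To see what this selection does and does not match, here is an added Python evaluator (written for this page, not the rule author's code or a Sigma backend) run over constructed process-creation events. It applies Sigma's default case-insensitive matching for `endswith` and `contains`, and the sample events are assumptions shaped like the fields the rule selects on.

```python
from typing import Dict, List

# Constructed process-creation events (not real telemetry). Each one carries
# only the two fields the rule's selection inspects plus a label.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command "
                    "\"[Convert]::FromBase64String('SGVsbG8=')\""},
    {"EventID": "2",  # mixed case: Sigma matching is case-insensitive
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "CommandLine": "POWERSHELL.EXE -c [Convert]::ToBase64String([byte[]](1,2,3))"},
    {"EventID": "3",  # encoded command, but no literal 'base64' in the command line
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"EventID": "4",  # PowerShell 7 binary is pwsh.exe, not powershell.exe
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c [Convert]::FromBase64String('SGVsbG8=')"},
    {"EventID": "5",  # base64 handling by a different tool
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -decode in.b64 out.bin"},
]


def selection_matches(event: Dict[str, str]) -> bool:
    """Evaluate the rule's 'selection' block against one event.

    Sigma string modifiers (endswith, contains) compare case-insensitively
    unless the |cased modifier is used, so both fields are lower-cased first.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("\\powershell.exe") and "base64" in cmdline


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the EventIDs that satisfy 'condition: selection'."""
    return [e["EventID"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    print("Matched events:", run_rule(SAMPLE_EVENTS))  # ['1', '2']
```

Events 3 and 4 show the rule's coverage edge: `-EncodedCommand` blobs and `pwsh.exe` fall outside this selection and are left to the related rules listed below.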
Related rules
- Obfuscation and Escape Characters - Powershell
- PowerShell -encodedcommand Switch
- Obfuscated Commands - Command Shell
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION