Obfuscation and Escape Characters - Powershell

This analytic looks for the execution of a process that seems to be powershell.exe along with a corresponding command line containing the term base64. Base64 encoding isn’t inherently suspicious, but it’s worth looking out for in a lot of environments, and the following pseudo-detection logic can help detect a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Obfuscation and Escape Characters - Powershell
id: b47fccc1-8407-4fca-ae31-ef49d0ae0410
status: experimental
description: |
    This analytic looks for the execution of a process that seems to be
    powershell.exe along with a corresponding command line containing the
    term base64. Base64 encoding isn’t inherently suspicious, but it’s worth
    looking out for in a lot of environments, and the following pseudo-detection
    logic can help detect a wide variety of malicious activity. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
    condition: selection
falsepositives:
    - Unknown
level: low
```
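To see what the selection above actually fires on, here is an added Python example (not part of the rule or the Red Canary report) that applies the same `Image|endswith` check and the same regex to a few constructed process_creation events, alongside a plain character count that shows the regex is equivalent to "eight or more of `^ = % ! [ ( ;` and space". The event dictionaries, file paths and command lines are constructed for illustration.

```python
import re

# Selection taken from the Sigma rule above: the image must end with
# \powershell.exe and the command line must contain eight or more of the
# characters ^ = % ! [ ( ; and space.
COMMAND_LINE_RE = re.compile(r'^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$')
SUSPICIOUS_CHARS = set('^=%![(; ')


def count_suspicious(command_line: str) -> int:
    """Plain count of the characters the regex keys on; handy when tuning the threshold."""
    return sum(1 for ch in command_line if ch in SUSPICIOUS_CHARS)


def matches_rule(image: str, command_line: str) -> bool:
    """True when a process_creation event satisfies the rule's selection."""
    # Sigma's endswith modifier is case-insensitive by default, so normalise the image.
    # The regex is case-sensitive as written, but it contains no letters, so that is harmless.
    if not image.lower().endswith('\\powershell.exe'):
        return False
    return COMMAND_LINE_RE.match(command_line) is not None


# Constructed sample events (hypothetical, not taken from any real log).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "$x=1;$y=2;$z=$x+$y;Write-Output ($z)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    # Exactly seven suspicious characters (all spaces): one short of the threshold.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-ChildItem C:\\ -Recurse | Select-Object Name"'},
    # Plenty of suspicious characters, but the image is not powershell.exe.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c set a=1 ; set b=2 ; set c=3 ; set d=4"},
]


def run_detection(events):
    """Apply the selection to each event and return the command lines that match."""
    return [e["CommandLine"] for e in events
            if matches_rule(e["Image"], e["CommandLine"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(count_suspicious(e["CommandLine"]),
              matches_rule(e["Image"], e["CommandLine"]), e["CommandLine"])
```

Only the first event matches; the third shows the threshold boundary and the fourth shows why the `Image` clause matters, since the regex alone would fire on plain cmd.exe batch syntax.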
