Suspicious Encoded PowerShell Command Line
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
Sigma rule
title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
status: test
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
references:
    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018-09-03
modified: 2023-04-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_enc:
        CommandLine|contains: ' -e' # covers -en and -enc
    selection_cli_content:
        CommandLine|contains:
            - ' JAB'
            - ' SUVYI'
            - ' SQBFAFgA'
            - ' aQBlAHgA'
            - ' aWV4I'
            - ' IAA'
            - ' IAB'
            - ' UwB'
            - ' cwB'
    selection_standalone:
        CommandLine|contains:
            - '.exe -ENCOD '
            - ' BA^J e-' # Reversed
    filter_optional_remote_signed:
        CommandLine|contains: ' -ExecutionPolicy remotesigned '
    condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
level: high
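To show how the condition above combines its selections, here is an added example (not Sigma's engine and not part of the rule's project) that re-implements this rule's selections and condition in Python and runs it over constructed process-creation events; field names follow the rule, and the base64 strings in the sample events are constructed, not real payloads.

```python
# Added example: faithful re-implementation of this rule's selections and
# condition. Sigma string modifiers (contains/endswith) are case-insensitive
# by default, so all comparisons are done in lower case.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")
ENC_FLAG = " -e"                                   # covers -en and -enc
# Base64 fragments: ' JAB' is how a UTF-16LE '$' followed by a letter starts,
# ' SQBFAFgA' is UTF-16LE 'IEX', ' SUVYI' is ASCII 'IEX '.
CLI_CONTENT = (" jab", " suvyi", " sqbfafga", " aqblahga", " awv4i",
               " iaa", " iab", " uwb", " cwb")
STANDALONE = (".exe -encod ", " ba^j e-")          # second one is reversed
FILTER_REMOTE_SIGNED = " -executionpolicy remotesigned "

def matches_rule(event: dict) -> bool:
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    # selection_img is a list of two maps, so they are OR'ed
    selection_img = image.endswith(IMAGE_SUFFIXES) or orig in ORIGINAL_NAMES
    # "all of selection_cli_*": the flag AND a known fragment must be present
    selection_cli = ENC_FLAG in cli and any(f in cli for f in CLI_CONTENT)
    selection_standalone = any(s in cli for s in STANDALONE)
    # "not 1 of filter_optional_*": any matching filter suppresses the alert
    filtered = FILTER_REMOTE_SIGNED in cli
    return selection_img and (selection_cli or selection_standalone) and not filtered

# Constructed sample events; the base64 is made up, not a real payload
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -w hidden -enc JABhAD0AJwBoAGkAJwA="},
    {"Image": r"C:\Windows\System32\cmd.exe",          # wrong image: no alert
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo JAB -e"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", # filtered: no alert
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -ExecutionPolicy remotesigned -enc JABhAD0AJwBoAGkAJwA="},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", # standalone selection
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -ENCOD ZQBjAGgAbwA="},
]

def scan(events=SAMPLE_EVENTS) -> list:
    return [matches_rule(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, scan()):
        print("ALERT " if hit else "ok    ", e["CommandLine"])
```

Note that the third event is suppressed only because the filter string carries a trailing space before -enc, exactly as the rule's filter is written.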
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell