Suspicious Encoded PowerShell Command Line

calendar Oct 18, 2023 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)

Sigma rule (View on GitHub)

 1title: Suspicious Encoded PowerShell Command Line
 2id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
 3status: test
 4description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
 5references:
 6    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
 7author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
 8date: 2018/09/03
 9modified: 2023/04/06
10tags:
11    - attack.execution
12    - attack.t1059.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith:
19              - '\powershell.exe'
20              - '\pwsh.exe'
21        - OriginalFileName:
22              - 'PowerShell.EXE'
23              - 'pwsh.dll'
24    selection_cli_enc:
25        CommandLine|contains: ' -e' # covers -en and -enc
26    selection_cli_content:
27        CommandLine|contains:
28            - ' JAB'
29            - ' SUVYI'
30            - ' SQBFAFgA'
31            - ' aQBlAHgA'
32            - ' aWV4I'
33            - ' IAA'
34            - ' IAB'
35            - ' UwB'
36            - ' cwB'
37    selection_standalone:
38        CommandLine|contains:
39            - '.exe -ENCOD '
40            - ' BA^J e-' # Reversed
41    filter_optional_remote_signed:
42        CommandLine|contains: ' -ExecutionPolicy remotesigned '
43    condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
44level: high

References

Related rules

to-top