PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
Sigma rule

```yaml
title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
    - attack.defense-evasion
    - attack.t1140
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains: '::FromBase64String'
        # UTF-16 LE
        - CommandLine|contains:
              - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
              - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
              - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
    condition: selection
falsepositives:
    - Unknown
level: high
```
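To show where the three UTF-16 LE strings in the rule come from and how the selection behaves on a command line, here is an added Python example (not part of the rule or of the Sigma project's code). It reimplements the `base64offset` modifier as I understand its semantics, and both sample command lines are constructed for the demonstration.

```python
import base64

# Reimplementation (an assumption, not pySigma's own code) of Sigma's base64offset
# modifier: a substring's base64 form depends on its byte alignment inside the
# encoded blob, so all three alignments are derived and the characters whose bits
# also depend on unknown neighbouring bytes are stripped from each end.
def base64offset(value: bytes) -> list[str]:
    variants = []
    for shift in range(3):
        # Prepend `shift` dummy bytes so the value begins at each possible alignment.
        enc = base64.b64encode(b"\x00" * shift + value).decode("ascii")
        start = (0, 2, 3)[shift]                        # chars tainted by the dummy bytes
        end = (None, -3, -2)[(len(value) + shift) % 3]  # chars tainted by trailing bytes/padding
        variants.append(enc[start:end])
    return variants

# -EncodedCommand takes UTF-16 LE, which is why the rule derives its literals from it.
NEEDLE = "::FromBase64String"
NEEDLE_VARIANTS = base64offset(NEEDLE.encode("utf-16-le"))

def matches_rule(command_line: str) -> bool:
    """True when the rule's selection would fire: plain string or any encoded alignment."""
    return NEEDLE in command_line or any(v in command_line for v in NEEDLE_VARIANTS)

# Constructed samples: an encoded one-liner that decodes an embedded blob, and a benign command.
SCRIPT = "$d=[Convert]::FromBase64String('aGVsbG8=');[Text.Encoding]::UTF8.GetString($d)"
ENCODED_CMD = ("powershell.exe -EncodedCommand "
               + base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii"))
BENIGN_CMD = "powershell.exe -Command Get-Process | Select-Object -First 5"

if __name__ == "__main__":
    for v in NEEDLE_VARIANTS:
        print(v)                                                # the three strings in the rule
    print("encoded sample fires:", matches_rule(ENCODED_CMD))   # True
    print("benign sample fires:", matches_rule(BENIGN_CMD))     # False
```

Because only the bytes of the needle itself are kept, the derived strings match regardless of what script text surrounds `::FromBase64String`, which is the property the rule relies on.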
Related rules
- Potential BlackByte Ransomware Activity
- Suspicious XOR Encoded PowerShell Command
- Base64 Encoded PowerShell Command Detected
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe