PowerShell Base64 Encoded FromBase64String Cmdlet

calendar Oct 18, 2023 · attack.defense_evasion attack.t1140 attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

Sigma rule (View on GitHub)

 1title: PowerShell Base64 Encoded FromBase64String Cmdlet
 2id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
 3status: test
 4description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
 5references:
 6    - Internal Research
 7author: Florian Roth (Nextron Systems)
 8date: 2019/08/24
 9modified: 2023/04/06
10tags:
11    - attack.defense_evasion
12    - attack.t1140
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - CommandLine|base64offset|contains: '::FromBase64String'
21        # UTF-16 LE
22        - CommandLine|contains:
23              - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
24              - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
25              - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top