Malicious Base64 Encoded PowerShell Keywords in Command Lines

calendar Feb 12, 2024 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects base64 encoded strings used in hidden malicious PowerShell command lines

Sigma rule (View on GitHub)

 1title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
 2id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
 3status: test
 4description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
 5references:
 6    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
 7author: John Lambert (rule)
 8date: 2019/01/16
 9modified: 2023/01/05
10tags:
11    - attack.execution
12    - attack.t1059.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith:
19              - '\powershell.exe'
20              - '\pwsh.exe'
21        - OriginalFileName:
22              - 'PowerShell.EXE'
23              - 'pwsh.dll'
24    selection_hidden:
25        CommandLine|contains: ' hidden '
26    selection_encoded:
27        CommandLine|contains:
28            - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
29            - 'aXRzYWRtaW4gL3RyYW5zZmVy'
30            - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
31            - 'JpdHNhZG1pbiAvdHJhbnNmZX'
32            - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
33            - 'Yml0c2FkbWluIC90cmFuc2Zlc'
34            - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
35            - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
36            - 'JGNodW5rX3Npem'
37            - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
38            - 'RjaHVua19zaXpl'
39            - 'Y2h1bmtfc2l6Z'
40            - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
41            - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
42            - 'lPLkNvbXByZXNzaW9u'
43            - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
44            - 'SU8uQ29tcHJlc3Npb2'
45            - 'Ty5Db21wcmVzc2lvb'
46            - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
47            - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
48            - 'lPLk1lbW9yeVN0cmVhb'
49            - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
50            - 'SU8uTWVtb3J5U3RyZWFt'
51            - 'Ty5NZW1vcnlTdHJlYW'
52            - '4ARwBlAHQAQwBoAHUAbgBrA'
53            - '5HZXRDaHVua'
54            - 'AEcAZQB0AEMAaAB1AG4Aaw'
55            - 'LgBHAGUAdABDAGgAdQBuAGsA'
56            - 'LkdldENodW5r'
57            - 'R2V0Q2h1bm'
58            - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
59            - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
60            - 'RIUkVBRF9JTkZPNj'
61            - 'SFJFQURfSU5GTzY0'
62            - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
63            - 'VEhSRUFEX0lORk82N'
64            - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
65            - 'cmVhdGVSZW1vdGVUaHJlYW'
66            - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
67            - 'NyZWF0ZVJlbW90ZVRocmVhZ'
68            - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
69            - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
70            - '0AZQBtAG0AbwB2AGUA'
71            - '1lbW1vdm'
72            - 'AGUAbQBtAG8AdgBlA'
73            - 'bQBlAG0AbQBvAHYAZQ'
74            - 'bWVtbW92Z'
75            - 'ZW1tb3Zl'
76    condition: all of selection_*
77falsepositives:
78    - Unknown
79level: high

References

Related rules

to-top