Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
Sigma rule (View on GitHub)
1title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
2id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
3status: test
4description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
5references:
6 - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
7author: John Lambert (rule)
8date: 2019-01-16
9modified: 2023-01-05
10tags:
11 - attack.execution
12 - attack.t1059.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith:
19 - '\powershell.exe'
20 - '\pwsh.exe'
21 - OriginalFileName:
22 - 'PowerShell.EXE'
23 - 'pwsh.dll'
24 selection_hidden:
25 CommandLine|contains: ' hidden '
26 selection_encoded:
27 CommandLine|contains:
28 - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
29 - 'aXRzYWRtaW4gL3RyYW5zZmVy'
30 - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
31 - 'JpdHNhZG1pbiAvdHJhbnNmZX'
32 - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
33 - 'Yml0c2FkbWluIC90cmFuc2Zlc'
34 - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
35 - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
36 - 'JGNodW5rX3Npem'
37 - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
38 - 'RjaHVua19zaXpl'
39 - 'Y2h1bmtfc2l6Z'
40 - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
41 - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
42 - 'lPLkNvbXByZXNzaW9u'
43 - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
44 - 'SU8uQ29tcHJlc3Npb2'
45 - 'Ty5Db21wcmVzc2lvb'
46 - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
47 - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
48 - 'lPLk1lbW9yeVN0cmVhb'
49 - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
50 - 'SU8uTWVtb3J5U3RyZWFt'
51 - 'Ty5NZW1vcnlTdHJlYW'
52 - '4ARwBlAHQAQwBoAHUAbgBrA'
53 - '5HZXRDaHVua'
54 - 'AEcAZQB0AEMAaAB1AG4Aaw'
55 - 'LgBHAGUAdABDAGgAdQBuAGsA'
56 - 'LkdldENodW5r'
57 - 'R2V0Q2h1bm'
58 - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
59 - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
60 - 'RIUkVBRF9JTkZPNj'
61 - 'SFJFQURfSU5GTzY0'
62 - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
63 - 'VEhSRUFEX0lORk82N'
64 - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
65 - 'cmVhdGVSZW1vdGVUaHJlYW'
66 - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
67 - 'NyZWF0ZVJlbW90ZVRocmVhZ'
68 - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
69 - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
70 - '0AZQBtAG0AbwB2AGUA'
71 - '1lbW1vdm'
72 - 'AGUAbQBtAG8AdgBlA'
73 - 'bQBlAG0AbQBvAHYAZQ'
74 - 'bWVtbW92Z'
75 - 'ZW1tb3Zl'
76 condition: all of selection_*
77falsepositives:
78 - Unknown
79level: high
References
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files