PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
Sigma rule (View on GitHub)
1title: PowerShell Base64 Encoded IEX Cmdlet
2id: 88f680b8-070e-402c-ae11-d2914f2257f1
3status: test
4description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
5references:
6 - Internal Research
7author: Florian Roth (Nextron Systems)
8date: 2019-08-23
9modified: 2023-04-06
10tags:
11 - attack.execution
12 - attack.t1059.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - CommandLine|base64offset|contains:
19 - 'IEX (['
20 - 'iex (['
21 - 'iex (New'
22 - 'IEX (New'
23 - 'IEX(['
24 - 'iex(['
25 - 'iex(New'
26 - 'IEX(New'
27 - "IEX(('"
28 - "iex(('"
29 # UTF16 LE
30 - CommandLine|contains:
31 - 'SQBFAFgAIAAoAFsA'
32 - 'kARQBYACAAKABbA'
33 - 'JAEUAWAAgACgAWw'
34 - 'aQBlAHgAIAAoAFsA'
35 - 'kAZQB4ACAAKABbA'
36 - 'pAGUAeAAgACgAWw'
37 - 'aQBlAHgAIAAoAE4AZQB3A'
38 - 'kAZQB4ACAAKABOAGUAdw'
39 - 'pAGUAeAAgACgATgBlAHcA'
40 - 'SQBFAFgAIAAoAE4AZQB3A'
41 - 'kARQBYACAAKABOAGUAdw'
42 - 'JAEUAWAAgACgATgBlAHcA'
43 condition: selection
44falsepositives:
45 - Unknown
46level: high
References
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files