Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
Sigma rule

title: Suspicious Execution of Powershell with Base64
id: fb843269-508c-4b76-8b8d-88679db22ce7
status: test
description: Commandline to launch powershell with a base64 payload
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
    - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
    - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
author: frack113
date: 2022-01-02
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -e '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - ' -ec '
    filter_encoding:
        CommandLine|contains: ' -Encoding '
    filter_azure:
        ParentImage|contains:
            - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
            - '\gc_worker.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
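The following is an added example, not code from the Sigma project or this rule's author: it evaluates the rule's `selection and not 1 of filter_*` logic over a handful of constructed process_creation events, showing why the `' -Encoding '` and Azure Guest Configuration filters are needed and that a bare `-ExecutionPolicy` switch does not match the `' -e '` token. Field names mirror the rule's Sigma fields; all paths and command lines are made up.

```python
# Added example, not part of the Sigma project: evaluates the rule's
# selection and filter_* logic against constructed process_creation events.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ENCODED_FLAGS = (" -e ", " -en ", " -enc ", " -enco", " -ec ")
FILTER_ENCODING = " -encoding "
FILTER_AZURE_PARENTS = (
    "c:\\packages\\plugins\\microsoft.guestconfiguration.configurationforwindows\\",
    "\\gc_worker.exe",
)

def matches_rule(event: dict) -> bool:
    """`selection and not 1 of filter_*`; Sigma string matching is case-insensitive."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    # selection: Image|endswith (any of) AND CommandLine|contains (any of)
    selection = image.endswith(IMAGE_SUFFIXES) and any(f in cmdline for f in ENCODED_FLAGS)
    # filter_encoding: ' -Encoding ' (e.g. Out-File -Encoding UTF8) is a normal
    # cmdlet parameter that also happens to contain the ' -enco' token
    filter_encoding = FILTER_ENCODING in cmdline
    # filter_azure: the Azure Guest Configuration worker runs encoded commands
    filter_azure = any(p in parent for p in FILTER_AZURE_PARENTS)
    return selection and not (filter_encoding or filter_azure)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
GC = "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\1.0.0\\gc_worker.exe"
# Constructed events; "QQBCAEMA" is a harmless placeholder, not a real payload
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "pwsh.exe -e QQBCAEMA"},
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Content a.txt | Out-File b.txt -Encoding UTF8"},
    {"Image": PS, "ParentImage": GC,
     "CommandLine": "powershell.exe -enc QQBCAEMA"},
    {"Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"},
]

def run_detection(events):
    """Return the indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # [0, 1]
```

Only the two genuinely encoded launches fire; the Out-File and gc_worker.exe events are suppressed by the filters, and the `-ExecutionPolicy` event never matches the selection.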
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell