Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Sigma rule
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
    - attack.t1027
    - attack.defense-evasion
    - attack.t1140
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high
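The rule above has a single selection, a case-insensitive substring match on the CommandLine field of process_creation events. The following is an added example, not part of the rule or of the Sigma project, that applies that one `contains` test to a few constructed process-creation events so the match behaviour (including the mixed-case variant and the "administrative script" false-positive class) can be seen directly. The event dictionaries and command lines are constructed samples, not real telemetry.

```python
# Added example: a minimal matcher for this rule's single selection.
# Sigma string modifiers such as "contains" match case-insensitively,
# so both sides are lowercased before comparison.
RULE = {
    "title": "Base64 Encoded PowerShell Command Detected",
    "level": "high",
    "selection": {"CommandLine|contains": "::FromBase64String("},
}


def matches(rule, event):
    """Return True when every field/modifier in the selection matches."""
    for key, pattern in rule["selection"].items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, ""))  # missing field never matches
        if modifier == "contains":
            if pattern.lower() not in value.lower():
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


# Constructed sample events (hypothetical, not captured telemetry).
EVENTS = [
    # Decodes a base64 literal on the command line: fires.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"[Text.Encoding]::UTF8.GetString("
                    "[Convert]::FromBase64String('aGVsbG8='))\""},
    # Script file invocation: the decode happens inside the file, so the
    # command line itself does not match (the rule cannot see script bodies).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    # Unrelated process: no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    # Mixed-case spelling still fires because matching is case-insensitive.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -c [convert]::frombase64string('aGk=')"},
]


def run(rule, events):
    """Return the command lines of all events the rule matches."""
    return [e["CommandLine"] for e in events if matches(rule, e)]


if __name__ == "__main__":
    for hit in run(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {hit}")
```

Events from "administrative script libraries" that decode base64 on the command line will match exactly like the first sample, which is why the rule lists them as a false positive; tuning belongs in a filter on Image or ParentImage rather than in the selection string.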
Related rules
- Suspicious XOR Encoded PowerShell Command
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module