Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Sigma rule (View on GitHub)
1title: Base64 Encoded PowerShell Command Detected
2id: e32d4572-9826-4738-b651-95fa63747e8a
3status: test
4description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
5references:
6 - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
7author: Florian Roth (Nextron Systems)
8date: 2020/01/29
9modified: 2023/01/26
10tags:
11 - attack.t1027
12 - attack.defense_evasion
13 - attack.t1140
14 - attack.t1059.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 CommandLine|contains: '::FromBase64String('
21 condition: selection
22falsepositives:
23 - Administrative script libraries
24level: high
References
-
Learning Aid - Top Base64 Encodings Table. GitHub Gist: instantly share code, notes, and snippets.
Read More
Related rules
- PowerShell -encodedcommand Switch
- Base64 Encoding in CMD or Powershell
- PowerShell Base64 Encoding
- Potential Winnti Dropper Activity
- NTFS Alternate Data Stream