Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Sigma rule (View on GitHub)
1title: Base64 Encoded PowerShell Command Detected
2id: e32d4572-9826-4738-b651-95fa63747e8a
3status: test
4description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
5references:
6 - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
7author: Florian Roth (Nextron Systems)
8date: 2020-01-29
9modified: 2023-01-26
10tags:
11 - attack.t1027
12 - attack.defense-evasion
13 - attack.execution
14 - attack.t1140
15 - attack.t1059.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains: '::FromBase64String('
22 condition: selection
23falsepositives:
24 - Administrative script libraries
25level: high
References
-
Learning Aid - Top Base64 Encodings Table. GitHub Gist: instantly share code, notes, and snippets.
Read More
Related rules
- Suspicious XOR Encoded PowerShell Command
- Potential BlackByte Ransomware Activity
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell