Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: 'PowerShell.EXE'
OriginalFileName: 'pwsh.dll'
Stage 2: all of selection_hidden
CommandLine|contains: ' hidden '
Stage 3: all of selection_encoded
or:
CommandLine|contains: '0AZQBtAG0AbwB2AGUA'
CommandLine|contains: '1lbW1vdm'
CommandLine|contains: '4ARwBlAHQAQwBoAHUAbgBrA'
CommandLine|contains: '5HZXRDaHVua'
CommandLine|contains: 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
CommandLine|contains: 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
CommandLine|contains: 'AEcAZQB0AEMAaAB1AG4Aaw'
CommandLine|contains: 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
CommandLine|contains: 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
CommandLine|contains: 'AGUAbQBtAG8AdgBlA'
CommandLine|contains: 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
CommandLine|contains: 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
CommandLine|contains: 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
CommandLine|contains: 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
CommandLine|contains: 'JGNodW5rX3Npem'
CommandLine|contains: 'JpdHNhZG1pbiAvdHJhbnNmZX'
CommandLine|contains: 'LgBHAGUAdABDAGgAdQBuAGsA'
CommandLine|contains: 'LkdldENodW5r'
CommandLine|contains: 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
CommandLine|contains: 'NyZWF0ZVJlbW90ZVRocmVhZ'
CommandLine|contains: 'Q3JlYXRlUmVtb3RlVGhyZWFk'
CommandLine|contains: 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
CommandLine|contains: 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
CommandLine|contains: 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
CommandLine|contains: 'R2V0Q2h1bm'
CommandLine|contains: 'RIUkVBRF9JTkZPNj'
CommandLine|contains: 'RjaHVua19zaXpl'
CommandLine|contains: 'SFJFQURfSU5GTzY0'
CommandLine|contains: 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
CommandLine|contains: 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
CommandLine|contains: 'SU8uQ29tcHJlc3Npb2'
CommandLine|contains: 'SU8uTWVtb3J5U3RyZWFt'
CommandLine|contains: 'Ty5Db21wcmVzc2lvb'
CommandLine|contains: 'Ty5NZW1vcnlTdHJlYW'
CommandLine|contains: 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
CommandLine|contains: 'VEhSRUFEX0lORk82N'
CommandLine|contains: 'Y2h1bmtfc2l6Z'
CommandLine|contains: 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
CommandLine|contains: 'Yml0c2FkbWluIC90cmFuc2Zlc'
CommandLine|contains: 'ZW1tb3Zl'
CommandLine|contains: 'aXRzYWRtaW4gL3RyYW5zZmVy'
CommandLine|contains: 'bQBlAG0AbQBvAHYAZQ'
CommandLine|contains: 'bWVtbW92Z'
CommandLine|contains: 'cmVhdGVSZW1vdGVUaHJlYW'
CommandLine|contains: 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
CommandLine|contains: 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
CommandLine|contains: 'lPLk1lbW9yeVN0cmVhb'
CommandLine|contains: 'lPLkNvbXByZXNzaW9u'
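The Stage 3 values are not random: each is one PowerShell keyword encoded in base64 at one of the three possible alignments within a 3-byte group, in both UTF-16LE (the form `-EncodedCommand` carries) and UTF-8, with the alignment-dependent characters trimmed off. The following Python is an added example, not part of the rule or the catalog: it regenerates the 48 values from the decoded keywords and emulates the rule's three selections against constructed Sysmon process-creation records. The keyword list, the helper names and the sample records are assumptions made here.

```python
import base64

# Keywords recovered by decoding the rule's 48 values (constructed; the rule ships only encoded forms).
KEYWORDS = ["bitsadmin /transfer", "$chunk_size", "CreateRemoteThread", ".GetChunk",
            "IO.Compression", "IO.MemoryStream", "memmove", "THREAD_INFO64"]
ENCODINGS = ("utf-16-le", "utf-8")  # -EncodedCommand is UTF-16LE; UTF-8 covers plain-text blobs

def b64_fragments(keyword: str, encoding: str) -> set[str]:
    """One base64 substring of keyword per start alignment (0, 1 or 2 bytes into a
    3-byte group). Encode with that many dummy bytes in front, drop the leading
    chars that depend on them (a whole group at offset 2, as the rule's values do)
    and the trailing char that shares bits with whatever byte follows the keyword."""
    raw = keyword.encode(encoding)
    fragments = set()
    for offset in range(3):
        text = base64.b64encode(b"\x00" * offset + raw).decode().rstrip("=")
        text = text[(0, 2, 4)[offset]:]
        if (offset + len(raw)) % 3:  # partial final group: last char is unstable
            text = text[:-1]
        fragments.add(text)
    return fragments

def rule_values() -> set[str]:
    """Regenerate the 48 CommandLine|contains values of selection_encoded."""
    return {f for kw in KEYWORDS for enc in ENCODINGS for f in b64_fragments(kw, enc)}

def matches_rule(event: dict) -> bool:
    """Emulate the rule on a Sysmon event 1 record; Sigma matching is case-insensitive."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    sel_img = image.endswith(("\\powershell.exe", "\\pwsh.exe")) or ofn in ("powershell.exe", "pwsh.dll")
    sel_hidden = " hidden " in cmd
    sel_encoded = any(v.lower() in cmd for v in rule_values())
    return sel_img and sel_hidden and sel_encoded

def encoded_command(script: str) -> str:
    """Base64 of the UTF-16LE script text, the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed Sysmon event 1 records, not real captures. In SUSPICIOUS the keyword
# starts 26 bytes into the stream (26 % 3 == 2), so only the offset-2 fragment hits.
SUSPICIOUS = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "OriginalFileName": "PowerShell.EXE",
    "CommandLine": "powershell.exe -w hidden -enc "
                   + encoded_command("Write-Output CreateRemoteThread"),
}
BENIGN = dict(SUSPICIOUS, CommandLine="powershell.exe -w hidden -enc "
                                      + encoded_command("Get-Date"))
```

Because every fragment is only matched as a substring, the rule fires regardless of where the keyword sits in the encoded script, which is why three values per keyword and encoding are needed.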
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | ' hidden ' and the 48 base64 substrings listed under Stage 3 |
| Image | ends_with | '\powershell.exe', '\pwsh.exe' |
| OriginalFileName | eq | 'PowerShell.EXE', 'pwsh.dll' |