Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

PowerShell Base64 Encoded Invoke Keyword

Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Martin Mueller, Harjot SinghCreated Fri May 20Updated Thu Apr 066385697e-9f1b-40bd-8817-f4a91f40508ewindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_enc:
        CommandLine|contains: ' -e'
    selection_cli_invoke:
        CommandLine|contains:
            # Invoke-
            # UTF-16LE
            - 'SQBuAHYAbwBrAGUALQ'
            - 'kAbgB2AG8AawBlAC0A'
            - 'JAG4AdgBvAGsAZQAtA'
            # UTF-8
            - 'SW52b2tlL'
            - 'ludm9rZS'
            - 'JbnZva2Ut'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
thedfirreport.com
MITRE ATT&CK
Related Rules
Similar

fd6e2919-3936-40c9-99db-0aa922c356f7

Rule not found
Rule Metadata
Rule ID
6385697e-9f1b-40bd-8817-f4a91f40508e
Status
test
Level
high
Type
Detection
Created
Fri May 20
Modified
Thu Apr 06
Author
Martin Mueller, Harjot Singh
Path
rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
Raw Tags
attack.executionattack.t1059.001attack.defense-evasionattack.t1027
View on GitHub