Detectionhightest

Suspicious Encoded PowerShell Command Line

Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.communityCreated Mon Sep 03Updated Thu Apr 06ca2092a1-c273-4878-9b4b-0d60115bf5eawindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_enc:
        CommandLine|contains: ' -e' # covers -en and -enc
    selection_cli_content:
        CommandLine|contains:
            - ' JAB'
            - ' SUVYI'
            - ' SQBFAFgA'
            - ' aQBlAHgA'
            - ' aWV4I'
            - ' IAA'
            - ' IAB'
            - ' UwB'
            - ' cwB'
    selection_standalone:
        CommandLine|contains:
            - '.exe -ENCOD '
            - ' BA^J e-' # Reversed
    filter_optional_remote_signed:
        CommandLine|contains: ' -ExecutionPolicy remotesigned '
    condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*