Detectionhightest

Base64 Encoded PowerShell Command Detected

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Wed Jan 29Updated Thu Jan 26e32d4572-9826-4738-b651-95fa63747e8awindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection

False Positives

Administrative script libraries

References

MITRE ATT&CK

Tactics

Techniques

Sub-techniques

Rule Metadata

Rule ID

e32d4572-9826-4738-b651-95fa63747e8a

Status

test

Level

high

Type

Detection

Created

Wed Jan 29

Modified

Thu Jan 26

Author

Path

rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml

Raw Tags

attack.t1027attack.defense-evasionattack.executionattack.t1140attack.t1059.001