Malicious Base64 Encoded PowerShell Keywords in Command Lines

Status: test
Severity: high
Log source: product windows, category process_creation
Author: John Lambert (rule)
Source: github.com/SigmaHQ/sigma

Detects base64 encoded strings used in hidden malicious PowerShell command lines

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell

Event coverage

Provider	Event	Title
Sysmon	Event ID 1	Process creation

Rule body yaml

title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
references:
    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_hidden:
        CommandLine|contains: ' hidden '
    selection_encoded:
        CommandLine|contains:
            - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
            - 'aXRzYWRtaW4gL3RyYW5zZmVy'
            - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
            - 'JpdHNhZG1pbiAvdHJhbnNmZX'
            - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
            - 'Yml0c2FkbWluIC90cmFuc2Zlc'
            - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
            - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
            - 'JGNodW5rX3Npem'
            - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
            - 'RjaHVua19zaXpl'
            - 'Y2h1bmtfc2l6Z'
            - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
            - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
            - 'lPLkNvbXByZXNzaW9u'
            - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
            - 'SU8uQ29tcHJlc3Npb2'
            - 'Ty5Db21wcmVzc2lvb'
            - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
            - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
            - 'lPLk1lbW9yeVN0cmVhb'
            - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
            - 'SU8uTWVtb3J5U3RyZWFt'
            - 'Ty5NZW1vcnlTdHJlYW'
            - '4ARwBlAHQAQwBoAHUAbgBrA'
            - '5HZXRDaHVua'
            - 'AEcAZQB0AEMAaAB1AG4Aaw'
            - 'LgBHAGUAdABDAGgAdQBuAGsA'
            - 'LkdldENodW5r'
            - 'R2V0Q2h1bm'
            - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
            - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
            - 'RIUkVBRF9JTkZPNj'
            - 'SFJFQURfSU5GTzY0'
            - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
            - 'VEhSRUFEX0lORk82N'
            - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
            - 'cmVhdGVSZW1vdGVUaHJlYW'
            - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
            - 'NyZWF0ZVJlbW90ZVRocmVhZ'
            - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
            - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
            - '0AZQBtAG0AbwB2AGUA'
            - '1lbW1vdm'
            - 'AGUAbQBtAG8AdgBlA'
            - 'bQBlAG0AbQBvAHYAZQ'
            - 'bWVtbW92Z'
            - 'ZW1tb3Zl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: `condition`

all of selection_*

Stage 1: `selection_img`

selection_img:
    - Image|endswith:
          - '\powershell.exe'
          - '\pwsh.exe'
    - OriginalFileName:
          - 'PowerShell.EXE'
          - 'pwsh.dll'

Stage 2: `selection_hidden`

selection_hidden:
    CommandLine|contains: ' hidden '

Stage 3: `selection_encoded`

selection_encoded:
    CommandLine|contains:
        - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
        - 'aXRzYWRtaW4gL3RyYW5zZmVy'
        - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
        - 'JpdHNhZG1pbiAvdHJhbnNmZX'
        - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
        - 'Yml0c2FkbWluIC90cmFuc2Zlc'
        - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
        - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
        - 'JGNodW5rX3Npem'
        - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
        - 'RjaHVua19zaXpl'
        - 'Y2h1bmtfc2l6Z'
        - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
        - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
        - 'lPLkNvbXByZXNzaW9u'
        - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
        - 'SU8uQ29tcHJlc3Npb2'
        - 'Ty5Db21wcmVzc2lvb'
        - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
        - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
        - 'lPLk1lbW9yeVN0cmVhb'
        - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
        - 'SU8uTWVtb3J5U3RyZWFt'
        - 'Ty5NZW1vcnlTdHJlYW'
        - '4ARwBlAHQAQwBoAHUAbgBrA'
        - '5HZXRDaHVua'
        - 'AEcAZQB0AEMAaAB1AG4Aaw'
        - 'LgBHAGUAdABDAGgAdQBuAGsA'
        - 'LkdldENodW5r'
        - 'R2V0Q2h1bm'
        - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
        - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
        - 'RIUkVBRF9JTkZPNj'
        - 'SFJFQURfSU5GTzY0'
        - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
        - 'VEhSRUFEX0lORk82N'
        - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
        - 'cmVhdGVSZW1vdGVUaHJlYW'
        - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
        - 'NyZWF0ZVJlbW90ZVRocmVhZ'
        - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
        - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
        - '0AZQBtAG0AbwB2AGUA'
        - '1lbW1vdm'
        - 'AGUAbQBtAG8AdgBlA'
        - 'bQBlAG0AbQBvAHYAZQ'
        - 'bWVtbW92Z'
        - 'ZW1tb3Zl'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`hidden` `0AZQBtAG0AbwB2AGUA` `1lbW1vdm` `4ARwBlAHQAQwBoAHUAbgBrA` `5HZXRDaHVua` `AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A` `AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ` `AEcAZQB0AEMAaAB1AG4Aaw` `AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A` `AGMAaAB1AG4AawBfAHMAaQB6AGUA` `AGUAbQBtAG8AdgBlA` `AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA` `AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA` `IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA` `JABjAGgAdQBuAGsAXwBzAGkAegBlA` `JGNodW5rX3Npem` `JpdHNhZG1pbiAvdHJhbnNmZX` `LgBHAGUAdABDAGgAdQBuAGsA` `LkdldENodW5r` `MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA` `NyZWF0ZVJlbW90ZVRocmVhZ` `Q3JlYXRlUmVtb3RlVGhyZWFk` `QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA` `QAYwBoAHUAbgBrAF8AcwBpAHoAZQ` `QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA` `R2V0Q2h1bm` `RIUkVBRF9JTkZPNj` `RjaHVua19zaXpl` `SFJFQURfSU5GTzY0` `SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA` `SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A` `SU8uQ29tcHJlc3Npb2` `SU8uTWVtb3J5U3RyZWFt` `Ty5Db21wcmVzc2lvb` `Ty5NZW1vcnlTdHJlYW` `VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA` `VEhSRUFEX0lORk82N` `Y2h1bmtfc2l6Z` `YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg` `Yml0c2FkbWluIC90cmFuc2Zlc` `ZW1tb3Zl` `aXRzYWRtaW4gL3RyYW5zZmVy` `bQBlAG0AbQBvAHYAZQ` `bWVtbW92Z` `cmVhdGVSZW1vdGVUaHJlYW` `kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA` `kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg` `lPLk1lbW9yeVN0cmVhb` `lPLkNvbXByZXNzaW9u`
`Image`	ends_with	`\powershell.exe` corpus 182 (sigma 182) `\pwsh.exe` corpus 168 (sigma 168)
`OriginalFileName`	eq	`PowerShell.EXE` corpus 120 (sigma 84, splunk 30, elastic 6) `pwsh.dll` corpus 112 (sigma 79, splunk 30, elastic 3)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Malicious Base64 Encoded PowerShell Keywords in Command Lines

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection_img`

Stage 2: `selection_hidden`

Stage 3: `selection_encoded`

Indicators

Keyboard shortcuts

Search operators

Malicious Base64 Encoded PowerShell Keywords in Command Lines

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection_img

Stage 2: selection_hidden

Stage 3: selection_encoded

Indicators

Stage 0: `condition`

Stage 1: `selection_img`

Stage 2: `selection_hidden`

Stage 3: `selection_encoded`