
PowerShell Base64 Encoded IEX Cmdlet

Status: test
Severity: high
Log source: product windows, category process_creation
Author: Florian Roth (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects usage of a base64 encoded "IEX" cmdlet in a process command line

Rule body (yaml)

title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains:
              - 'IEX (['
              - 'iex (['
              - 'iex (New'
              - 'IEX (New'
              - 'IEX(['
              - 'iex(['
              - 'iex(New'
              - 'IEX(New'
              - "IEX(('"
              - "iex(('"
        # UTF16 LE
        - CommandLine|contains:
              - 'SQBFAFgAIAAoAFsA'
              - 'kARQBYACAAKABbA'
              - 'JAEUAWAAgACgAWw'
              - 'aQBlAHgAIAAoAFsA'
              - 'kAZQB4ACAAKABbA'
              - 'pAGUAeAAgACgAWw'
              - 'aQBlAHgAIAAoAE4AZQB3A'
              - 'kAZQB4ACAAKABOAGUAdw'
              - 'pAGUAeAAgACgATgBlAHcA'
              - 'SQBFAFgAIAAoAE4AZQB3A'
              - 'kARQBYACAAKABOAGUAdw'
              - 'JAEUAWAAgACgATgBlAHcA'
    condition: selection
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    - CommandLine|base64offset|contains:
          - 'IEX (['
          - 'iex (['
          - 'iex (New'
          - 'IEX (New'
          - 'IEX(['
          - 'iex(['
          - 'iex(New'
          - 'IEX(New'
          - "IEX(('"
          - "iex(('"
    - CommandLine|contains:
          - 'SQBFAFgAIAAoAFsA'
          - 'kARQBYACAAKABbA'
          - 'JAEUAWAAgACgAWw'
          - 'aQBlAHgAIAAoAFsA'
          - 'kAZQB4ACAAKABbA'
          - 'pAGUAeAAgACgAWw'
          - 'aQBlAHgAIAAoAE4AZQB3A'
          - 'kAZQB4ACAAKABOAGUAdw'
          - 'pAGUAeAAgACgATgBlAHcA'
          - 'SQBFAFgAIAAoAE4AZQB3A'
          - 'kARQBYACAAKABOAGUAdw'
          - 'JAEUAWAAgACgATgBlAHcA'
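The selection above (rule body and stage breakdown) mixes two ways of matching an encoded "IEX": the `base64offset` modifier, which expands each plaintext into the three base64 fragments that survive any 3-byte alignment, and a hand-listed block of UTF-16LE fragments. The example below is added here and is not code from the SigmaHQ project or the rule author. It reimplements the `base64offset` expansion (same slicing offsets pySigma uses), goes beyond the rule by deriving the UTF-16LE block from four of the plaintexts instead of listing it, and evaluates the selection against constructed command lines. The sample command lines, the helper names (`base64offset`, `rule_matches`, `evaluate_samples`) and the harmless `Write-Host` payloads are all constructed for the example.

```python
"""Added example, not code from the SigmaHQ project or the rule author.

Reproduces what the Sigma `base64offset` modifier expands a value to, shows
that the rule's UTF-16LE literals are exactly that expansion of four of its
plaintexts, and evaluates the selection against constructed command lines.
"""
import base64

# Slicing offsets for the three alignments of a value inside base64 input.
# Prepending i filler bytes moves the value to position i of a 3-byte group;
# the leading characters influenced by the filler and the trailing characters
# influenced by whatever follows the value are cut off.
START = (0, 2, 3)
END = (None, -3, -2)


def base64offset(value: str, encoding: str = "utf-8") -> list[str]:
    """Fragments that match `value` wherever it sits in a base64 blob."""
    raw = value.encode(encoding)
    out = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + raw).decode("ascii")
        out.append(enc[START[i]:END[(len(raw) + i) % 3]])
    return out


# Values copied from the rule body.
BASE64OFFSET_VALUES = ["IEX ([", "iex ([", "iex (New", "IEX (New", "IEX([",
                       "iex([", "iex(New", "IEX(New", "IEX(('", "iex(('"]
UTF16_LITERALS = [
    "SQBFAFgAIAAoAFsA", "kARQBYACAAKABbA", "JAEUAWAAgACgAWw",
    "aQBlAHgAIAAoAFsA", "kAZQB4ACAAKABbA", "pAGUAeAAgACgAWw",
    "aQBlAHgAIAAoAE4AZQB3A", "kAZQB4ACAAKABOAGUAdw", "pAGUAeAAgACgATgBlAHcA",
    "SQBFAFgAIAAoAE4AZQB3A", "kARQBYACAAKABOAGUAdw", "JAEUAWAAgACgATgBlAHcA",
]


def generated_utf16_patterns() -> set[str]:
    """Regenerate the rule's hand-listed UTF-16LE block from its plaintexts."""
    out: set[str] = set()
    for v in ("IEX ([", "iex ([", "iex (New", "IEX (New"):
        out.update(base64offset(v, "utf-16le"))
    return out


def selection_patterns() -> list[str]:
    """Everything the `selection` block asks `CommandLine` to contain."""
    pats = [p for v in BASE64OFFSET_VALUES for p in base64offset(v)]
    return pats + UTF16_LITERALS


def rule_matches(command_line: str) -> bool:
    """Case-sensitive `contains`; most Sigma backends compare case-insensitively."""
    return any(p in command_line for p in selection_patterns())


def encoded_command(script: str) -> str:
    """Constructed sample: -EncodedCommand carries the UTF-16LE script as base64."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell.exe -EncodedCommand " + blob


def evaluate_samples() -> dict[str, bool]:
    """Constructed command lines; every payload is a harmless Write-Host."""
    utf8_blob = base64.b64encode(
        b"xyz;IEX (New-Object System.String 'hi')").decode("ascii")
    samples = {
        # 'IEX ([' starts at byte 0, so the alignment-0 literal appears
        "utf16_aligned": encoded_command("IEX ([string]'Write-Host hi')"),
        # 5-char prefix = 10 bytes, 10 % 3 == 1, so the alignment-1 literal appears
        "utf16_shifted": encoded_command("$a=1;IEX ([string]'Write-Host hi')"),
        # UTF-8 base64 blob with a 4-byte prefix: alignment 1 of 'IEX (New'
        "utf8_blob": 'powershell.exe -Command "$s=\'' + utf8_blob + '\'"',
        # plaintext IEX is out of scope for this rule (other rules cover it)
        "plain_iex": "powershell.exe -Command \"IEX ([string]'Write-Host hi')\"",
        "benign": "powershell.exe -Command Get-Process",
    }
    return {name: rule_matches(cl) for name, cl in samples.items()}


if __name__ == "__main__":
    print(base64offset("IEX ([", "utf-16le"))
    print(generated_utf16_patterns() == set(UTF16_LITERALS))
    print(evaluate_samples())
```

Two points worth taking from running it. First, `generated_utf16_patterns()` equals the rule's literal list exactly, which explains why the second block exists: `base64offset` only encodes its value as UTF-8, so the UTF-16LE form that `-EncodedCommand` uses had to be listed by hand here (newer Sigma rules chain the `utf16le` modifier in front of `base64offset` instead). Second, `plain_iex` does not match: this rule is scoped to the encoded form, and an unencoded `IEX (` on the command line needs a different rule.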

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: CommandLine
Kind: match
Values:
  • IEX (New  (transforms: base64offset)
  • IEX ([  (transforms: base64offset)
  • IEX(('  (transforms: base64offset)
  • IEX(New  (transforms: base64offset)
  • IEX([  (transforms: base64offset)
  • JAEUAWAAgACgATgBlAHcA
  • JAEUAWAAgACgAWw
  • SQBFAFgAIAAoAE4AZQB3A
  • SQBFAFgAIAAoAFsA
  • aQBlAHgAIAAoAE4AZQB3A
  • aQBlAHgAIAAoAFsA
  • iex (New  (transforms: base64offset)
  • iex ([  (transforms: base64offset)
  • iex(('  (transforms: base64offset)
  • iex(New  (transforms: base64offset)
  • iex([  (transforms: base64offset)
  • kARQBYACAAKABOAGUAdw
  • kARQBYACAAKABbA
  • kAZQB4ACAAKABOAGUAdw
  • kAZQB4ACAAKABbA
  • pAGUAeAAgACgATgBlAHcA
  • pAGUAeAAgACgAWw