Detection rules › Splunk
Powershell Fileless Script Contains Base64 Encoded Content
The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of FromBase64String. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Stealth | T1027 Obfuscated Files or Information |
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body splunk
name: Powershell Fileless Script Contains Base64 Encoded Content
id: 8acbc04c-c882-11eb-b060-acde48001122
version: 20
creation_date: '2021-06-09'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.
data_source:
- Powershell Script Block Logging 4104
search: "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\"\n | fillnull\n | stats count min(_time) as firstTime max(_time) as lastTime\n BY dest signature signature_id\n user_id vendor_product EventID\n Guid Opcode Name\n Path ProcessID ScriptBlockId\n ScriptBlockText\n | `security_content_ctime(firstTime)`\n | `security_content_ctime(lastTime)`\n | `powershell_fileless_script_contains_base64_encoded_content_filter`"
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: False positives should be limited. Filter as needed.
references:
- https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: '0'
finding:
title: A suspicious powershell script contains base64 command on host $dest$
entity:
field: dest
type: system
score: 50
analytic_story:
- Winter Vivern
- Malicious PowerShell
- Medusa Ransomware
- Data Destruction
- NjRAT
- AsyncRAT
- Hermetic Wiper
- IcedID
- XWorm
- 0bj3ctivity Stealer
- APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
- Hellcat Ransomware
- Microsoft WSUS CVE-2025-59287
- NetSupport RMM Tool Abuse
- MuddyWater
- Axios Supply Chain Post Compromise
- VIP Keylogger
asset_type: Endpoint
mitre_attack_id:
- T1027
- T1059.001
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: XmlWinEventLog
test_type: unit
Stages and Predicates
Stage 1: search
`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*"
Stage 2: fillnull
| fillnull
Stage 3: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
Stage 4: search
| `security_content_ctime(firstTime)`
Stage 5: search
| `security_content_ctime(lastTime)`
Stage 6: search
| `powershell_fileless_script_contains_base64_encoded_content_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ScriptBlockText | eq |
|