rules/windows/process_creation/proc_creation_win_powershell_encode.yml

title: Suspicious Execution of Powershell with Base64
id: fb843269-508c-4b76-8b8d-88679db22ce7
status: test
description: Commandline to launch powershell with a base64 payload
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
    - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
    - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
author: frack113
date: 2022-01-02
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - \powershell.exe
            - \pwsh.exe
        CommandLine|contains:
            - ' -e '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - ' -ec '
    filter_encoding:
        CommandLine|contains: ' -Encoding '
    filter_azure:
        ParentImage|contains:
            - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
            - '\gc_worker.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
chore: test rules: reactivate single value list check 2022-05-10 17:12:43 +02:00			`title: Suspicious Execution of Powershell with Base64`
$frack113$ Windows Redcannary 2022-01-02 10:36:52 +01:00			`id: fb843269-508c-4b76-8b8d-88679db22ce7`
Merge PR #4533 from @nasbench - Promote `experimental` rules 2023-11-02 10:48:45 +01:00			`status: test`
Fix a lot of typos in rules text and comments #Part 3 (#3446 ) 2022-08-30 08:21:25 +02:00			`description: Commandline to launch powershell with a base64 payload`
$frack113$ Windows Redcannary 2022-01-02 10:36:52 +01:00			`references:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets`
Update win_pc_susp_powershell_encode.yml 2022-01-02 15:51:55 +01:00			`- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/`
			`- https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`author: frack113`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-01-02`
			`modified: 2023-01-05`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
$frack113$ Windows Redcannary 2022-01-02 10:36:52 +01:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
New Rules + Update 2022-07-14 17:35:50 +01:00			`Image\|endswith:`
			`- \powershell.exe`
			`- \pwsh.exe`
Update win_pc_susp_powershell_encode.yml 2022-01-02 15:51:55 +01:00			`CommandLine\|contains:`
			`- ' -e '`
			`- ' -en '`
			`- ' -enc '`
			`- ' -enco'`
fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2 2022-02-10 15:59:07 +01:00			`- ' -ec '`
feat: updates and enhancements 2023-01-06 16:35:34 +01:00			`filter_encoding:`
chore: test rules: reactivate single value list check 2022-05-10 17:12:43 +02:00			`CommandLine\|contains: ' -Encoding '`
fix: FPs with Azure hosts 2022-09-26 23:52:48 +02:00			`filter_azure:`
			`ParentImage\|contains:`
			`- 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'`
			`- '\gc_worker.exe'`
feat: updates and enhancements 2023-01-06 16:35:34 +01:00			`condition: selection and not 1 of filter_*`
$frack113$ Windows Redcannary 2022-01-02 10:36:52 +01:00			`falsepositives:`
			`- Unknown`
			`level: medium`