title: FromBase64String Command Line
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects suspicious FromBase64String expressions in command line arguments
author: Florian Roth
references:
  - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
date: 2020/01/29
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: '::FromBase64String('
  condition: selection
falsepositives:
  - Administrative script libraries
level: high
tags:
  - attack.t1027
  - attack.defense_evasion
  - attack.t1140
  - attack.t1059.001