title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
description: Detects suspicious PowerShell process starts with base64-encoded commands (e.g. Emotet)
status: experimental
references:
    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth, Markus Neis
date: 2018/09/03
modified: 2019/12/16
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -e'
            - ' -en'
            - ' -enc'
            - ' -w hidden -e'
    selection2:   # keyword list: 'JAB' is how a leading '$' encodes in UTF-16LE base64
        - 'JAB'
    selection3:
        - '-e'
        - '-enc'
    selection4:   # keyword list: 'IEX' / 'iex ' encoded as ASCII (SUVYI, aWV4I) and as UTF-16LE (SQBFAFgA, aQBlAHgA) base64
        - ' BA^J'
        - ' SUVYI'
        - ' aWV4I'
        - ' SQBFAFgA'
        - ' aQBlAHgA'
    falsepositive1:
        CommandLine|contains: ' -ExecutionPolicy remotesigned '
    # Sigma binds `and` tighter than `or`: the falsepositive1 exclusion applies only to the
    # (selection3 and selection4) branch, not to (selection and selection2).
    condition: (selection and selection2) or (selection3 and selection4) and not falsepositive1
level: high
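To see what the rule actually fires on, the following added example (not part of the Sigma rule or the Sigma project's code) re-implements the condition in Python with Sigma's semantics (case-insensitive `contains`, `and` binding tighter than `or`) and runs it over constructed PowerShell command lines. It simplifies the keyword lists (selection2 to selection4) to substring matches on CommandLine only, where Sigma would search every field. The sample events, the `encode_powershell` and `decode_encoded_command` helpers and the `ENC_SWITCH` pattern are the example's own; the value lists are copied from the rule above.

```python
import base64
import re

# Value lists copied from the rule. Sigma string matching is case-insensitive
# by default, so everything is compared in lower case.
SELECTION = [' -e', ' -en', ' -enc', ' -w hidden -e']          # encoded-command switches
SELECTION2 = ['JAB']                                          # leading '$' in UTF-16LE base64
SELECTION3 = ['-e', '-enc']
SELECTION4 = [' BA^J', ' SUVYI', ' aWV4I', ' SQBFAFgA', ' aQBlAHgA']  # IEX/iex, ASCII and UTF-16LE
FALSEPOSITIVE1 = [' -ExecutionPolicy remotesigned ']


def contains_any(command_line, needles):
    """Case-insensitive substring match, mirroring Sigma's default `contains`."""
    hay = command_line.lower()
    return any(n.lower() in hay for n in needles)


def rule_matches(command_line):
    """Evaluate the rule's condition exactly as Sigma parses it.

    Sigma gives `and` higher precedence than `or`, so the written condition
        (selection and selection2) or (selection3 and selection4) and not falsepositive1
    means the falsepositive1 exclusion only qualifies the second branch.
    """
    sel1 = contains_any(command_line, SELECTION)
    sel2 = contains_any(command_line, SELECTION2)
    sel3 = contains_any(command_line, SELECTION3)
    sel4 = contains_any(command_line, SELECTION4)
    fp1 = contains_any(command_line, FALSEPOSITIVE1)
    return (sel1 and sel2) or (sel3 and sel4 and not fp1)


def encode_powershell(script, utf16=True):
    """Build the base64 blob -EncodedCommand expects (UTF-16LE), or an ASCII variant."""
    raw = script.encode('utf-16-le') if utf16 else script.encode('ascii')
    return base64.b64encode(raw).decode('ascii')


# Hypothetical triage pattern: the base64 token following -e / -en / -enc / -EncodedCommand.
ENC_SWITCH = re.compile(r'\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def decode_encoded_command(command_line):
    """Pull the encoded payload out of a matching command line and decode it as UTF-16LE.

    Returns None when there is no encoded switch or the blob is not valid UTF-16LE.
    """
    m = ENC_SWITCH.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample command lines (not real telemetry).
DROPPER = "$a='x';IEX $a"
SAMPLE_EVENTS = {
    # Emotet-style: hidden window, UTF-16LE payload whose leading '$' encodes to 'JAB'
    'encoded_dollar': 'powershell.exe -w hidden -enc ' + encode_powershell(DROPPER),
    # ASCII-encoded IEX stager ('IEX ' -> 'SUVYI'), matched by the second branch
    'ascii_iex': 'powershell.exe -e ' + encode_powershell('IEX (New-Object Net.WebClient)', utf16=False),
    # Admin script: ' -e' hits on -ExecutionPolicy, but neither payload marker is present
    'remotesigned_file': r'powershell.exe -ExecutionPolicy remotesigned -File C:\ops\deploy.ps1',
    # The exclusion in action: selection3+selection4 match, falsepositive1 suppresses it
    'remotesigned_iex': 'powershell.exe -ExecutionPolicy remotesigned -e '
                        + encode_powershell('IEX (Get-Content x)', utf16=False),
    # Precedence gap: the first branch fires regardless of falsepositive1
    'remotesigned_jab': 'powershell.exe -ExecutionPolicy remotesigned -enc ' + encode_powershell(DROPPER),
    'benign': r'powershell.exe -NoProfile -File C:\ops\inventory.ps1',
}


def evaluate(events=SAMPLE_EVENTS):
    """Run the rule over every sample and return {name: matched}."""
    return {name: rule_matches(cmd) for name, cmd in events.items()}


if __name__ == '__main__':
    for name, hit in evaluate().items():
        print(f'{name:18} {"ALERT" if hit else "-"}')
    print('decoded:', decode_encoded_command(SAMPLE_EVENTS['encoded_dollar']))
```

The `remotesigned_jab` case is the one to note when tuning: because the exclusion is attached only to the second branch, a `-ExecutionPolicy remotesigned` command line that also carries a `JAB...` payload still alerts, which is usually what you want, but it is a consequence of operator precedence rather than an explicit design choice in the condition.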