title: Encoded IEX
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects a base64 encoded IEX command string in a process command line
author: Florian Roth
date: 2019/08/23
modified: 2022/03/07
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - CommandLine|base64offset|contains:
      - 'IEX (['
      - 'iex (['
      - 'iex (New'
      - 'IEX (New'
    # UTF16 LE
    - CommandLine|contains:
      - 'SQBFAFgAIAAoAFsA'
      - 'kARQBYACAAKABbA'
      - 'JAEUAWAAgACgAWw'
      - 'aQBlAHgAIAAoAFsA'
      - 'kAZQB4ACAAKABbA'
      - 'pAGUAeAAgACgAWw'
      - 'aQBlAHgAIAAoAE4AZQB3A'
      - 'kAZQB4ACAAKABOAGUAdw'
      - 'pAGUAeAAgACgATgBlAHcA'
      - 'SQBFAFgAIAAoAE4AZQB3A'
      - 'kARQBYACAAKABOAGUAdw'
      - 'JAEUAWAAgACgATgBlAHcA'
  condition: selection
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: critical
tags:
  - attack.execution
  - attack.t1059.001