hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md

# Suspicious Base64 Encoded Powershell Command

---

## Metadata

- **Author:** Elastic
- **Description:** This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands.

- **UUID:** `2e583d3c-7ad6-4544-a0db-c685b2066493`
- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)
- **Language:** `[ES|QL]`
- **Source File:** [Suspicious Base64 Encoded Powershell Command](../queries/suspicious_base64_encoded_powershell_commands.toml)

## Query

```sql
from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
| where host.os.type == "windows" and event.category == "process" and event.type == "start" and TO_LOWER(process.name) == "powershell.exe" and process.command_line rlike ".+ -(e|E).*"
| keep agent.id, process.command_line
 /* simplified regex to extract base64 encoded blob */
| grok process.command_line """(?<base64_data>([A-Za-z0-9+/]+={1,2}$|[A-Za-z0-9+/]{100,}))"""
| where base64_data is not null
 /* base64 decode added in 8.14 */
| eval decoded_base64_cmdline = replace(TO_LOWER(FROM_BASE64(base64_data)), """\u0000""", "")
 /* most common suspicious keywords, you can add more patterns here */
| where decoded_base64_cmdline rlike """.*(http|webclient|download|mppreference|sockets|bxor|.replace|reflection|assembly|load|bits|start-proc|iwr|frombase64).*"""
| keep agent.id, process.command_line, decoded_base64_cmdline
```

## Notes

- This hunt can be expanded to include more evasion techniques and downloaders.
- Pivoting by `agent.id` can provide more context on the affected hosts.

## MITRE ATT&CK Techniques

- [T1059](https://attack.mitre.org/techniques/T1059)
- [T1059.001](https://attack.mitre.org/techniques/T1059/001)
- [T1027](https://attack.mitre.org/techniques/T1027)
- [T1027.010](https://attack.mitre.org/techniques/T1027/010)

## License

- `Elastic License v2`
[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			`# Suspicious Base64 Encoded Powershell Command`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00
			`---`

			`## Metadata`

			`- Author: Elastic`
[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			`- Description: This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands.`

[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			- UUID: `2e583d3c-7ad6-4544-a0db-c685b2066493`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00			`- Integration: [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			- Language: `[ES\|QL]`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00			`- Source File: [Suspicious Base64 Encoded Powershell Command](../queries/suspicious_base64_encoded_powershell_commands.toml)`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00
			`## Query`

			```sql
			`from logs-endpoint.events.process-, logs-windows.sysmon_operational-, logs-system.security-*`
			`\| where host.os.type == "windows" and event.category == "process" and event.type == "start" and TO_LOWER(process.name) == "powershell.exe" and process.command_line rlike ".+ -(e\|E).*"`
			`\| keep agent.id, process.command_line`
			`/* simplified regex to extract base64 encoded blob */`
			`\| grok process.command_line """(?<base64_data>([A-Za-z0-9+/]+={1,2}$\|[A-Za-z0-9+/]{100,}))"""`
			`\| where base64_data is not null`
			`/* base64 decode added in 8.14 */`
			`\| eval decoded_base64_cmdline = replace(TO_LOWER(FROM_BASE64(base64_data)), """\u0000""", "")`
			`/* most common suspicious keywords, you can add more patterns here */`
			`\| where decoded_base64_cmdline rlike """.(http\|webclient\|download\|mppreference\|sockets\|bxor\|.replace\|reflection\|assembly\|load\|bits\|start-proc\|iwr\|frombase64)."""`
			`\| keep agent.id, process.command_line, decoded_base64_cmdline`
			```

			`## Notes`

[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			`- This hunt can be expanded to include more evasion techniques and downloaders.`
			- Pivoting by `agent.id` can provide more context on the affected hosts.
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00			`## MITRE ATT&CK Techniques`

			`- [T1059](https://attack.mitre.org/techniques/T1059)`
			`- [T1059.001](https://attack.mitre.org/techniques/T1059/001)`
			`- [T1027](https://attack.mitre.org/techniques/T1027)`
			`- [T1027.010](https://attack.mitre.org/techniques/T1027/010)`

			`## License`

			- `Elastic License v2`