← Back to Explore
sigmahighHunting
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
Detection Query
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_cli_enc:
CommandLine|contains: " -e"
selection_cli_invoke:
CommandLine|contains:
- SQBuAHYAbwBrAGUALQ
- kAbgB2AG8AawBlAC0A
- JAG4AdgBvAGsAZQAtA
- SW52b2tlL
- ludm9rZS
- JbnZva2Ut
condition: all of selection_*
Author
pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
Created
2022-05-20
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.executionattack.t1059.001attack.defense-evasionattack.t1027
Raw Content
title: PowerShell Base64 Encoded Invoke Keyword
id: 6385697e-9f1b-40bd-8817-f4a91f40508e
related:
- id: fd6e2919-3936-40c9-99db-0aa922c356f7
type: obsolete
status: test
description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
date: 2022-05-20
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
- attack.defense-evasion
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e'
selection_cli_invoke:
CommandLine|contains:
# Invoke-
# UTF-16LE
- 'SQBuAHYAbwBrAGUALQ'
- 'kAbgB2AG8AawBlAC0A'
- 'JAG4AdgBvAGsAZQAtA'
# UTF-8
- 'SW52b2tlL'
- 'ludm9rZS'
- 'JbnZva2Ut'
condition: all of selection_*
falsepositives:
- Unknown
level: high