Sigma rule | Level: high | Hunting

PowerShell Base64 Encoded IEX Cmdlet

Detects usage of a base64 encoded "IEX" cmdlet in a process command line

MITRE ATT&CK

execution

Detection Query

selection:
  - CommandLine|base64offset|contains:
      - IEX ([
      - iex ([
      - iex (New
      - IEX (New
      - IEX([
      - iex([
      - iex(New
      - IEX(New
      - IEX(('
      - iex(('
  - CommandLine|contains:
      - SQBFAFgAIAAoAFsA
      - kARQBYACAAKABbA
      - JAEUAWAAgACgAWw
      - aQBlAHgAIAAoAFsA
      - kAZQB4ACAAKABbA
      - pAGUAeAAgACgAWw
      - aQBlAHgAIAAoAE4AZQB3A
      - kAZQB4ACAAKABOAGUAdw
      - pAGUAeAAgACgATgBlAHcA
      - SQBFAFgAIAAoAE4AZQB3A
      - kARQBYACAAKABOAGUAdw
      - JAEUAWAAgACgATgBlAHcA
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2019-08-23

Data Sources

Windows: Process Creation Events

Platforms

windows

Tags

attack.execution, attack.t1059.001

Raw Content

title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains:
              - 'IEX (['
              - 'iex (['
              - 'iex (New'
              - 'IEX (New'
              - 'IEX(['
              - 'iex(['
              - 'iex(New'
              - 'IEX(New'
              - "IEX(('"
              - "iex(('"
        # UTF16 LE
        - CommandLine|contains:
              - 'SQBFAFgAIAAoAFsA'
              - 'kARQBYACAAKABbA'
              - 'JAEUAWAAgACgAWw'
              - 'aQBlAHgAIAAoAFsA'
              - 'kAZQB4ACAAKABbA'
              - 'pAGUAeAAgACgAWw'
              - 'aQBlAHgAIAAoAE4AZQB3A'
              - 'kAZQB4ACAAKABOAGUAdw'
              - 'pAGUAeAAgACgATgBlAHcA'
              - 'SQBFAFgAIAAoAE4AZQB3A'
              - 'kARQBYACAAKABOAGUAdw'
              - 'JAEUAWAAgACgATgBlAHcA'
    condition: selection
falsepositives:
    - Unknown
level: high
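The rule relies on Sigma's base64offset modifier for the first list and on hand-written UTF-16LE expansions for the second (PowerShell's -EncodedCommand takes base64 of UTF-16LE text). The following Python is an added worked example, not part of the Sigma project or this rule; it reimplements the modifier's expansion for both encodings, reproduces the rule's indicator strings, and matches them against a constructed command line. The function names base64offset, build_indicators, matches and encoded_command are this example's own.

```python
import base64

# Plain-text values from the rule's base64offset selection.
IEX_PATTERNS = [
    "IEX ([", "iex ([", "iex (New", "IEX (New",
    "IEX([", "iex([", "iex(New", "IEX(New",
    "IEX(('", "iex(('",
]

def base64offset(value: str, encoding: str = "utf-8") -> list:
    """Expand `value` the way Sigma's base64offset modifier does.

    A string embedded in a larger base64 blob can start at any of three
    byte alignments, so it is encoded after 0, 1 and 2 filler bytes. The
    leading characters that depend on the filler and the trailing
    characters/padding that depend on whatever follows are cut off,
    leaving a substring that is stable regardless of surrounding data.
    """
    raw = value.encode(encoding)
    start = (0, 2, 3)         # chars influenced by the filler bytes
    end = (None, -3, -2)      # chars influenced by the bytes after `value`
    expansions = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + raw).decode()
        expansions.append(enc[start[shift]:end[(len(raw) + shift) % 3]])
    return expansions

def build_indicators() -> list:
    """Both lists of the rule: UTF-8 expansions (what the modifier emits)
    plus the UTF-16LE expansions written out by hand in the rule."""
    indicators = []
    for pattern in IEX_PATTERNS:
        indicators += base64offset(pattern, "utf-8")
        indicators += base64offset(pattern, "utf-16le")
    return indicators

INDICATORS = build_indicators()

def matches(command_line: str) -> bool:
    # Case-sensitive on purpose: base64 is case-sensitive, even though
    # most Sigma backends compile `contains` case-insensitively.
    return any(ind in command_line for ind in INDICATORS)

def encoded_command(script: str) -> str:
    """Constructed sample shaped like an -EncodedCommand invocation."""
    blob = base64.b64encode(script.encode("utf-16le")).decode()
    return "powershell.exe -EncodedCommand " + blob

if __name__ == "__main__":
    print(base64offset("IEX ([", "utf-16le"))   # the rule's first UTF-16LE triple
    print(matches(encoded_command("IEX ([string]'Write-Host hello')")))
```

Because the UTF-16LE value "IEX ([" is exactly 12 bytes, its offset-0 expansion is a full 16-character base64 group, which is why the same string appears in both the generated and the hand-written list regardless of what follows it in the encoded script.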