Powershell Fileless Script Contains Base64 Encoded Content

name: Powershell Fileless Script Contains Base64 Encoded Content
id: 8acbc04c-c882-11eb-b060-acde48001122
version: 18
date: '2026-04-16'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
    - Powershell Script Block Logging 4104
description: The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.
search: "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\"\n  | fillnull\n  | stats count min(_time) as firstTime max(_time) as lastTime\n    BY dest signature signature_id\n       user_id vendor_product EventID\n       Guid Opcode Name\n       Path ProcessID ScriptBlockId\n       ScriptBlockText\n  | `security_content_ctime(firstTime)`\n  | `security_content_ctime(lastTime)`\n  | `powershell_fileless_script_contains_base64_encoded_content_filter`"
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: False positives should be limited. Filter as needed.
references:
    - https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
    - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
    - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
    - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: '0'
rba:
    message: A suspicious powershell script contains base64 command on host $dest$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Winter Vivern
        - Malicious PowerShell
        - Medusa Ransomware
        - Data Destruction
        - NjRAT
        - AsyncRAT
        - Hermetic Wiper
        - IcedID
        - XWorm
        - 0bj3ctivity Stealer
        - APT37 Rustonotto and FadeStealer
        - GhostRedirector IIS Module and Rungan Backdoor
        - Hellcat Ransomware
        - Microsoft WSUS CVE-2025-59287
        - NetSupport RMM Tool Abuse
        - MuddyWater
        - Axios Supply Chain Post Compromise
    mitre_attack_id:
        - T1027
        - T1059.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
    asset_type: Endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog