← Library
splApache-2.0from splunk/security_content

Powershell Fileless Script Contains Base64 Encoded Content

The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.

Quality
51
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_fileless_script_contains_base64_encoded_content_filter`