Query Details

Powershell Base64 Encoding

Query

DeviceProcessEvents
// Define timeframe
| where Timestamp > ago(1d)
| where FileName has_any (@"powershell.exe", @"pwsh.exe", @"powershell_ise.exe")
| where ProcessCommandLine contains "base64"
| summarize arg_max(Timestamp, *) by DeviceName

About this query

PowerShell Base64 encoding

Description

Hunting for Base64 encoded command lines in PowerShell is crucial to detect and mitigate potential cyber threats. While the analytic below will detect Base64 encoded commands, a fine tuning is required for your environment.

References

Microsoft 365 Defender & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.014/08/2023Initial publish

Explanation

This query is used to detect Base64 encoded command lines in PowerShell. It filters for events related to PowerShell processes and searches for the keyword "base64" in the process command line. The query then summarizes the results by the device name. It is important to note that this query may need to be adjusted for specific environments. The query is relevant for Microsoft 365 Defender and Microsoft Sentinel. It is mapped to the MITRE ATT&CK technique T1059.001 - Command and Scripting Interpreter: PowerShell. The query was initially published on 14/08/2023.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampFileNamepowershell.exepwsh.exepowershell_ise.exeProcessCommandLinebase64DeviceName

Operators

DeviceProcessEventswhereTimestampagoFileNamehas_anyProcessCommandLinecontainssummarizearg_maxbyDeviceName

MITRE Techniques

Actions

GitHub