Techniques
Sample rules
Base64 Encoded PowerShell Command Detected
- source: sigma
- techniques:
  - t1027
  - t1059
  - t1059.001
  - t1140
Description
Detects use of the “FromBase64String” function on the command line, which is used to decode a Base64-encoded string.
Detection logic
condition: selection
selection:
  CommandLine|contains: ::FromBase64String(
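
The detection logic above, evaluated over a few constructed process-creation events. This is an added example, not code from the Sigma project; the event dictionaries and the helper names (`field_matches`, `rule_matches`, `matching_indexes`) are assumptions, and only the `contains` modifier and a single-selection condition are handled.

```python
# Added example: minimal evaluator for the rule's single selection.
# Sigma string matching is case-insensitive by default; that is mirrored here.

RULE = {  # transcribed from the detection logic above
    "condition": "selection",
    "selection": {"CommandLine|contains": "::FromBase64String("},
}

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": "powershell.exe",
     "CommandLine": "powershell -c \"[Text.Encoding]::UTF8.GetString("
                    "[Convert]::FromBase64String('aGVsbG8='))\""},
    {"Image": "pwsh.exe",
     "CommandLine": "pwsh -c [convert]::frombase64string($x)"},
    # Mentions the function name but lacks the '::' prefix and '(' suffix.
    {"Image": "powershell.exe",
     "CommandLine": "powershell -c Select-String -Pattern FromBase64String .\\build.ps1"},
    {"Image": "powershell.exe", "CommandLine": "powershell -c Get-ChildItem C:\\Temp"},
    {"Image": "svchost.exe"},  # event without a CommandLine field
]


def field_matches(event, key, expected):
    """Evaluate one 'Field|contains' entry; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    if modifier != "contains":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    actual = event.get(field)
    if not isinstance(actual, str):
        return False  # a missing field never matches
    values = expected if isinstance(expected, list) else [expected]
    return any(str(v).lower() in actual.lower() for v in values)


def rule_matches(rule, event):
    """All entries of the selection named by the condition must match (AND)."""
    selection = rule[rule["condition"]]
    return all(field_matches(event, k, v) for k, v in selection.items())


def matching_indexes(rule, events):
    """Return the positions of the events that would raise an alert."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    for i in matching_indexes(RULE, EVENTS):
        print("ALERT:", EVENTS[i]["CommandLine"])
```

The third event shows why the rule anchors on `::` and `(`: a command line that only mentions the function name, such as a text search, does not alert.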