Techniques
Sample rules
Windows PowerShell Process Implementing Manual Base64 Decoder
- source: splunk
- technicques:
- T1027.010
- T1059.001
Description
The following analytic identifies Windows PowerShell processes that implement a manual Base64 decoder. Threat actors often use Base64 encoding to obfuscate malicious payloads or commands within PowerShell scripts. By manually decoding Base64 strings, attackers can evade detection mechanisms that look for standard decoding functions like using the “-enc” flag or the “FromBase64String” function. This detection focuses on PowerShell processes that exhibit characteristics of manual Base64 decoding, such as the presence of specific string manipulation methods and bitwise operations. Security teams should investigate any instances of such activity, especially if found in conjunction with other suspicious behaviors or on systems that should not be using PowerShell for such tasks.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process = "*ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/*"
Processes.process = "*.Substring(*"
Processes.process = "*.GetString(*"
Processes.process = "*.IndexOf(*"
Processes.process IN ("*-shl*", *-shr*, "*-bxor*", "*-bor*", "*-band*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id
Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_process_implementing_manual_base64_decoder_filter`