Encoded PowerShell Command

Anvilogic Forge

Summary
This rule targets obfuscated PowerShell commands, which threat actors commonly use to execute malicious scripts on Windows systems. PowerShell offers rich scripting and task-automation capabilities, which makes it a prevalent choice for attackers. The detection uses Windows Sysmon event logs, looking specifically for PowerShell command lines whose payload is passed as Base64, a common obfuscation technique employed by various threat groups. The detection logic screens for terms associated with PowerShell's encoded-command switches and decodes the Base64 payload so that the command actually being executed can be analyzed. By aggregating the relevant event data and extracting candidate encoded command strings, the rule flags activity related to encoded PowerShell commands and provides visibility into attackers' attempts to evade detection.
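The decoding step the summary describes, as an added example in Python rather than the Anvilogic rule's own logic: it runs over constructed Sysmon-style process command lines, extracts the encoded-command switch and its Base64 token, and decodes the UTF-16LE payload. The switch-prefix set, the regex, the record type and the sample lines are assumptions of this example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
# -enc, ...) plus -ec, so match the whole family rather than one spelling.
ENCODED_SWITCHES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}

# A switch (- or /) followed by a Base64-looking token; surrounding quotes are optional.
SWITCH_RE = re.compile(r"""[-/](\w+)\s+["']?([A-Za-z0-9+/=]{16,})["']?""")

# Constructed Sysmon Event ID 1 CommandLine values for this example (not real telemetry).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -e RwBlAHQALQBEAGEAdABlAA==",
    "powershell.exe -enc ZZZZZZZZZZZZZZZZZ",  # encoded switch with a malformed payload
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


@dataclass
class EncodedPowerShell:
    switch: str
    encoded: str
    decoded: Optional[str]  # None when the token is not a valid Base64/UTF-16LE payload


def decode_encoded_command(token: str) -> Optional[str]:
    """Decode an -EncodedCommand payload: Base64 over UTF-16LE text."""
    padded = token + "=" * (-len(token) % 4)  # tolerate padding stripped by the sender
    try:
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # still worth flagging: the switch was present, the payload was not clean


def find_encoded_powershell(command_line: str) -> Optional[EncodedPowerShell]:
    """Return the first encoded-command switch found in a PowerShell command line."""
    lowered = command_line.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    for match in SWITCH_RE.finditer(command_line):
        switch, token = match.group(1), match.group(2)
        if switch.lower() in ENCODED_SWITCHES:
            return EncodedPowerShell(switch, token, decode_encoded_command(token))
    return None


def scan_command_lines(command_lines: List[str]) -> List[EncodedPowerShell]:
    """Apply the detection to a batch of command lines, keeping only the hits."""
    return [hit for hit in map(find_encoded_powershell, command_lines) if hit is not None]
```

A hit whose `decoded` is `None` deserves the same attention as a clean decode, since a truncated or hand-mangled payload is still an attempt to use the encoded switch.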
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1027
  • T1059.001
Created: 2024-02-09