Rules: PowerShell Encoded Command
PowerShell can execute encoded Base64 strings with the Encoded Command cmdlet. Attackers will often use Base64 to obfuscate their payloads until they can decode and execute it with PowerShell.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Execution |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | PowerShell Encoded Command |
| Summary Expression | Encoded Powershell command executed on host: {{device_hostname}} |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1059, _mitreAttackTechnique:T1059.001, _mitreAttackTechnique:T1059.003, _mitreAttackTechnique:T1132, _mitreAttackTechnique:T1132.001, _mitreAttackTechnique:T1132.002, _mitreAttackTechnique:T1140 |
| Origin | Field |
|---|---|
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | listMatches |
| Normalized Schema | user_username |