cscli scenarios install sigmahq/proc_creation_win_powershell_base64_encoded_cmd1type: trigger2name: sigmahq/proc_creation_win_powershell_base64_encoded_cmd3description: |4 Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe' || evt.Parsed.OriginalFileName in ['PowerShell.EXE', 'pwsh.dll']) && (evt.Parsed.CommandLine contains ' -e' && (evt.Parsed.CommandLine contains ' JAB' || evt.Parsed.CommandLine contains ' SUVYI' || evt.Parsed.CommandLine contains ' SQBFAFgA' || evt.Parsed.CommandLine contains ' aQBlAHgA' || evt.Parsed.CommandLine contains ' aWV4I' || evt.Parsed.CommandLine contains ' IAA' || evt.Parsed.CommandLine contains ' IAB' || evt.Parsed.CommandLine contains ' UwB' || evt.Parsed.CommandLine contains ' cwB') || evt.Parsed.CommandLine contains '.exe -ENCOD ' || evt.Parsed.CommandLine contains ' BA^J e-') && not (evt.Parsed.CommandLine contains ' -ExecutionPolicy remotesigned '))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1059.0011516 label: "Suspicious Encoded PowerShell Command Line"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324