Detection Library
high · production · Windows · Endpoint · T1059.001 · T1027

Suspicious PowerShell Encoded Command Execution

Detects execution of PowerShell with base64-encoded commands, commonly used by attackers to obfuscate malicious payloads.

Updated Nov 15, 2024 · Detection Engineering Team

powershell · obfuscation · lolbas · windows

Problem Statement

PowerShell encoded commands are a primary evasion technique used to obfuscate malicious payloads from signature-based detection. Attackers convert scripts to base64 and pass them via -EncodedCommand to bypass string-based filtering.

Sample Logs

{"EventID":4688,"TimeCreated":"2024-11-15T14:32:01Z","Computer":"WORKSTATION-01","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -NonInteractive -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMAUQB"}
{"EventID":4688,"TimeCreated":"2024-11-15T14:45:22Z","Computer":"SERVER-DC01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAn"}

Required Fields

process.image / NewProcessName
process.command_line / CommandLine
user.name / SubjectUserName
host.name / Computer
event.timestamp / TimeCreated

False Positives

  • Legitimate IT automation using encoded commands (document and baseline)
  • Software deployment tools like SCCM, Chocolatey
  • Developers testing PowerShell remoting

Tuning Guidance

Whitelist known automation service accounts and the hashes of deployment tools. Focus on interactive user sessions. Correlate with network connections to reduce the false-positive rate.
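As an added example, not code from this library entry, here is the rule applied to the sample logs above with the tuning this page recommends: it matches the -EncodedCommand flag in the spellings powershell.exe accepts (-e, -ec, -enc, ...), decodes the UTF-16LE base64 payload even where the log truncated the command line (both sample events are cut short), and suppresses hits from an allowlisted automation account. The sample list reuses the page's two events and adds two constructed ones; the account name svc-sccm and the network-hint strings are assumptions.

```python
import base64
import json
import re

# powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc, ...).
_FLAG_FORMS = "|".join(["encodedcommand"[:n] for n in range(1, 15)] + ["ec"])
ENCODED_FLAG = re.compile(rf"(?:^|\s)[-/](?:{_FLAG_FORMS})\s+[\"']?([A-Za-z0-9+/=]{{8,}})", re.I)
NETWORK_HINTS = ("net.webclient", "downloadstring", "sockets", "iex", "invoke-expression")
ALLOWLISTED_ACCOUNTS = {"svc-sccm"}  # hypothetical baselined automation account (see Tuning Guidance)

# Constructed sample input: the page's two events plus a benign run and an allowlisted one.
SAMPLE_LOG = [
    r'{"EventID":4688,"TimeCreated":"2024-11-15T14:32:01Z","Computer":"WORKSTATION-01","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -NonInteractive -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMAUQB"}',
    r'{"EventID":4688,"TimeCreated":"2024-11-15T14:45:22Z","Computer":"SERVER-DC01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAn"}',
    r'{"EventID":4688,"TimeCreated":"2024-11-15T15:02:10Z","Computer":"WORKSTATION-02","SubjectUserName":"adoe","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"}',
    r'{"EventID":4688,"TimeCreated":"2024-11-15T15:10:44Z","Computer":"WORKSTATION-03","SubjectUserName":"svc-sccm","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NonInteractive -enc RwBlAHQALQBEAGEAdABlAA=="}',
]

def decode_encoded_command(blob):
    """Decode a -EncodedCommand value (base64 of UTF-16LE), tolerating log truncation."""
    blob = blob.strip()
    truncated = len(blob) % 4 != 0           # a complete value is always a multiple of 4
    data = blob.rstrip("=")
    if len(data) % 4 == 1:                   # a lone trailing char carries no whole byte
        data = data[:-1]
    try:
        raw = base64.b64decode(data + "=" * (-len(data) % 4))
    except ValueError:                       # binascii.Error is a ValueError
        return None, truncated
    # errors="ignore" drops the dangling byte of a half-cut UTF-16 code unit
    return raw.decode("utf-16le", errors="ignore"), truncated or len(raw) % 2 == 1

def evaluate(line):
    """Apply the rule to one JSON 4688 event; return an alert dict or None."""
    event = json.loads(line)
    if not event.get("NewProcessName", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    match = ENCODED_FLAG.search(event.get("CommandLine", ""))
    if not match:
        return None
    decoded, truncated = decode_encoded_command(match.group(1))
    user = event.get("SubjectUserName", "")
    return {
        "user": user, "host": event.get("Computer"), "decoded": decoded, "truncated": truncated,
        "network_hints": [h for h in NETWORK_HINTS if decoded and h in decoded.lower()],
        "suppressed": user.lower() in ALLOWLISTED_ACCOUNTS,  # allowlist step from Tuning Guidance
    }

def run(lines):
    return [a for a in map(evaluate, lines) if a and not a["suppressed"]]
```

Suppressed hits are still worth logging for baselining; `run` only drops them from the alert queue.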