← Back to SOC feed Coverage →

Suspicious FromBase64String Usage On Gzip Archive - Process Creation

sigma MEDIUM SigmaHQ
T1132.001
imProcessCreate
powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-12T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Detection Rule

Sigma (Original)

title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
related:
    - id: df69cb1d-b891-4cd9-90c7-d617d90100ce
      type: similar
status: test
description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022-12-23
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'FromBase64String'
            - 'MemoryStream'
            - 'H4sI'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "FromBase64String" and TargetProcessCommandLine contains "MemoryStream" and TargetProcessCommandLine contains "H4sI"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml