
Suspicious Obfuscated PowerShell Code

sigma · HIGH · SigmaHQ · imProcessCreate · powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-11T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects UTF-16 and base64-encoded, often otherwise obfuscated, PowerShell code of the kind frequently passed on command lines, by matching the base64 forms of several characteristic obfuscation fragments.

Detection Rule

Sigma (Original)

title: Suspicious Obfuscated PowerShell Code
id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
status: test
description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
references:
    - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
author: Florian Roth (Nextron Systems)
date: 2022-07-11
modified: 2023-02-14
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            #  -bxor 0x
            - 'IAAtAGIAeABvAHIAIAAwAHgA'
            - 'AALQBiAHgAbwByACAAMAB4A'
            - 'gAC0AYgB4AG8AcgAgADAAeA'
            # .Invoke() |
            - 'AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg'
            - 'AuAEkAbgB2AG8AawBlACgAKQAgAHwAI'
            - 'ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC'
            # {1}{0}" -f
            # {0}{3}" -f
            # {2}{0}" -f
            - 'AHsAMQB9AHsAMAB9ACIAIAAtAGYAI'
            - 'B7ADEAfQB7ADAAfQAiACAALQBmAC'
            - 'AewAxAH0AewAwAH0AIgAgAC0AZgAg'
            - 'AHsAMAB9AHsAMwB9ACIAIAAtAGYAI'
            - 'B7ADAAfQB7ADMAfQAiACAALQBmAC'
            - 'AewAwAH0AewAzAH0AIgAgAC0AZgAg'
            - 'AHsAMgB9AHsAMAB9ACIAIAAtAGYAI'
            - 'B7ADIAfQB7ADAAfQAiACAALQBmAC'
            - 'AewAyAH0AewAwAH0AIgAgAC0AZgAg'
            # {1}{0}' -f
            # {0}{3}' -f
            # {2}{0}' -f
            - 'AHsAMQB9AHsAMAB9ACcAIAAtAGYAI'
            - 'B7ADEAfQB7ADAAfQAnACAALQBmAC'
            - 'AewAxAH0AewAwAH0AJwAgAC0AZgAg'
            - 'AHsAMAB9AHsAMwB9ACcAIAAtAGYAI'
            - 'B7ADAAfQB7ADMAfQAnACAALQBmAC'
            - 'AewAwAH0AewAzAH0AJwAgAC0AZgAg'
            - 'AHsAMgB9AHsAMAB9ACcAIAAtAGYAI'
            - 'B7ADIAfQB7ADAAfQAnACAALQBmAC'
            - 'AewAyAH0AewAwAH0AJwAgAC0AZgAg'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "IAAtAGIAeABvAHIAIAAwAHgA"
    or TargetProcessCommandLine contains "AALQBiAHgAbwByACAAMAB4A"
    or TargetProcessCommandLine contains "gAC0AYgB4AG8AcgAgADAAeA"
    or TargetProcessCommandLine contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg"
    or TargetProcessCommandLine contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI"
    or TargetProcessCommandLine contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC"
    or TargetProcessCommandLine contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI"
    or TargetProcessCommandLine contains "B7ADEAfQB7ADAAfQAiACAALQBmAC"
    or TargetProcessCommandLine contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg"
    or TargetProcessCommandLine contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI"
    or TargetProcessCommandLine contains "B7ADAAfQB7ADMAfQAiACAALQBmAC"
    or TargetProcessCommandLine contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg"
    or TargetProcessCommandLine contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI"
    or TargetProcessCommandLine contains "B7ADIAfQB7ADAAfQAiACAALQBmAC"
    or TargetProcessCommandLine contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg"
    or TargetProcessCommandLine contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI"
    or TargetProcessCommandLine contains "B7ADEAfQB7ADAAfQAnACAALQBmAC"
    or TargetProcessCommandLine contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg"
    or TargetProcessCommandLine contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI"
    or TargetProcessCommandLine contains "B7ADAAfQB7ADMAfQAnACAALQBmAC"
    or TargetProcessCommandLine contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg"
    or TargetProcessCommandLine contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI"
    or TargetProcessCommandLine contains "B7ADIAfQB7ADAAfQAnACAALQBmAC"
    or TargetProcessCommandLine contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg"
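Why the rule carries three base64 strings per plaintext fragment: base64 turns every 3 input bytes into 4 output characters, so the encoding of a substring depends on how many bytes precede it modulo 3. The following Python is an added example, not part of the SigmaHQ rule or of the KQL translation above. It regenerates the three alignment-independent patterns for the " -bxor 0x" fragment named in the rule's first comment, reproduces the rule's exact strings, and then applies the rule's full pattern list to constructed command lines (the PowerShell invocations and scripts below are made up for the demonstration; `find_rule_hits`, `utf16le_b64_variants` and `encoded_command_line` are names chosen here).

```python
# Added example (not the SigmaHQ rule's own code). Shows the three-offset
# base64 derivation behind the rule and a matcher over its pattern list.
# All command lines and scripts here are constructed test inputs.
import base64

# Plaintext fragment from the rule's first comment, with its three base64
# forms copied verbatim from the rule.
BXOR_FRAGMENT = " -bxor 0x"
BXOR_PATTERNS = [
    "IAAtAGIAeABvAHIAIAAwAHgA",
    "AALQBiAHgAbwByACAAMAB4A",
    "gAC0AYgB4AG8AcgAgADAAeA",
]

# Full pattern list of the rule's CommandLine|contains selection.
RULE_PATTERNS = BXOR_PATTERNS + [
    "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg", "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI",
    "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC",
    "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI", "B7ADEAfQB7ADAAfQAiACAALQBmAC",
    "AewAxAH0AewAwAH0AIgAgAC0AZgAg", "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI",
    "B7ADAAfQB7ADMAfQAiACAALQBmAC", "AewAwAH0AewAzAH0AIgAgAC0AZgAg",
    "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI", "B7ADIAfQB7ADAAfQAiACAALQBmAC",
    "AewAyAH0AewAwAH0AIgAgAC0AZgAg",
    "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI", "B7ADEAfQB7ADAAfQAnACAALQBmAC",
    "AewAxAH0AewAwAH0AJwAgAC0AZgAg", "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI",
    "B7ADAAfQB7ADMAfQAnACAALQBmAC", "AewAwAH0AewAzAH0AJwAgAC0AZgAg",
    "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI", "B7ADIAfQB7ADAAfQAnACAALQBmAC",
    "AewAyAH0AewAwAH0AJwAgAC0AZgAg",
]


def utf16le_b64_variants(fragment: str) -> list[str]:
    """Return the three alignment-independent base64 forms of a UTF-16LE fragment.

    For each possible offset (0, 1, 2 preceding bytes modulo 3) the fragment is
    encoded behind that many filler bytes, and every output character whose
    bits mix filler or following bytes with fragment bytes is dropped, so the
    result is a substring that appears wherever the fragment sits at that
    alignment, regardless of the surrounding text.
    """
    data = fragment.encode("utf-16-le")
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + data
        encoded = base64.b64encode(padded).decode("ascii").rstrip("=")
        # Leading output characters that carry bits of the filler bytes.
        lead = (offset * 8 + 5) // 6
        encoded = encoded[lead:]
        # A trailing partial 3-byte group yields one character that also
        # depends on whichever byte follows the fragment in real input.
        if len(padded) % 3:
            encoded = encoded[:-1]
        variants.append(encoded)
    return variants


def find_rule_hits(command_line: str) -> list[str]:
    """Apply the rule's selection as a case-sensitive substring test
    (base64 is case-sensitive; see the note below on KQL 'contains')."""
    return [p for p in RULE_PATTERNS if p in command_line]


def encoded_command_line(script: str) -> str:
    """Constructed PowerShell -EncodedCommand invocation for detection testing."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -EncodedCommand {b64}"


if __name__ == "__main__":
    # Reproduces the three -bxor strings listed in the rule.
    print(utf16le_b64_variants(BXOR_FRAGMENT))
    # Constructed scripts whose ' -bxor 0x' starts at byte offsets 12, 14 and 16,
    # i.e. 0, 2 and 1 modulo 3, so each one hits a different pattern.
    for script in ("$v = 7 -bxor 0x2A", "$ab = 7 -bxor 0x2A", "$abc = 7 -bxor 0x2A"):
        print(script, "->", find_rule_hits(encoded_command_line(script)))
    # A plain command line produces no hits.
    print(find_rule_hits("powershell.exe -Command Get-Process"))  # []
```

Two practical notes. First, the patterns are the stable middle of each encoding, which is why the second and third string for a fragment are shorter than the first: the dropped characters would vary with the neighbouring text. Second, base64 is case-sensitive, and the KQL `contains` operator above is not (Kusto's `contains_cs` is the case-sensitive form), so the Sentinel translation can match more liberally than the substring test in this example; a `contains_cs` variant is worth evaluating if the rule produces noise.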

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml