Forum Discussion
JKatzmandu
Nov 16, 2020
Brass Contributor
Finding base64 encoded commands
All, I put together a query to look for base64-encoded strings on command lines where PowerShell has been executed. So I whipped up the following query:
SecurityEvent
| where TimeGenerated betw...
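The query in the opening post is cut off above. As an added example (not the poster's KQL and not Microsoft's code), here is a Python version of the same check run over a handful of constructed Event 4688-style records, shaped like rows from Sentinel's SecurityEvent table: it looks for the -EncodedCommand switch and the abbreviations powershell.exe documents (-e, -ec, -enc), and as a lower-confidence fallback for any long base64 token that decodes to printable UTF-16LE text. The decode step is what separates an encoded command from other base64 that legitimately appears on command lines, such as a key or certificate blob. The computer names, paths and command lines are constructed, and the encoded payload on WS01 and WS02 is the harmless UTF-16LE string Write-Host "hi".

```python
import base64
import re
import string

# Constructed sample records in the shape of Windows Security Event 4688 as the
# SecurityEvent table exposes them. Nothing here comes from the thread; the
# encoded payload on WS01 and WS02 is UTF-16LE 'Write-Host "hi"'.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "NewProcessName": PS_EXE,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    "VwByAGkAdABlAC0ASABvAHMAdAAgACIAaABpACIA"},
    {"Computer": "WS02", "NewProcessName": PS_EXE,
     "CommandLine": "powershell -nop -enc "
                    "VwByAGkAdABlAC0ASABvAHMAdAAgACIAaABpACIA"},
    {"Computer": "WS03", "NewProcessName": PS_EXE,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # Benign base64 (a DER public-key header) that is not an encoded command.
    {"Computer": "WS04", "NewProcessName": PS_EXE,
     "CommandLine": "powershell.exe -Command \"Set-Content C:\\tmp\\pub.txt "
                    "'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA'\""},
    # Not PowerShell at all; the 40-char hex hash is a classic false positive
    # for naive "looks like base64" checks.
    {"Computer": "WS05", "NewProcessName": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git checkout 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6"},
]

# -EncodedCommand and the abbreviations powershell.exe documents (-e, -ec, -enc),
# followed by a base64 token. PowerShell also accepts other unambiguous prefixes
# of the switch name, which the 'n[a-z]*' alternative covers.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)
# Any long base64-looking token, used only as a lower-confidence fallback.
BASE64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable)


def decode_utf16le_base64(token):
    """Return the text if token is base64 of printable UTF-16LE, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16le")
    except UnicodeDecodeError:
        return None
    return text if all(c in PRINTABLE for c in text) else None


def analyze_command_line(cmd):
    """Classify one command line; returns a finding dict or None."""
    match = ENCODED_FLAG.search(cmd)
    if match:
        # The switch alone is a high-confidence hit even if the payload does
        # not decode cleanly; the decoded text is attached when it does.
        return {"confidence": "high",
                "decoded": decode_utf16le_base64(match.group(1))}
    for token in BASE64_TOKEN.findall(cmd):
        decoded = decode_utf16le_base64(token)
        if decoded is not None:
            return {"confidence": "medium", "decoded": decoded}
    return None


def is_powershell(event):
    """True when the created process is a PowerShell host binary."""
    exe = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    return exe in {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def scan_events(events):
    """Apply the check to PowerShell process-creation events only."""
    findings = []
    for event in events:
        if not is_powershell(event):
            continue
        result = analyze_command_line(event["CommandLine"])
        if result:
            findings.append({"Computer": event["Computer"], **result})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["Computer"], finding["confidence"], repr(finding["decoded"]))
```

Running it flags WS01 and WS02 with the decoded Write-Host line, and leaves WS03 (a plain -File invocation), WS04 (benign base64 that does not decode to UTF-16LE text) and WS05 (not PowerShell) alone. The same two-stage idea maps onto KQL: match the switch first, then use the platform's base64 decode on the captured token to confirm it yields readable text before alerting.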
Ofer_Shezaf
Microsoft
Nov 30, 2020
Trying to create a rule-based detection of PowerShell attacks is between hard and impossible. On the one hand, base64 is used in valid code, and on the other hand, evasion is pretty easy. Why should the code be on the command line in the first place? Want the really dire picture? Daniel Bohannon's presentation on PowerShell obfuscation (video, slides) is impressive.
I think that Defender for Endpoint (a.k.a. Defender ATP) is the right choice for detecting and protecting from such threats.