Forum Discussion
Finding base64 encoded commands
All, I put together a query to look for base64-encoded strings on Command Lines where powershell has been executed. So I whipped up the following query: SecurityEvent
| where TimeGenerated betw...
JKatzmandu Have you looked at the "Process executed from binary hidden in Base64 encoded file" rule template to see how that does it?
