Forum Discussion
JKatzmandu
Nov 16, 2020 - Brass Contributor
Finding base64 encoded commands
All, I put together a query to look for base64-encoded strings on Command Lines where PowerShell has been executed. So I whipped up the following query:
SecurityEvent
| where TimeGenerated betw...
GaryBushey
Nov 16, 2020 - Bronze Contributor
JKatzmandu Have you looked at the "Process executed from binary hidden in Base64 encoded file" rule template to see how that does it?
- JKatzmandu - Nov 16, 2020 - Brass Contributor