title: Encoded IEX
author: Florian Roth
date: 2019/08/23
description: Detects a base64 encoded IEX command string in a process command line
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*SUVYIChb*'
    - '*lFWCAoW*'
    - '*JRVggKF*'
    - '*aWV4IChb*'
    - '*lleCAoW*'
    - '*pZXggKF*'
    - '*aWV4IChOZX*'
    - '*lleCAoTmV3*'
    - '*pZXggKE5ld*'
    - '*SUVYIChOZX*'
    - '*lFWCAoTmV3*'
    - '*JRVggKE5ld*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: 88f680b8-070e-402c-ae11-d2914f2257f1
level: critical
logsource:
  category: process_creation
  product: windows
modified: 2020/08/29
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA