PowerShell Base64 Encoded Invoke Keyword

About the rule

Rule Type

Standard

Rule Description

This detection identifies PowerShell commands that use Base64-encoded strings containing variants of the Invoke- keyword. Attackers often encode PowerShell commands to evade traditional defenses like antivirus tools and endpoint detection systems. The Invoke- prefix is common in post-exploitation tools like PowerSploit, Nishang, and Empire, used to trigger specific malicious actions such as credential dumping, payload delivery, or system reconnaissance.

Severity

Trouble

Rule journey

Attack chain scenario

Malicious installer uploaded → Victim executes with admin rights → Encoded PowerShell (-e) runs → Decodes to Invoke-Mimikatz → Credentials dumped

Impact

• Credential compromise
• System reconnaissance
• Execution of additional payloads

Rule Requirement

Prerequisites

Process Creation Auditing

Via Windows Event Viewer (GPO)

1. Open GPMC (gpmc.msc) using a domain admin account.
2. Navigate to:
   Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
3. Enable:
   • Audit Process Creation
   • Audit Process Termination
     (Check “Success” box for both)
4. For command-line logging:
   Go to:
   Computer Configuration > Administrative Templates > System > Audit Process Creation
   → Enable “Include command line in process creation events.”
5. Create registry key (if missing):
   Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing/Operational

Using Sysmon

To set up process creation monitoring with Sysmon:

1.Download and install Sysmon from Microsoft Sysinternals.

2. Open a Command Prompt with administrator privileges.

3. Create or download a Sysmon configuration file that includes process creation monitoring. A basic example for capturing all process creations is:

<Sysmon>
<EventFiltering>
<ProcessCreate onmatch="exclude"/>
</EventFiltering>
</Sysmon>

4. Install Sysmon with your configuration file using the command:

sysmon.exe -i [configfile.xml] (Replace [configfile.xml] with your file's path and name).

5. Ensure a new registry key named "Microsoft-Windows-Sysmon/Operational" exists in the directory Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\. If not, create it.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Obfuscated Files or Information (T1027), Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

NIST CSF DE.CM-1: Network and physical activities are monitored to detect anomalous events.

When this rule is triggered, you're notified of encoded PowerShell commands containing the term Invoke-. This enables you to configure command line auditing and monitor for -e, -enc.

Author

pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t

Future actions

Known False Positives

This rule might be triggered by legitimate administrative scripts that use Invoke- commands encoded for internal automation.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Enable PowerShell Script Block Logging and Module Logging via Group Policy.

Mitigation