title: FromBase64String Command Line
id: e32d4572-9826-4738-b651-95fa63747e8a
status: experimental
description: Detects suspicious FromBase64String expressions in command line arguments
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth
date: 2020/01/29
modified: 2020/09/06
tags: 
    - attack.t1027
    - attack.defense_evasion
    - attack.t1140
    - attack.t1059.001    
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high