Posted on 2019-07-19 by Pedram Amini
Base64 Encoded PowerShell Pivots
In this short post, we share a YARA rule that threat hunters will find valuable for identifying potentially malicious PowerShell pivots. Specifically, we look for base64-encoded PowerShell directives. We also share some interesting real-world samples with the reader, including an SSL certificate, a Microsoft Windows shortcut (LNK) file, and a JPG image. Base64 encoding is among the most popular encoding mechanisms used by malware today; decoders are available ubiquitously, and are easily custom-developed when they are not.
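The reason a rule for base64-encoded directives needs more than one string per keyword is alignment: base64 works on 3-byte groups, so a keyword encodes three different ways depending on how many bytes precede it, and PowerShell's `-EncodedCommand` takes UTF-16LE, which encodes differently again. The following Python is an added example written for this post, not the post's YARA rule: it derives the three aligned forms of each keyword (ASCII and UTF-16LE) and scans a constructed sample; the keyword list and the sample bytes are assumptions.

```python
import base64
import re

# Keywords whose base64 forms are searched for (a constructed list for this
# example, not the rule from the post).
KEYWORDS = ["powershell", "Invoke-Expression", "-EncodedCommand", "DownloadString"]


def base64_variants(keyword: str, utf16: bool = False) -> list[str]:
    """Base64 text that `keyword` produces at each of the three byte alignments.

    Characters whose bits also depend on the unknown neighbouring bytes are
    trimmed from both ends, so each variant matches regardless of context.
    """
    raw = keyword.encode("utf-16-le") if utf16 else keyword.encode("ascii")
    variants = []
    for lead in range(3):
        padded = b"\x00" * lead + raw            # stand-in for the unknown lead bytes
        enc = base64.b64encode(padded).decode("ascii").rstrip("=")
        full = 4 * (len(padded) // 3)            # chars fixed by complete 3-byte groups
        tail = len(padded) % 3                   # chars fixed by the final partial group
        variants.append(enc[(0, 2, 3)[lead]:full + tail])  # drop chars tied to lead bytes
    return variants


def scan(data: bytes, keywords=KEYWORDS) -> list[dict]:
    """Report every base64-aligned occurrence of a keyword (ASCII and UTF-16LE)."""
    hits = []
    for kw in keywords:
        for utf16 in (False, True):
            for lead, pat in enumerate(base64_variants(kw, utf16)):
                for m in re.finditer(re.escape(pat.encode("ascii")), data):
                    hits.append({"keyword": kw, "utf16": utf16, "lead": lead, "at": m.start()})
    return hits


# Constructed sample: a JPEG-like header followed by two base64 blobs, one an
# ASCII command line and one a UTF-16LE command of the kind -EncodedCommand takes.
SAMPLE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 12
    + base64.b64encode(b"powershell -NoProfile -Command Get-Date") + b"\n"
    + base64.b64encode("Invoke-Expression 'Get-Date'".encode("utf-16-le"))
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Very short keywords yield variants of only a few characters and will false-positive on ordinary base64 data, so keep the keyword list to directive names long enough to be distinctive.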