Skip to content

Hide Navigation Hide TOC

Suspicious FromBase64String Usage On Gzip Archive - Process Creation (d75d6b6b-adb9-48f7-824b-ac2e786efe1f)

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Cluster A Galaxy A Cluster B Galaxy B Level
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Suspicious FromBase64String Usage On Gzip Archive - Process Creation (d75d6b6b-adb9-48f7-824b-ac2e786efe1f) Sigma-Rules 1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2