Skip to content

Hide Navigation Hide TOC

Suspicious FromBase64String Usage On Gzip Archive - Ps Script (df69cb1d-b891-4cd9-90c7-d617d90100ce)

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

Cluster A Galaxy A Cluster B Galaxy B Level
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Suspicious FromBase64String Usage On Gzip Archive - Ps Script (df69cb1d-b891-4cd9-90c7-d617d90100ce) Sigma-Rules 1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2