
Base64 MZ Header In CommandLine

Sigma rule · Level: HIGH · Source: SigmaHQ · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects a base64-encoded MZ (DOS executable) header in a process command line, i.e. a PE image being passed inline as a base64 string.

Detection Rule

Sigma (Original)

title: Base64 MZ Header In CommandLine
id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
status: test
description: Detects encoded base64 MZ header in the commandline
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'TVqQAAMAAAAEAAAA' # MZ..........
            - 'TVpQAAIAAAAEAA8A'
            - 'TVqAAAEAAAAEABAA'
            - 'TVoAAAAAAAAAAAAA'
            - 'TVpTAQEAAAAEAAAA'
    condition: selection
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "TVqQAAMAAAAEAAAA" or TargetProcessCommandLine contains "TVpQAAIAAAAEAA8A" or TargetProcessCommandLine contains "TVqAAAEAAAAEABAA" or TargetProcessCommandLine contains "TVoAAAAAAAAAAAAA" or TargetProcessCommandLine contains "TVpTAQEAAAAEAAAA"
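
As an added check that is not part of the SigmaHQ rule or this feed, the script below decodes the five patterns to confirm each is the start of a DOS ("MZ") header, applies the rule's contains logic to constructed sample command lines, and also shows a broader decode-then-inspect check (an assumption of this example, not something the rule does) that flags any base64 run whose decoded bytes begin with MZ even when the first 12 bytes differ from the five listed.

```python
import base64
import binascii
import re
# The five base64 prefixes from the Sigma rule above, copied verbatim.
MZ_B64_PATTERNS = [
    "TVqQAAMAAAAEAAAA",
    "TVpQAAIAAAAEAA8A",
    "TVqAAAEAAAAEABAA",
    "TVoAAAAAAAAAAAAA",
    "TVpTAQEAAAAEAAAA",
]

def decode_pattern(pattern: str) -> bytes:
    """Each pattern is 16 chars (a multiple of 4), so it decodes without padding."""
    return base64.b64decode(pattern)

def patterns_decode_to_mz() -> bool:
    """Sanity check: every pattern decodes to the first 12 bytes of a DOS header ('MZ')."""
    return all(decode_pattern(p)[:2] == b"MZ" and len(decode_pattern(p)) == 12
               for p in MZ_B64_PATTERNS)

def sigma_match(command_line: str) -> bool:
    """Literal translation of the rule: CommandLine|contains any of the five patterns."""
    return any(p in command_line for p in MZ_B64_PATTERNS)

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_mz_match(command_line: str) -> bool:
    """Broader check (an assumption, not part of the rule): decode every base64 run of
    16+ chars and flag it if the decoded bytes start with 'MZ', whatever follows."""
    for run in _B64_RUN.findall(command_line):
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob[:2] == b"MZ":
            return True
    return False

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = {
    "benign": 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    "rule_hit": "powershell.exe -enc TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA",
    "variant_only": "cmd.exe /c echo " + base64.b64encode(b"MZ" + b"\x01" * 14).decode(),
}

def evaluate(events: dict) -> dict:
    """Run both checks over each event; returns {name: (sigma_hit, decoded_hit)}."""
    return {name: (sigma_match(cl), decoded_mz_match(cl)) for name, cl in events.items()}
```

Running `evaluate(SAMPLE_EVENTS)` shows the "variant_only" event is caught only by the decode-then-inspect check, which is the kind of case to keep in mind when tuning this rule.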

Required Data Sources

Sentinel Table      Notes
imProcessCreate     Ensure this data connector is enabled

False Positive Guidance

The rule lists false positives as "Unlikely": a base64-encoded MZ header has little reason to appear in a legitimate process command line.

MITRE ATT&CK Context

Tactic: Execution (rule tag attack.execution). The rule carries no technique-level tag.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml