Adversaries are leveraging base64-encoded PowerShell commands to execute malicious payloads, a common tactic in the Nobelium campaign for initial access and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
| where FileName =~ "powershell.exe"
// Extract base64 encoded string, ensure valid base64 length
| extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)
| extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)
| extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(base64_extracted)))
//
| where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'
```
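To make the extract / substring / decode chain of the query above concrete, here is an added Python example (not part of the original query or the Microsoft rule) that mirrors each step over constructed DeviceProcessEvents-style records; the scripts, parent process names and command lines in the sample records are constructed test data. It also surfaces a coverage caveat a rule owner should know: the final `matches regex '[0-9]'` clause silently drops short encoded commands whose base64 happens to contain no digit.

```python
import base64
import re

# Same pattern as the query's extract(): a run of 20+ base64 characters plus up to three '='.
B64_RUN = re.compile(r"([A-Za-z0-9+/]{20,}[=]{0,3})")

def extract_candidate(command_line):
    """Mirror extract() + substring(): take the first base64-looking run and cut it
    to a multiple of four characters so the decoder never sees a partial group."""
    m = B64_RUN.search(command_line)
    if not m:
        return ""
    run = m.group(1)
    return run[: (len(run) // 4) * 4]

def decode_candidate(candidate):
    r"""Mirror base64_decode_toarray() -> make_string() -> replace(@'\0', '').
    -EncodedCommand payloads are UTF-16LE, so ASCII text arrives as 'c\x00c\x00...';
    dropping the NUL bytes is what makes the base64_decoded column readable."""
    try:
        raw = base64.b64decode(candidate)
    except ValueError:  # e.g. a run that truncates to 'xxxx===' is not valid base64
        return ""  # this example maps undecodable input to an empty string
    return raw.replace(b"\x00", b"").decode("latin-1")

def matches_query(event):
    """Apply the query's where clauses to one DeviceProcessEvents-shaped record."""
    if event["InitiatingProcessFileName"].lower() != "solarwinds.businesslayerhost.exe":
        return False
    if event["FileName"].lower() != "powershell.exe":
        return False
    cand = extract_candidate(event["ProcessCommandLine"])
    # '[A-Z]' and '[0-9]' are case-sensitive in KQL's matches regex, as re.search is here
    return bool(cand) and bool(re.search(r"[A-Z]", cand)) and bool(re.search(r"[0-9]", cand))

def sample_event(script, parent="SolarWinds.BusinessLayerHost.exe"):
    """Constructed record: a PowerShell child of `parent` whose command line carries
    `script` the way -EncodedCommand expects it, base64 over UTF-16LE."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return {
        "InitiatingProcessFileName": parent,
        "FileName": "powershell.exe",
        "ProcessCommandLine": f"powershell.exe -NoProfile -EncodedCommand {encoded}",
    }

if __name__ == "__main__":
    for text in ("Get-Date | Out-File", "Get-Date"):  # the second has no digit in its base64
        ev = sample_event(text)
        print(matches_query(ev), decode_candidate(extract_candidate(ev["ProcessCommandLine"])))
```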
```yaml
id: fd25665b-9376-4c38-b046-76757eff0e40
name: launching-base64-powershell[Nobelium]
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query detects events when SolarWinds processes launched PowerShell commands that were possibly encoded in Base64. Attackers may encode PowerShell commands in Base64 to obfuscate malicious activity.
  More Nobelium-related queries are listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Defense evasion
tags:
  - Nobelium
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
  | where FileName =~ "powershell.exe"
  // Extract base64 encoded string, ensure valid base64 length
  | extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)
  | extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)
  | extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(base64_extracted)))
  //
  | where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate PowerShell Script Execution | A system administrator runs a legitimate PowerShell script that includes base64-encoded content as part of a standard maintenance task. | process.parent_process_name:"Windows PowerShell" or process.parent_process_path:"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" |
| Scheduled Job with Base64 Encoded Payload | A scheduled task is configured to execute a base64-decoded PowerShell script as part of a regular system update or patching process. | process.name:"schtasks.exe" or process.parent_process_name:"schtasks.exe" |
| Admin Task Using Base64 for Encoding/Decoding | A system administrator uses PowerShell to encode or decode data using base64 as part of a data transfer or encoding task. | process.name:"powershell.exe" and process.user:"Administrator" and event_id:4688 |
| PowerShell Module Import with Base64 Content | A PowerShell module is imported that contains base64-encoded content as part of its module structure, which is common in some enterprise tools. | process.name:"powershell.exe" and event_id:4104 and process.command_line:"Import-Module" |
| Base64 Encoding in Log Analysis Tool | A log analysis tool or SIEM system uses base64 encoding to store or transmit log data, which may trigger the rule due to the presence of base64 strings. | process.name:"logparser.exe" or process.name:"splunkd.exe" or process.name:"eventvwr.exe" |