Suspicious Base64 Encoded IP in Command Line

Rule Info

Name
Suspicious Base64 Encoded IP in Command Line
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects processes whose command line contains a base64-encoded IP address, which may indicate obfuscation or evasion. Threat actors often host their secondary payloads directly on IP addresses, typically their C&C servers or other hosting infrastructure, and a common dropper technique is to download and execute such a payload from that IP address. To hide the command line from casual scrutiny, they may base64-encode the script or the command-line arguments that perform the download and execution, so the IP address never appears in cleartext.
Reference
Internal Research
Date
2026-02-04 00:00:00
Modified
None
Id
7a06500a-4808-4beb-bf57-c3d13ecc864b
Tags
attack.defense-evasion attack.t1027 attack.command-and-control
Type
Nextron Sigma feed only (private)

Rule History