diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 857fc9490..bdeef5508 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -11,6 +11,7 @@
 - `search`コマンドに`--timeline-start/--timeline-end`オプションを追加した。 (#1543) (@fukuseket)
 - チャンネルフィルタリングで `logon-summary` コマンドの速度を大幅に改善した。 (#1544) (@fukusuket)
 - `extract-base64`コマンドが`PowerShell Classic EID 400`イベントも対象するようになった。 (#1549) (@fukusuket)
+- `extract-base64`コマンドがPowerShell Coreログにも対応した。 (#1558) (@fukusuket)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 475f0d74b..44ac452f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - Added `--timeline-start/--timeline-end` options to the `search` command. (#1543) (@fukuseket)
 - Significantly improved the speed of the `logon-summary` command with channel filtering. (#1544) (@fukusuket)
 - The `extract-base64` command now also works on `PowerShell Classic EID 400` events. (#1549) (@fukusuket)
+- The `extract-base64` command now also scans PowerShell Core logs as well. (#1558) (@fukusuket)
 **Bug Fixes:**
diff --git a/rules b/rules
index 762de3b97..5069db4b3 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 762de3b97c3e58dac6646ef0490b7c325676aed0
+Subproject commit 5069db4b3ed29b8daa99d7d9421deda64da2ac72
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 5054de996..64995ff77 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -1882,7 +1882,7 @@ pub struct ExtractBase64Option {
 #[clap(flatten)]
 pub input_args: InputOption,
- /// Extract Base64 strings.
+ /// Save results to a CSV file
 #[arg(help_heading = Some("Output"), short = 'o', long, value_name = "FILE", display_order = 410)]
 pub output: Option,
diff --git a/src/timeline/extract_base64.rs b/src/timeline/extract_base64.rs
index 71b20a264..a10b67e17 100644
--- a/src/timeline/extract_base64.rs
+++ b/src/timeline/extract_base64.rs
@@ -226,10 +226,16 @@ fn extract_payload(data: &Value) -> Vec<(Value, Event)> {
 values.push((v, Event::Sysmon1));
 let v = data["Event"]["EventData"]["ParentCommandLine"].clone();
 values.push((v, Event::Sysmon1));
- } else if ch == "Microsoft-Windows-PowerShell/Operational" && id == 4104 {
+ } else if (ch == "Microsoft-Windows-PowerShell/Operational"
+ || ch == "PowerShellCore/Operational")
+ && id == 4104
+ {
 let v = data["Event"]["EventData"]["ScriptBlockText"].clone();
 values.push((v, Event::PwSh4104));
- } else if ch == "Microsoft-Windows-PowerShell/Operational" && id == 4103 {
+ } else if (ch == "Microsoft-Windows-PowerShell/Operational"
+ || ch == "PowerShellCore/Operational")
+ && id == 4103
+ {
 let v = data["Event"]["EventData"]["Payload"].clone();
 values.push((v, Event::PwSh4103));
 } else if ch == "Windows PowerShell" && id == 400 {
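Review bot: The same two-channel test is now spelled out twice, once in the 4104 branch and once in the 4103 branch, so the next PowerShell channel added (or a typo fixed in one literal) has to be applied in two places; hoist it into one local before the `else if` chain, e.g. `let pwsh_operational = ch == "Microsoft-Windows-PowerShell/Operational" || ch == "PowerShellCore/Operational";`, and reduce the branches to `} else if pwsh_operational && id == 4104 {` and `} else if pwsh_operational && id == 4103 {`. The `let` binding form works whether `ch` is a `&str` or a `String`, which the hunk does not show. Since Core events are now tagged with the same `Event::PwSh4104`/`Event::PwSh4103` variants, a short doc comment on those variants saying they cover both the Windows PowerShell and PowerShellCore operational channels would keep downstream consumers from assuming the channel from the variant. `extract_payload` begins before this hunk and its remaining branches continue after it, so any existing unit test for the Core channel path is not visible here; if none exists, one fixture per new channel/ID pair would pin the behavior this commit adds.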