Query Details
//This query detects PowerShell commands used in Fake CAPTCHA Campaign
//Looks for suspicious encoded commands initiated by explorer.exe
let sus = dynamic(['http', 'ftp', 'Hidden', 'iex', '-e ', '-en', '-enc', '-enco', '-ec']);
DeviceRegistryEvents
| where InitiatingProcessFileName == "explorer.exe"
| where RegistryValueData has_any (sus) and RegistryValueData contains "powershell"
| project Timestamp, DeviceName, RegistryValueData, InitiatingProcessAccountName
This query is designed to identify potentially malicious PowerShell commands that are part of a Fake CAPTCHA Campaign. It specifically looks for suspicious encoded commands that are started by the "explorer.exe" process. Here's a breakdown of what the query does:
Define Suspicious Patterns: It sets up a list of suspicious patterns (like 'http', 'ftp', 'Hidden', 'iex', and various forms of PowerShell encoding flags like '-e', '-enc', etc.) that might indicate malicious activity.
Filter Events: It searches through device registry events to find entries where the process that initiated the event is "explorer.exe".
Check for Suspicious Commands: It further filters these events to find those where the registry value data contains any of the suspicious patterns and specifically includes the term "powershell".
Select Relevant Information: Finally, it selects and displays the timestamp of the event, the name of the device, the registry value data, and the account name of the user who initiated the process.
In simple terms, this query is looking for instances where the "explorer.exe" process is used to run potentially harmful PowerShell commands, which could be part of a phishing or malware campaign disguised as a CAPTCHA.
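To make the filter logic concrete, the following is an added Python emulation of the query above, run over a few constructed DeviceRegistryEvents rows; it is not part of the original query or the author's work. It assumes the sample values live under the Run-dialog history key (RunMRU), which the page itself does not name, and it approximates KQL semantics: `==` is case-sensitive, `contains` is a case-insensitive substring match, and `has_any` matches whole alphanumeric terms, so a value containing only `https://` is not hit by the `'http'` pattern. A small helper also decodes a `-enc` payload (UTF-16LE inside Base64) so an analyst can see what the matched command would run.

```python
import base64
import re
from dataclasses import dataclass

# Pattern list copied from the query on this page.
SUS = ['http', 'ftp', 'Hidden', 'iex', '-e ', '-en', '-enc', '-enco', '-ec']


@dataclass
class RegistryEvent:
    """Subset of DeviceRegistryEvents columns used by the query."""
    timestamp: str
    device_name: str
    registry_key: str
    initiating_process_file_name: str
    initiating_process_account_name: str
    registry_value_data: str


def _terms(text: str) -> list:
    # KQL indexes alphanumeric runs as terms; matching is case-insensitive.
    return re.findall(r'[a-z0-9]+', text.lower())


def kql_has_any(text: str, patterns: list) -> bool:
    """Approximation of KQL has_any: each pattern's term sequence must appear
    as a contiguous run of whole terms in the text (not a raw substring)."""
    tokens = _terms(text)
    for pattern in patterns:
        wanted = _terms(pattern)
        if not wanted:
            continue
        n = len(wanted)
        if any(tokens[i:i + n] == wanted for i in range(len(tokens) - n + 1)):
            return True
    return False


def kql_contains(text: str, needle: str) -> bool:
    """KQL contains: case-insensitive substring match."""
    return needle.lower() in text.lower()


def run_query(events: list) -> list:
    """Emulates the three-stage pipeline of the page's query and projects the
    same four columns."""
    results = []
    for ev in events:
        if ev.initiating_process_file_name != "explorer.exe":   # == is case-sensitive
            continue
        if not kql_has_any(ev.registry_value_data, SUS):
            continue
        if not kql_contains(ev.registry_value_data, "powershell"):
            continue
        results.append({
            "Timestamp": ev.timestamp,
            "DeviceName": ev.device_name,
            "RegistryValueData": ev.registry_value_data,
            "InitiatingProcessAccountName": ev.initiating_process_account_name,
        })
    return results


# -e / -ec / -en / -enc / -enco / -encodedcommand followed by a Base64 blob.
_ENC_RE = re.compile(r'-e(?:c|n|nc|nco|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(command_line: str):
    """Triage helper: return the UTF-16LE plaintext behind an -enc argument,
    or None if there is no well-formed encoded payload."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample rows (hypothetical hostnames, accounts and timestamps).
# The encoded payload is a harmless Write-Host built here, not captured data.
_B64 = base64.b64encode("Write-Host hello".encode('utf-16-le')).decode()
_RUNMRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    # Hidden-window encoded command pasted into the Run dialog: should match.
    RegistryEvent("2024-11-10T09:00:00Z", "ws-01", _RUNMRU, "explorer.exe", "alice",
                  f"powershell -w hidden -enc {_B64}\\1"),
    # Plain PowerShell with no suspicious term: contains "powershell" but fails has_any.
    RegistryEvent("2024-11-10T09:01:00Z", "ws-01", _RUNMRU, "explorer.exe", "alice",
                  "powershell Get-Date\\1"),
    # Ordinary Run-dialog entry: fails both filters.
    RegistryEvent("2024-11-10T09:02:00Z", "ws-02", _RUNMRU, "explorer.exe", "bob",
                  "notepad.exe\\1"),
    # Same suspicious value but written by cmd.exe: excluded by the initiating-process filter.
    RegistryEvent("2024-11-10T09:03:00Z", "ws-03", _RUNMRU, "cmd.exe", "carol",
                  f"powershell -w hidden -enc {_B64}\\1"),
]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(hit)
        print("  decoded:", decode_encoded_command(hit["RegistryValueData"]))
```

Only the first row survives all three filters; decoding its payload yields the constructed `Write-Host hello`. The term-based `has_any` approximation is the point to keep in mind when tuning the pattern list: broad tokens such as `http` or a bare `e` will hit many benign values, while a value that only contains `https://` is not caught by `'http'`.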

Ammar Alawaidi
Released: November 10, 2024