Query Details

Encoded Powershell Executions by Device

Power Shell Encoded Commands By Device

Query

let EncodedList = dynamic(['-encodedcommand', '-enc']); 
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| where not(isempty(base64String) and isempty(DecodedCommandLine))
| summarize TotalEncodedExecutions = count() by DeviceName
| sort by TotalEncodedExecutions

About this query

Encoded Powershell Executions by Device

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1027Obfuscated Files or Informationhttps://attack.mitre.org/techniques/T1027/

Defender XDR

let EncodedList = dynamic(['-encodedcommand', '-enc']); 
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| where not(isempty(base64String) and isempty(DecodedCommandLine))
| summarize TotalEncodedExecutions = count() by DeviceName
| sort by TotalEncodedExecutions

Sentinel

Explanation

This query is designed to identify and summarize the execution of encoded PowerShell commands on devices within a specified timeframe. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to detect potentially suspicious activity by identifying PowerShell commands that have been encoded, which is a common technique used to obfuscate malicious actions.

  2. Technique Reference: It references the MITRE ATT&CK technique T1027, which involves obfuscating files or information to evade detection.

  3. Timeframe: The query looks at events from the past 48 hours, but this can be adjusted to cover different periods.

  4. Data Source: It examines DeviceProcessEvents to find processes involving PowerShell.

  5. Encoded Commands: It specifically searches for PowerShell commands that include certain flags (-encodedcommand, -enc) which indicate that the command is encoded.

  6. Decoding: The query attempts to extract and decode the base64-encoded portion of the command to understand what the encoded command is doing.

  7. Filtering: It filters out any entries where both the encoded string and its decoded version are empty, ensuring only meaningful results are considered.

  8. Summarization: The results are summarized by counting the total number of encoded PowerShell executions per device.

  9. Sorting: Finally, it sorts the devices based on the number of encoded executions, likely to prioritize investigation on devices with higher counts.

This query is useful for security analysts to detect and investigate potential misuse of PowerShell through encoded commands, which could indicate malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

letdynamicagocontainsorhas_anyextendextractbase64_decode_tostringisemptynotsummarizecountbysort

MITRE Techniques

Actions

GitHub