Encoded Powershell Executions by Device
Power Shell Encoded Commands By Device
Query
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| where not(isempty(base64String) and isempty(DecodedCommandLine))
| summarize TotalEncodedExecutions = count() by DeviceName
| sort by TotalEncodedExecutionsAbout this query
Encoded Powershell Executions by Device
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1027 | Obfuscated Files or Information | https://attack.mitre.org/techniques/T1027/ |
Defender XDR
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| where not(isempty(base64String) and isempty(DecodedCommandLine))
| summarize TotalEncodedExecutions = count() by DeviceName
| sort by TotalEncodedExecutions
Sentinel
Explanation
This query is designed to identify and summarize the execution of encoded PowerShell commands on devices within a specified timeframe. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to detect potentially suspicious activity by identifying PowerShell commands that have been encoded, which is a common technique used to obfuscate malicious actions.
-
Technique Reference: It references the MITRE ATT&CK technique T1027, which involves obfuscating files or information to evade detection.
-
Timeframe: The query looks at events from the past 48 hours, but this can be adjusted to cover different periods.
-
Data Source: It examines
DeviceProcessEventsto find processes involving PowerShell. -
Encoded Commands: It specifically searches for PowerShell commands that include certain flags (
-encodedcommand,-enc) which indicate that the command is encoded. -
Decoding: The query attempts to extract and decode the base64-encoded portion of the command to understand what the encoded command is doing.
-
Filtering: It filters out any entries where both the encoded string and its decoded version are empty, ensuring only meaningful results are considered.
-
Summarization: The results are summarized by counting the total number of encoded PowerShell executions per device.
-
Sorting: Finally, it sorts the devices based on the number of encoded executions, likely to prioritize investigation on devices with higher counts.
This query is useful for security analysts to detect and investigate potential misuse of PowerShell through encoded commands, which could indicate malicious activity.
