Power Shell Encoded Commands By Device

# Encoded Powershell Executions by Device

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1027 | Obfuscated Files or Information | https://attack.mitre.org/techniques/T1027/ |

## Defender For Endpoint
```kql
// Flags that mark an encoded PowerShell command; matched as whole terms, case-insensitively.
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results, use the line below and filter out the one above. This will also return more FPs,
// because PowerShell accepts any unambiguous prefix of -EncodedCommand (including -e).
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let TimeFrame = 48h; // Customizable: h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
// Take the trailing argument that starts with at least 20 Base64 characters.
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
// Note: base64_decode_tostring() decodes as UTF-8, while -EncodedCommand payloads are UTF-16LE,
// so the decoded text may show a NUL after each character.
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| where not(isempty(base64String) and isempty(DecodedCommandLine))
| summarize TotalEncodedExecutions = count() by DeviceName
| sort by TotalEncodedExecutions
```
## Sentinel
```kql
// Flags that mark an encoded PowerShell command; matched as whole terms, case-insensitively.
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results, use the line below and filter out the one above. This will also return more FPs,
// because PowerShell accepts any unambiguous prefix of -EncodedCommand (including -e).
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let TimeFrame = 48h; // Customizable: h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
// Take the trailing argument that starts with at least 20 Base64 characters.
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
// Note: base64_decode_tostring() decodes as UTF-8, while -EncodedCommand payloads are UTF-16LE,
// so the decoded text may show a NUL after each character.
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| where not(isempty(base64String) and isempty(DecodedCommandLine))
| summarize TotalEncodedExecutions = count() by DeviceName
| sort by TotalEncodedExecutions
```

## Explanation

This query identifies encoded PowerShell executions per device. It selects process events where the process command line or the initiating process command line contains "powershell" and also contains one of the listed encoded-command flags. It then extracts the Base64 string from the command line and decodes it to recover the original PowerShell command. Finally, it counts the encoded executions for each device and sorts the results by that count, highest first. The time frame is customizable.
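The same filter chain, re-implemented in Python over constructed sample events so the logic can be checked offline. This is an added example, not part of the original query or its author's code; the device names and scripts are hypothetical, and the decoder uses UTF-16LE, which is what PowerShell's -EncodedCommand actually expects.

```python
import base64
import re
from collections import Counter

# Same flag list and regex as the KQL query above.
ENCODED_FLAGS = {"-encodedcommand", "-enc"}
BASE64_RE = re.compile(r"\s+([A-Za-z0-9+/]{20}\S+$)")


def to_encoded_arg(script: str) -> str:
    # PowerShell expects Base64 over the UTF-16LE bytes of the script.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (hypothetical device names, benign scripts).
SAMPLE_EVENTS = [
    {"DeviceName": "WS01", "ProcessCommandLine": "powershell.exe -NoProfile -EncodedCommand " + to_encoded_arg("Get-Process")},
    {"DeviceName": "WS01", "ProcessCommandLine": "powershell.exe -enc " + to_encoded_arg("Get-Date")},
    {"DeviceName": "WS02", "ProcessCommandLine": "powershell.exe -Command Get-Service"},
    {"DeviceName": "WS02", "ProcessCommandLine": "cmd.exe /c whoami"},
    # '-e' is a valid prefix of -EncodedCommand but is not in ENCODED_FLAGS, so it is skipped (the FP trade-off noted in the query).
    {"DeviceName": "WS03", "ProcessCommandLine": "PowerShell -e " + to_encoded_arg("Get-Date")},
]


def has_encoded_flag(cmdline: str) -> bool:
    # Approximates KQL has_any: case-insensitive match on whole whitespace-delimited tokens.
    return any(tok.lower() in ENCODED_FLAGS for tok in cmdline.split())


def extract_base64(cmdline: str):
    # Mirrors extract(): the trailing token that starts with 20+ Base64 characters.
    m = BASE64_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str):
    # Decode as UTF-16LE; KQL's base64_decode_tostring() assumes UTF-8 and
    # would leave a NUL after every character of an -EncodedCommand payload.
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def count_encoded_executions(events):
    # Same filter chain as the query: "powershell" in the command line, an encoded
    # flag present, a Base64 blob extracted; then count per device, highest first.
    counts = Counter()
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if "powershell" in cmd.lower() and has_encoded_flag(cmd) and extract_base64(cmd):
            counts[ev["DeviceName"]] += 1
    return counts.most_common()
```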

## Details

Author: Bert-Jan Pals

Released: September 13, 2023

## Tables

DeviceProcessEvents