Query Details

Encoded Powershell Commands That Have Potentially Performed Recon Activities

Power Shell Encoded Recon Activities

Query

let EncodedList = dynamic(['-encodedcommand', '-enc']); 
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let ReconVariables = dynamic(['Get-ADGroupMember', 'Get-ADComputer', 'Get-ADUser', 'Get-NetGPOGroup', 'net user', 'whoami', 'net group', 'hostname', 'netsh firewall', 'tasklist', 'arp', 'systeminfo']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
// Search in the decoded commandline for Recon variables
| where DecodedCommandLineReplaceEmptyPlaces has_any (ReconVariables)
| project-reorder 
     Timestamp,
     ActionType,
     DecodedCommandLineReplaceEmptyPlaces,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     DeviceName,
     AccountName,
     AccountDomain

About this query

Explanation

This query is designed to detect potentially suspicious PowerShell activities that might be used for reconnaissance purposes. Here's a simplified breakdown:

  1. Purpose: The query aims to identify encoded PowerShell commands that could be used to gather information about systems or Active Directory (AD) environments. This is often done by attackers to evade detection.

  2. Techniques: It focuses on two MITRE ATT&CK techniques:

    • T1027: Obfuscated Files or Information, which involves hiding the true intent of a command.
    • T1087.004: Account Discovery: Cloud Account, which involves discovering user accounts.
  3. How It Works:

    • Encoded Commands: The query looks for PowerShell commands that are encoded, using flags like -encodedcommand or -enc.
    • Reconnaissance Activities: It searches for specific PowerShell commands that are typically used for reconnaissance, such as Get-ADUser, net user, whoami, etc.
    • Time Frame: It examines events from the past 48 hours, but this can be adjusted.
  4. Process:

    • It filters events to find those involving PowerShell.
    • It checks if these events include encoded commands.
    • It decodes these commands to see if they contain any reconnaissance-related activities.
    • It then lists relevant details like the time, action type, decoded command, device name, and account information.
  5. Output: The query provides a list of potentially suspicious PowerShell activities, helping security teams to investigate further.

This query is useful for identifying stealthy reconnaissance activities that might indicate a security breach or the presence of an adversary in the network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DevicesUsersAccountsProcessesSystems

Operators

letdynamicagocontainshas_anyextendextractbase64_decode_tostringreplace_stringisnotemptywhereproject-reorderproject

MITRE Techniques

Actions

GitHub