Encoded Powershell Commands That Have Potentially Performed Recon Activities
Power Shell Encoded Recon Activities
Query
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let ReconVariables = dynamic(['Get-ADGroupMember', 'Get-ADComputer', 'Get-ADUser', 'Get-NetGPOGroup', 'net user', 'whoami', 'net group', 'hostname', 'netsh firewall', 'tasklist', 'arp', 'systeminfo']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
// Search in the decoded commandline for Recon variables
| where DecodedCommandLineReplaceEmptyPlaces has_any (ReconVariables)
| project-reorder
Timestamp,
ActionType,
DecodedCommandLineReplaceEmptyPlaces,
ProcessCommandLine,
InitiatingProcessCommandLine,
DeviceName,
AccountName,
AccountDomainAbout this query
Explanation
This query is designed to detect potentially suspicious PowerShell activities that might be used for reconnaissance purposes. Here's a simplified breakdown:
-
Purpose: The query aims to identify encoded PowerShell commands that could be used to gather information about systems or Active Directory (AD) environments. This is often done by attackers to evade detection.
-
Techniques: It focuses on two MITRE ATT&CK techniques:
- T1027: Obfuscated Files or Information, which involves hiding the true intent of a command.
- T1087.004: Account Discovery: Cloud Account, which involves discovering user accounts.
-
How It Works:
- Encoded Commands: The query looks for PowerShell commands that are encoded, using flags like
-encodedcommandor-enc. - Reconnaissance Activities: It searches for specific PowerShell commands that are typically used for reconnaissance, such as
Get-ADUser,net user,whoami, etc. - Time Frame: It examines events from the past 48 hours, but this can be adjusted.
- Encoded Commands: The query looks for PowerShell commands that are encoded, using flags like
-
Process:
- It filters events to find those involving PowerShell.
- It checks if these events include encoded commands.
- It decodes these commands to see if they contain any reconnaissance-related activities.
- It then lists relevant details like the time, action type, decoded command, device name, and account information.
-
Output: The query provides a list of potentially suspicious PowerShell activities, helping security teams to investigate further.
This query is useful for identifying stealthy reconnaissance activities that might indicate a security breach or the presence of an adversary in the network.
