Query Details

Encoded Powershell Commands With Web Request

Power Shell Encoded Web Requests

Query

let EncodedList = dynamic(['-encodedcommand', '-enc']); 
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let DownloadVariables = dynamic(['WebClient', 'DownloadFile', 'DownloadData', 'DownloadString', 'WebRequest', 'Shellcode', 'http', 'https']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (DownloadVariables)
| project-reorder 
     Timestamp,
     ActionType,
     DecodedCommandLineReplaceEmptyPlaces,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     DeviceName,
     AccountName,
     AccountDomain

About this query

Explanation

This query is designed to detect potentially malicious activity involving PowerShell, a powerful scripting language often used in Windows environments. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify instances where PowerShell is used to execute encoded commands that include web requests. This is a common technique used by attackers to download malicious payloads while trying to evade detection.

  2. Technique: The query focuses on encoded PowerShell commands, which are often used to hide the true intent of the script. It specifically looks for commands that include certain keywords related to downloading content from the web, such as "WebClient", "DownloadFile", "http", and "https".

  3. Time Frame: The query examines events that have occurred within the last 48 hours, but this time frame can be adjusted as needed.

  4. Process:

    • It searches for processes where PowerShell is invoked.
    • It checks if the command line includes encoded commands.
    • It decodes these commands from Base64 format to reveal their actual content.
    • It filters out any decoded commands that do not contain web-related keywords.
    • Finally, it organizes the results to display relevant information such as the timestamp, action type, decoded command, and details about the device and account involved.
  5. Output: The query outputs a list of potentially suspicious PowerShell activities, providing details that can help in further investigation or response actions.

Overall, this query is a tool for security analysts to detect and investigate potential PowerShell-based attacks that involve downloading malicious content from the internet.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

letdynamicagocontainshas_anyextendextractbase64_decode_tostringreplace_stringisnotemptywhereproject-reorderproject

MITRE Techniques

Actions

GitHub