Query Details
Power Shell Encoded Web Requests
Query
# Encoded Powershell Commands With Web Request
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1134.002 | Access Token Manipulation: Create Process with Token |Access Token Manipulation: Create Process with Token|
#### Description
PowerShell can be used to retrieve the payload of malware. This can also be done with encoded powershell commands to evade detection. This query lists all encoded powershell executions that contain web requests.
#### Risk
An advasary uses an encoded PowerShell command to collect a payload.
#### References
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://community.sophos.com/sophos-labs/b/blog/posts/decoding-malicious-powershell
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks
## Defender For Endpoint
```
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let DownloadVariables = dynamic(['WebClient', 'DownloadFile', 'DownloadData', 'DownloadString', 'WebRequest', 'Shellcode', 'http', 'https']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (DownloadVariables)
| project-reorder
Timestamp,
ActionType,
DecodedCommandLineReplaceEmptyPlaces,
ProcessCommandLine,
InitiatingProcessCommandLine,
DeviceName,
AccountName,
AccountDomain
```
## Sentinel
```
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let DownloadVariables = dynamic(['WebClient', 'DownloadFile', 'DownloadData', 'DownloadString', 'WebRequest', 'Shellcode', 'http', 'https']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (DownloadVariables)
| project
TimeGenerated,
ActionType,
DecodedCommandLineReplaceEmptyPlaces,
ProcessCommandLine,
InitiatingProcessCommandLine,
DeviceName,
AccountName,
AccountDomain
```
Explanation
This query is used to identify encoded PowerShell commands that contain web requests. It searches for processes with PowerShell in their command line and extracts the encoded commands. It then decodes and analyzes the commands to identify any web requests made. The query returns information such as the timestamp, action type, decoded command line, process command line, initiating process command line, device name, account name, and account domain. The purpose of this query is to detect and investigate potential malicious activity involving encoded PowerShell commands and web requests.
Details
Bert-Jan Pals
Released: September 16, 2023
Tables
DeviceProcessEvents
Keywords
Devices,Intune,User,EncodedPowershellCommands,WebRequest
Operators
- dynamic
- where
- contains
- has_any
- extend
- extract
- base64_decode_tostring
- replace_string
- isnotempty
- project-reorder (Defender For Endpoint)
- project (Sentinel)
- Timestamp (Defender For Endpoint)
- TimeGenerated (Sentinel)
- ActionType
- DecodedCommandLineReplaceEmptyPlaces
- ProcessCommandLine
- InitiatingProcessCommandLine
- DeviceName
- AccountName
- AccountDomain