Encoded Powershell Commands With Web Request
Power Shell Encoded Web Requests
Query
let EncodedList = dynamic(['-encodedcommand', '-enc']);
// For more results use line below en filter one above. This will also return more FPs.
// let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
let DownloadVariables = dynamic(['WebClient', 'DownloadFile', 'DownloadData', 'DownloadString', 'WebRequest', 'Shellcode', 'http', 'https']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (DownloadVariables)
| project-reorder
Timestamp,
ActionType,
DecodedCommandLineReplaceEmptyPlaces,
ProcessCommandLine,
InitiatingProcessCommandLine,
DeviceName,
AccountName,
AccountDomainAbout this query
Explanation
This query is designed to detect potentially malicious activity involving PowerShell, a powerful scripting language often used in Windows environments. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify instances where PowerShell is used to execute encoded commands that include web requests. This is a common technique used by attackers to download malicious payloads while trying to evade detection.
-
Technique: The query focuses on encoded PowerShell commands, which are often used to hide the true intent of the script. It specifically looks for commands that include certain keywords related to downloading content from the web, such as "WebClient", "DownloadFile", "http", and "https".
-
Time Frame: The query examines events that have occurred within the last 48 hours, but this time frame can be adjusted as needed.
-
Process:
- It searches for processes where PowerShell is invoked.
- It checks if the command line includes encoded commands.
- It decodes these commands from Base64 format to reveal their actual content.
- It filters out any decoded commands that do not contain web-related keywords.
- Finally, it organizes the results to display relevant information such as the timestamp, action type, decoded command, and details about the device and account involved.
-
Output: The query outputs a list of potentially suspicious PowerShell activities, providing details that can help in further investigation or response actions.
Overall, this query is a tool for security analysts to detect and investigate potential PowerShell-based attacks that involve downloading malicious content from the internet.
