Query Details

Powershell Suspicious Strings

Query

Query:
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("Net.WebClient","DownloadFile","Invoke-WebRequest", "Invoke-Shellcode", "http","IEX","BitsTransfer","mpcmdrun.exe","downloadstring","Invoke-Expression","Invoke","-e","[System.Convert]::FromBase64String()", "-en","-noni", "-nop", "mimikatz")
| where InitiatingProcessFileName != @"CcmExec.exe"
| where InitiatingProcessVersionInfoCompanyName != @"Slack Technologies Inc."
| where InitiatingProcessVersionInfoFileDescription != @"Snow Inventory Agent for Windows"

Explanation

The query searches DeviceProcessEvents for rows where FileName is "powershell.exe" or "powershell_ise.exe" (in~ is a case-insensitive match). It then keeps only rows whose ProcessCommandLine contains any of the listed keywords (has_any is also case-insensitive). Finally, three separate exclusions drop rows where the InitiatingProcessFileName is "CcmExec.exe", where the InitiatingProcessVersionInfoCompanyName is "Slack Technologies Inc.", or where the InitiatingProcessVersionInfoFileDescription is "Snow Inventory Agent for Windows"; matching any one of these exclusions is enough to remove the row.
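To show how the three filter stages compose, here is an added Python approximation of the query run over constructed sample rows; it is not part of the original page. It assumes events are dicts keyed by the DeviceProcessEvents column names the query uses, and approximates has_any and in~ with case-insensitive substring and equality checks.

```python
"""Offline approximation of the Powershell Suspicious Strings query (added example).
Assumptions: events are dicts keyed by the DeviceProcessEvents columns the query
uses; has_any / in~ are approximated by case-insensitive substring / equality
checks (KQL has_any is term-based, so short keywords like "-e" may differ)."""

SUSPICIOUS = ["Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode",
              "http", "IEX", "BitsTransfer", "mpcmdrun.exe", "downloadstring",
              "Invoke-Expression", "Invoke", "-e", "[System.Convert]::FromBase64String()",
              "-en", "-noni", "-nop", "mimikatz"]
POWERSHELL = {"powershell.exe", "powershell_ise.exe"}  # FileName in~ (...), case-insensitive
# The three != exclusions; KQL != is case-sensitive, so exact comparison is used.
EXCLUSIONS = {"InitiatingProcessFileName": "CcmExec.exe",
              "InitiatingProcessVersionInfoCompanyName": "Slack Technologies Inc.",
              "InitiatingProcessVersionInfoFileDescription": "Snow Inventory Agent for Windows"}

def matched_keywords(command_line: str) -> list:
    """Keywords from the has_any list found in the command line, in list order."""
    lowered = command_line.lower()
    return [k for k in SUSPICIOUS if k.lower() in lowered]

def matches(event: dict) -> bool:
    """True if the event survives every where-clause of the query."""
    if event.get("FileName", "").lower() not in POWERSHELL:
        return False
    if not matched_keywords(event.get("ProcessCommandLine", "")):
        return False
    # Each exclusion is its own where-clause: matching any one of them drops the row.
    return not any(event.get(col) == val for col, val in EXCLUSIONS.items())

def run_query(events: list) -> list:
    """Return the events the query would surface, in input order."""
    return [e for e in events if matches(e)]

# Constructed sample rows (not real telemetry); the base64 is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA"},
    {"id": 2, "FileName": "powershell.exe", "InitiatingProcessFileName": "CcmExec.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"id": 3, "FileName": "cmd.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "cmd.exe /c curl http://intranet.example/report"},
    {"id": 4, "FileName": "powershell.exe", "InitiatingProcessFileName": "slack.exe",
     "InitiatingProcessVersionInfoCompanyName": "Slack Technologies Inc.",
     "ProcessCommandLine": "powershell.exe -NoProfile -Command Invoke-WebRequest https://updates.example"},
    {"id": 5, "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe Get-Process | Out-File C:\\temp\\procs.txt"},
]

if __name__ == "__main__":
    for e in run_query(SAMPLE_EVENTS):
        print(e["id"], matched_keywords(e["ProcessCommandLine"]))
```

Row 2 shows why the exclusions matter: the short keyword "-e" hits the benign "-ExecutionPolicy" switch, and only the CcmExec.exe parent exclusion keeps it out of the results.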

Details

Ali Hussein

Released: December 4, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,FileName,ProcessCommandLine,Net.WebClient,DownloadFile,Invoke-WebRequest,Invoke-Shellcode,http,IEX,BitsTransfer,mpcmdrun.exe,downloadstring,Invoke-Expression,Invoke,[System.Convert]::FromBase64String(),-en,-noni,-nop,mimikatz,InitiatingProcessFileName,CcmExec.exe,InitiatingProcessVersionInfoCompanyName,SlackTechnologiesInc.,InitiatingProcessVersionInfoFileDescription,SnowInventoryAgentforWindows

Operators

in~, where, has_any, !=, @"", |