Query Details
// Goal is to catch powershell and bash obfuscation techniques. Mostly powershell.
// If the intention is to use this as a detection, it will most likely need to be tuned to your environment, but it has been successful in mine through multiple tests.
// If you have questions or recommendations, please email me at [email protected]
DeviceProcessEvents
| where ProcessCommandLine matches regex @"'[^']+'\s*\+\s*'[^']+'" or // Checking for 'A'+'B' style obfuscation
    ProcessCommandLine matches regex @'"[^"]+"\s*\+\s*"[^"]+"' or // Checking for "A"+"B" style obfuscation
    ProcessCommandLine matches regex @"(?i)\.replace\s*\(" // Checking for .Replace( obfuscation; the dot is escaped so it matches a literal ".", and (?i) is set because PowerShell method names are case-insensitive
| project Timestamp, AccountName, InitiatingProcessFileName, ProcessCommandLine, DeviceId, ReportId
| sort by Timestamp desc
This KQL (Kusto Query Language) query is designed to detect potential obfuscation techniques used in PowerShell and Bash scripts, with a primary focus on PowerShell. Here's a simplified breakdown of what the query does:
Source Table: It starts by looking at the DeviceProcessEvents table, which contains information about processes running on devices.
Obfuscation Detection: The query filters for specific patterns in the ProcessCommandLine field that are indicative of obfuscation techniques:
- 'A'+'B' or "A"+"B", where strings are split and joined together, which is a common obfuscation method.
- The .Replace method, which can be used to alter strings in a way that hides the true intent of the script.
Data Projection: After identifying potential obfuscation, the query selects specific columns to display: Timestamp, AccountName, InitiatingProcessFileName, ProcessCommandLine, DeviceId, and ReportId.
Sorting: Finally, the results are sorted by Timestamp in descending order, so the most recent events appear first.
The query is intended to be a starting point for detecting obfuscation and may need to be adjusted to fit specific environments. The author also invites feedback or questions via email.
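To test the query's logic offline before deploying it, the following added example (not part of the original query or its author's work) runs the same three patterns over a few constructed ProcessCommandLine values in Python, whose regex syntax here is also valid RE2, and mimics the project/sort steps. It assumes the Replace pattern has its dot escaped and is case-insensitive; the page's original unescaped pattern is kept alongside to show the false positive that escaping avoids.

```python
import re

# The query's three patterns. Assumption on top of the page's version: the dot
# before Replace is escaped so it matches a literal ".", and (?i) is set
# because PowerShell method names are case-insensitive.
PATTERNS = {
    "single_quote_concat": re.compile(r"'[^']+'\s*\+\s*'[^']+'"),
    "double_quote_concat": re.compile(r'"[^"]+"\s*\+\s*"[^"]+"'),
    "replace_call": re.compile(r"(?i)\.replace\s*\("),
}
# The page's original Replace pattern, kept only to show why the dot needs escaping.
ORIGINAL_REPLACE = re.compile(r".Replace\s*\(")

def classify(command_line: str) -> list[str]:
    """Names of the patterns that fire on one ProcessCommandLine value."""
    return [name for name, rx in PATTERNS.items() if rx.search(command_line)]

def run_detection(events: list[dict]) -> list[dict]:
    """Mimic the query: filter on the patterns, project a few columns, sort newest first."""
    hits = []
    for ev in events:
        matched = classify(ev["ProcessCommandLine"])
        if matched:
            hits.append({
                "Timestamp": ev["Timestamp"],
                "AccountName": ev["AccountName"],
                "ProcessCommandLine": ev["ProcessCommandLine"],
                "Matched": matched,
            })
    # ISO-8601 timestamps sort correctly as strings, like 'sort by Timestamp desc'.
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2025-06-25T10:00:00Z", "AccountName": "alice",
     "ProcessCommandLine": "powershell.exe -c $n='Get-'+'Date'; & $n"},
    {"Timestamp": "2025-06-25T10:05:00Z", "AccountName": "bob",
     "ProcessCommandLine": 'powershell.exe -c Write-Output ("Hel" + "lo")'},
    {"Timestamp": "2025-06-25T10:10:00Z", "AccountName": "carol",
     "ProcessCommandLine": "powershell.exe -c 'abc'.replace('a','z')"},
    {"Timestamp": "2025-06-25T10:15:00Z", "AccountName": "SYSTEM",
     "ProcessCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Timestamp": "2025-06-25T10:20:00Z", "AccountName": "dave",
     "ProcessCommandLine": r"notepad.exe C:\Temp\MyReplace(1).txt"},  # benign
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["AccountName"], hit["Matched"])
```

The lowercase `.replace(` sample only fires because of `(?i)`; the original case-sensitive pattern would miss it, while the unescaped dot would wrongly fire on the `MyReplace(1).txt` path.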

Steven Lim
Released: June 25, 2025