TTP Detection Rule: PowerShell -encodedcommand switch
Ttp T1027 010 Powershell Encoded Command
Query
//this will be noisy and no good for a SIEM analytic
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-e","-en","-enc","-enco","-encod","-encode","-encoded","-encodedc","-encodedco","-encodedcom","-encodedcomm","-encodedcomma","-encodedcomman","-encodedcommand")About this query
Explanation
This query is designed to detect the use of PowerShell's -encodedcommand switch, which is often used by attackers to obfuscate commands and evade security defenses. The query looks for any instances where the PowerShell executable (powershell.exe) is run with command-line arguments that match various forms of the -encodedcommand switch. This includes both the full switch and its abbreviated forms, such as -e, -en, -enc, and so on.
The query is applied to a dataset of device process events, specifically looking for processes where the command line includes any of these variations. The purpose is to identify potentially malicious activity associated with known threat actors like FIN7, ZLoader, and FakeBat, who have been observed using this technique.
However, the note in the query comments suggests that this approach might generate a lot of noise, meaning it could produce many false positives and may not be suitable for use in a Security Information and Event Management (SIEM) system without further refinement.
