Query Details

Suspicious Encoded Powershell

Query

let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs
let ReconVariables = dynamic(['Get-ADGroupMember', 'Get-ADComputer', 'Get-ADUser', 'Get-NetGPOGroup', 'net user', 'whoami', 'net group', 'hostname', 'netsh firewall', 'tasklist', 'arp', 'systeminfo']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (ReconVariables)
| project
     TimeGenerated,
     ActionType,
     DecodedCommandLineReplaceEmptyPlaces,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     DeviceName,
     AccountName,
     AccountDomain

About this query

Explanation

This query is designed to help identify and investigate suspicious use of encoded PowerShell commands on devices within a network. Here's a simple breakdown of what each step does:

Step 1: List Devices Executing Encoded PowerShell

  • Purpose: Identify devices that run encoded PowerShell commands, which might indicate suspicious activity.
  • How: The query checks for PowerShell commands that include specific encoding flags (like -encodedcommand or -enc) within the last 48 hours. It counts how many encoded commands each device has executed and lists them, sorted by the number of executions.

Step 2: Investigate Encoded PowerShell Commands

  • Purpose: Decode and examine the actual commands being run to determine if they are suspicious.
  • How: The query decodes the base64-encoded PowerShell commands and lists the unique commands executed by each device. This helps in understanding what actions were performed on the devices.

Step 3: Reconnaissance Activities

  • Purpose: Detect if any reconnaissance commands were executed in an encoded form.
  • How: The query looks for decoded commands that match known reconnaissance activities (like Get-ADUser, whoami, etc.). It lists details about these activities, such as the device name and account used.

Step 4: Encoded Downloads

  • Purpose: Identify potential malicious downloads or command-and-control (C2) traffic initiated via encoded PowerShell commands.
  • How: The query searches for decoded commands that involve downloading files or making web requests, which could indicate malicious activity. It provides details about these actions for further investigation.

Conclusion

If any suspicious or malicious activities are found, the query suggests using additional Digital Forensics and Incident Response (DFIR) queries to further investigate the incident.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

letdynamicagocontainsorhas_anyextendextractbase64_decode_tostringnotisemptysummarizecountbysortreplace_stringisnotemptymake_setarray_lengthproject

Actions

GitHub