44 строки
1.9 KiB
YAML
44 строки
1.9 KiB
YAML
id: 4e78daf1-8bba-4b5d-8a8b-c75fe9bbc2d9
|
|
name: New PowerShell scripts encoded on the commandline
|
|
description: |
|
|
'Identify and decode new encoded powershell scripts this week versus previous 14 days'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Execution
|
|
- CommandAndControl
|
|
query: |
|
|
|
|
let starttime = 21d;
|
|
let midtime = 14d;
|
|
let endtime = 7d;
|
|
let ProcessCreationEvents=() {
|
|
let processEvents=SecurityEvent
|
|
| where EventID==4688
|
|
| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,AccountDomain=SubjectDomainName,
|
|
FileName=tostring(split(NewProcessName, '\\')[-1]),
|
|
ProcessCommandLine = CommandLine,
|
|
InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
|
|
processEvents};
|
|
let encodedPSScripts =
|
|
ProcessCreationEvents
|
|
| where TimeGenerated >= ago(midtime)
|
|
| where FileName =~ "powershell.exe"
|
|
| where ProcessCommandLine contains "-encodedCommand";
|
|
encodedPSScripts
|
|
| where TimeGenerated > ago(endtime)
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by ProcessCommandLine
|
|
| parse ProcessCommandLine with * "-EncodedCommand " encodedCommand
|
|
| project StartTimeUtc, EndTimeUtc, decodedCommand=base64_decodestring(substring(encodedCommand, 0,
|
|
strlen(encodedCommand) - (strlen(encodedCommand) %8))), encodedCommand
|
|
| join kind=anti (encodedPSScripts
|
|
| where TimeGenerated between(ago(starttime)..ago(endtime))
|
|
| summarize count() by ProcessCommandLine
|
|
| parse ProcessCommandLine with * "-EncodedCommand " encodedCommand
|
|
| project decodedCommand=base64_decodestring(substring(encodedCommand, 0,
|
|
strlen(encodedCommand) - (strlen(encodedCommand) %8))), encodedCommand
|
|
) on encodedCommand, decodedCommand
|
|
| extend timestamp = StartTimeUtc
|
|
|