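id: 4e78daf1-8bba-4b5d-8a8b-c75fe9bbc2d9
name: New PowerShell scripts encoded on the commandline
description: |
  'Identify and decode new encoded powershell scripts this week versus previous 14 days'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Execution
  - CommandAndControl
query: |
  // Window bounds are filled in by the Sentinel hunting UI. "Current" is
  // starttime..endtime; "baseline" is the two equally sized windows that
  // precede starttime (the description's "this week versus previous 14 days").
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let midlookback = totimespan((endtime-starttime)*2);
  // Anchor the baseline on starttime. The earlier query used ago(), which is
  // relative to the time the query runs, so the windows drifted whenever
  // endtime was not "now"; when endtime is "now" both forms coincide.
  let baselineStart = starttime - midlookback;
  // 4688 process-creation events for powershell.exe / pwsh.exe across the
  // baseline and the current window.
  let ProcessCreationEvents=() {
  let processEvents=SecurityEvent
  | where TimeGenerated between(baselineStart..endtime)
  | where EventID==4688
  | where NewProcessName has_any ("powershell.exe","pwsh.exe")
  | project TimeGenerated, Computer, Account, NewProcessName, FileName=tostring(split(NewProcessName, '\\')[-1]), ProcessCommandLine = CommandLine, ParentProcessName;
  processEvents};
  // Encoded launches over the full range. The range is deliberately NOT
  // narrowed here: the earlier query restricted this set to
  // ago(midlookback)..starttime and then asked for starttime..endtime below,
  // which could only match rows stamped exactly at starttime.
  // `has` is case-insensitive but matches the full switch name only, so
  // abbreviated spellings such as -enc are not selected by this filter.
  let encodedPSScripts =
  ProcessCreationEvents
  | where FileName in~ ("powershell.exe","pwsh.exe")
  | where ProcessCommandLine has "-encodedCommand"
  // Capture the base64 token once, for both sides of the join below.
  // (?i) keeps this consistent with the case-insensitive `has` filter; the
  // earlier case-sensitive parse for "-EncodedCommand " yielded an empty
  // token for any other spelling. Only base64 characters are captured, so
  // arguments that follow the token are not swept into it.
  | extend encodedCommand = extract(@"(?i)-encodedcommand\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
  // PowerShell expects base64 of UTF-16LE text here, so the decoded string
  // typically carries a NUL after each ASCII character but remains readable.
  // NOTE(review): trimming the token to a multiple of 8 characters is kept
  // from the earlier query; a base64 string's length is a multiple of 4, so
  // this can drop the last 4 characters - confirm the trimming is still wanted.
  | extend decodedCommand = base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)));
  // Current window, one row per distinct launch, minus anything whose encoded
  // payload was already seen in the baseline. Rows without an extractable
  // token share the empty key and are therefore matched against each other.
  encodedPSScripts
  | where TimeGenerated between(starttime..endtime)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Computer, Account, NewProcessName, FileName, ProcessCommandLine, ParentProcessName, encodedCommand, decodedCommand
  | join kind=leftanti (
  encodedPSScripts
  | where TimeGenerated between(baselineStart..starttime)
  | distinct encodedCommand, decodedCommand
  ) on encodedCommand, decodedCommand
  | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity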