LoFP / PowerShell may use this function to process compressed data.

Techniques

Sample rules

Powershell Processing Stream Of Data

Description

The following analytic identifies suspicious PowerShell script execution via EventCode 4104 (script block logging) that processes compressed stream data. This pattern is typical of obfuscated PowerShell, or of PowerShell that carries an embedded .NET assembly or binary as a compressed, flattened stream which is inflated at run time. Legitimate scripts also call these .NET compression and stream APIs (for example to expand archives), which is the source of false positives for this rule. During triage, review parallel processes within the same timeframe and review the full script block to identify other related artifacts.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_processing_stream_of_data_filter`
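The search above, replayed in Python over a handful of constructed EventCode 4104 records, as an added example that is not part of the LoFP page or of the Splunk security content project. It reproduces the base search (EventCode=4104 plus the three ScriptBlockText wildcard terms, matched case-insensitively as Splunk does), the `stats count min(_time) max(_time) by ...` aggregation, and a stand-in for the site-specific filter macro so the false-positive case from the page title can be tuned out. The host names, SIDs, script blocks and timestamps are constructed sample data; `example_filter` is a hypothetical allowlist, not the real macro, and the ctime macro is left as plain epoch seconds.

```python
import re
from collections import defaultdict

# Constructed sample of script block logging records (not real telemetry). Each
# carries the fields the Splunk search groups on, plus _time as epoch seconds.
SAMPLE_EVENTS = [
    # Two identical obfuscated blocks on the same host: deflate a byte stream, read it, IEX it
    {"_time": 1700000000, "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "$d=[IO.Compression.DeflateStream]::new($ms,[IO.Compression.CompressionMode]::Decompress);"
                        "(New-Object IO.StreamReader($d)).ReadToEnd() | IEX"},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "$d=[IO.Compression.DeflateStream]::new($ms,[IO.Compression.CompressionMode]::Decompress);"
                        "(New-Object IO.StreamReader($d)).ReadToEnd() | IEX"},
    # Benign: a backup job expanding an archive through the same .NET namespace (the LoFP case)
    {"_time": 1700000120, "EventCode": 4104, "Computer": "BK01.corp.local",
     "UserID": "S-1-5-21-1-2-3-2001",
     "ScriptBlockText": "[IO.Compression.ZipFile]::ExtractToDirectory('D:\\backup\\nightly.zip','D:\\restore')"},
    # Matches none of the wildcard terms
    {"_time": 1700000180, "EventCode": 4104, "Computer": "WS02.corp.local",
     "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    # Matches ]::Decompress but is not a 4104 event, so the base search drops it
    {"_time": 1700000240, "EventCode": 4103, "Computer": "WS02.corp.local",
     "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockText": "[IO.Compression.GZipStream]::Decompress"},
]

# The three ScriptBlockText terms from the detection logic, verbatim.
PATTERNS = ("*IO.Compression.*", "*IO.StreamReader*", "*]::Decompress*")


def splunk_wildcard_to_regex(pattern):
    """Turn a Splunk wildcard term (only * is special) into an anchored regex.
    Splunk matches field values case-insensitively, and script blocks span lines."""
    escaped = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + escaped + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [splunk_wildcard_to_regex(p) for p in PATTERNS]


def matches_search(event):
    """Base search: EventCode=4104 AND any of the three wildcard terms on ScriptBlockText."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    return any(rx.match(text) for rx in COMPILED)


def example_filter(row):
    """Hypothetical stand-in for `powershell_processing_stream_of_data_filter`: suppress the
    known backup host's archive extraction. Real deployments tune this to their own baseline."""
    benign = row["Computer"] == "BK01.corp.local" and "ZipFile]::ExtractToDirectory" in row["ScriptBlockText"]
    return not benign


def detect(events, filter_fn=lambda row: True):
    """Run the base search, then `stats count min(_time) as firstTime max(_time) as lastTime
    by EventCode ScriptBlockText Computer UserID`, then apply the filter. Times stay as
    epoch seconds; the ctime macro in the original search only renders them for display."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_search(ev):
            continue
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        r = rows[key]
        r["count"] += 1
        t = ev["_time"]
        r["firstTime"] = t if r["firstTime"] is None else min(r["firstTime"], t)
        r["lastTime"] = t if r["lastTime"] is None else max(r["lastTime"], t)
    results = []
    for (code, text, computer, user), r in rows.items():
        row = {"EventCode": code, "ScriptBlockText": text, "Computer": computer, "UserID": user, **r}
        if filter_fn(row):
            results.append(row)
    return sorted(results, key=lambda row: row["firstTime"])


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, example_filter):
        print(row["count"], row["firstTime"], row["lastTime"], row["Computer"], row["UserID"])
        print("   ", row["ScriptBlockText"][:80])
```

Without the filter the backup host surfaces as a second row, which is exactly the false positive the page title describes; the filter removes it while leaving the two identical `Decompress` + `IEX` blocks on WS01 aggregated into one row with count 2.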