Techniques
Sample rules
Powershell Using memory As Backing Store
- source: splunk
- technicques:
- T1059.001
- T1059
Description
The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream*
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_using_memory_as_backing_store_filter`