LoFP / PowerShell may use this function to store output objects in memory.

Techniques

Sample rules

Powershell Using memory As Backing Store

Description

The following analytic identifies suspicious PowerShell script execution, logged as EventCode 4104 (script block logging), in which a memory stream is created as the backing store of a new object. Malicious scripts of this kind typically carry deflate-compressed data that is decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe, and review the full script block to identify other related artifacts.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_using_memory_as_backing_store_filter`
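As an added example (not part of the LoFP page or the Splunk rule itself), the search above reimplemented in Python over constructed EventCode 4104 events: the two wildcard matches, the `stats` aggregation and renames, and the filter macro modelled as an allowlist of known benign host/user pairs. All hostnames, users, timestamps and script text are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample 4104 script block events (not real telemetry).
EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": "$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String($d))"},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": "$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String($d))"},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "ws02.corp.example",
     "UserID": "CORP\\bob", "ScriptBlockText": "Get-ChildItem C:\\Temp | Export-Csv out.csv"},
    {"_time": 1700000180, "EventCode": 4104, "Computer": "srv01.corp.example",
     "UserID": "CORP\\svc_backup",
     "ScriptBlockText": "$s = New-Object System.IO.MemoryStream; $w.CopyTo($s)"},
]

# Stand-in for `powershell_using_memory_as_backing_store_filter`: tune known
# legitimate uses (the LoFP case) here rather than loosening the search.
ALLOWLIST = {("srv01.corp.example", "CORP\\svc_backup")}


def matches_search(event):
    """Equivalent of EventCode=4104 ScriptBlockText=*New-Object* ScriptBlockText=*IO.MemoryStream*
    (Splunk wildcard field matches are case-insensitive substring matches)."""
    text = event.get("ScriptBlockText", "").lower()
    return event.get("EventCode") == 4104 and "new-object" in text and "io.memorystream" in text


def ctime(epoch):
    """Mimics security_content_ctime: epoch seconds to an ISO-style timestamp (UTC assumed)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, allowlist=ALLOWLIST):
    """stats count min(_time) max(_time) by EventCode ScriptBlockText Computer UserID, then rename/filter."""
    groups = defaultdict(list)
    for ev in events:
        if matches_search(ev):
            groups[(ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])].append(ev["_time"])
    results = []
    for (code, text, computer, user), times in groups.items():
        if (computer, user) in allowlist:
            continue  # suppressed by the filter macro
        results.append({"EventCode": code, "ScriptBlockText": text, "dest": computer, "user": user,
                        "count": len(times), "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return results


if __name__ == "__main__":
    for row in run_detection(EVENTS):
        print(row)
```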