these characters might be legitimately on the command-line, but it is not common.

Techniques

Sample rules

Malicious PowerShell Process With Obfuscation Techniques

source: splunk
technicques:
- T1059
- T1059.001

Description

This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "'"))-1) 
| `malicious_powershell_process_with_obfuscation_techniques_filter` 
| search num_obfuscation > 10