Malicious PowerShell Process With Obfuscation Techniques
- source: splunk
- techniques:
- T1059
- T1059.001
Description
This search looks for PowerShell processes launched with command-line arguments containing characters indicative of obfuscation (backticks, carets and single quotes), and alerts when their combined count exceeds 10.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "'"))-1)
| `malicious_powershell_process_with_obfuscation_techniques_filter`
| search num_obfuscation > 10
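As an added example (not the rule's own code), the num_obfuscation eval above re-implemented in Python and run over constructed command lines, so the strict "> 10" threshold and the quote-heavy false-positive case the filter macro exists for can be checked offline; the sample strings are constructed, not real telemetry.

```python
"""Re-implementation of the rule's num_obfuscation score over sample command lines."""
from typing import Dict, List, Tuple

# Characters the SPL eval counts: backtick (PowerShell escape), caret (cmd.exe
# escape) and single quote (string splitting / concatenation).
OBFUSCATION_CHARS = ("`", "^", "'")
THRESHOLD = 10  # the rule fires on num_obfuscation > 10 (strictly greater)


def num_obfuscation(process: str) -> int:
    """Sum of (mvcount(split(process, c)) - 1) over the three characters.

    Splitting on a character and subtracting one yields its number of
    occurrences, exactly as the SPL eval computes it.
    """
    return sum(len(process.split(c)) - 1 for c in OBFUSCATION_CHARS)


def per_char_counts(process: str) -> Dict[str, int]:
    """Per-character breakdown of the score, useful when tuning the filter macro."""
    return {c: process.count(c) for c in OBFUSCATION_CHARS}


def is_flagged(process: str, threshold: int = THRESHOLD) -> bool:
    return num_obfuscation(process) > threshold


def evaluate(processes: List[str], threshold: int = THRESHOLD) -> List[Tuple[str, int, bool]]:
    """Return (process, score, flagged) per command line, mirroring the search output."""
    return [(p, num_obfuscation(p), is_flagged(p, threshold)) for p in processes]


# Constructed sample Processes.process values (not real telemetry).
SAMPLE_PROCESSES = [
    # 1. plain script invocation: nothing to count -> 0
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # 2. ordinary one-liner with one quoted string: 2 quotes -> 2
    "powershell.exe -Command \"Get-Service | Where-Object {$_.Status -eq 'Running'}\"",
    # 3. backtick-split cmdlet name plus string concatenation: 14 backticks + 6 quotes -> 20
    "powershell.exe -NoP -W Hidden -C I`n`v`o`k`e-E`x`p`r`e`s`s`i`o`n ('a'+'b'+'c')",
    # 4. nested cmd.exe string with a caret-split token: 13 carets -> 13
    "powershell.exe -w hidden -c \"cmd.exe /c p^o^w^e^r^s^h^e^l^l^.^e^x^e -nop\"",
    # 5. benign inventory command with six quoted paths: 12 quotes -> 12, a likely
    #    false positive that the rule's filter macro is there to suppress
    "powershell.exe -Command \"Get-ChildItem 'C:\\Logs','C:\\Data','C:\\Temp','C:\\Backup','C:\\Scripts','C:\\Reports' | Measure-Object\"",
]

if __name__ == "__main__":
    for process, score, flagged in evaluate(SAMPLE_PROCESSES):
        print(f"{score:3d} {'ALERT' if flagged else '     '} {process[:70]}")
```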