Encoded Powershell Command (PowerShell)
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Encoded commands could be a way for an attacker to obfuscate malicious scripts they are executing on the victim machine.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1027 Obfuscated Files or Information |
References
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/?utm_campaign=Threat%20Report%20Newsletter&utm_medium=email&_hsmi=203254280&_hsenc=p2ANqtz-_lmhDqWF4dK1aEuVSrgJUOHdLMvJ7ORkr-vdksakqAPIxGFhGLMHMGAUiX4y9HTdUyzYWBQlJ
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '1001.1001'
title: Encoded Powershell Command
description: 'PowerShell is a powerful interactive command-line interface and scripting
environment included in the Windows operating system. Adversaries can use PowerShell
to perform a number of actions, including discovery of information and execution
of code. Encoded commands could be a way for an attacker to obfuscate malicious
scripts they are executing on the victim machine. -- Threat Actor Association: Actinium/Gamaredon/Primitive
Bear, APT28 (aka Fancy Bear, Fighting Ursa, Forest Blizzard, Pawn Storm, TA422,
STRONTIUM), APT29/Nobelium, APT35/Phosphorus/Magic Hound, BlackByte, DarkSide, BlackMatter,
FIN7, Memento Team, MuddyWater, Turla (aka Secret Blizzard, KRYPTON, and UAC-0003),
Vice Society, Volt Typhoon - Software Attribution: ALPHV/BlackCat, Bazarloader,
Black Basta, Conti, Emotet, LV, MirrorBlast, Prestige, PYSA/Mespinoza, Ransom Cartel,
TargetCompany, TrickBot, XingLocker, Yellow Cockatoo/Jupiter Infostealer, WhisperGate
- #TrendingThreat #Russia #Ukraine - Atomics T1027 Test #2 Atomics T1027 Test #3'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"EventID>4103<" OR TERM(EventCode=4104) OR "EventID>4104<") (("-e" OR "-en" OR "-ec"
OR "-enco" OR "-encodedcommand" OR "-encod" OR "-encode" OR "-encoded" OR "-encodedc*")
OR ("/e" OR "/en" OR "/ec" OR "/enco" OR "/encodedcommand" OR "/encod" OR "/encode"
OR "/encoded" OR "/encodedc*") OR "frombase64string") | rex field=Message "(?i)powershell.exe\"?(?<trun_cmd>.{60})"
| regex process="(?i)(powershell.*\s+(\-|\/)(e|en|ec|enc|enco|encod|encode|encode[dcoman]+)\s+\S+)|frombase64string"
| table _time, host, user, process, process_*, signature_id | bin span=1s | stats
values(*) as * by _time, host '
techniques:
- defense-evasion:obfuscated files or information
- execution:command and scripting interpreter:powershell
technique_id:
- T1027
- T1059.001
data_category:
- PowerShell logs
- Process command-line parameters
references:
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/?utm_campaign=Threat%20Report%20Newsletter&utm_medium=email&_hsmi=203254280&_hsenc=p2ANqtz-_lmhDqWF4dK1aEuVSrgJUOHdLMvJ7ORkr-vdksakqAPIxGFhGLMHMGAUiX4y9HTdUyzYWBQlJ
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "EventID>4103<" OR TERM(EventCode=4104) OR "EventID>4104<") (("-e" OR "-en" OR "-ec" OR "-enco" OR "-encodedcommand" OR "-encod" OR "-encode" OR "-encoded" OR "-encodedc*") OR ("/e" OR "/en" OR "/ec" OR "/enco" OR "/encodedcommand" OR "/encod" OR "/encode" OR "/encoded" OR "/encodedc*") OR "frombase64string")
Stage 2: rex
| rex field=Message "(?i)powershell.exe\"?(?<trun_cmd>.{60})"
Stage 3: regex
| regex process="(?i)(powershell.*\s+(\-|\/)(e|en|ec|enc|enco|encod|encode|encode[dcoman]+)\s+\S+)|frombase64string"
Stage 4: table
| table _time, host, user, process, process_*, signature_id
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host
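The Stage 1 token search is only a coarse prefilter; the Stage 3 regex is what actually decides whether the rule fires. Here it is as an added Python example (not part of the rule or of this catalog), run over constructed sample events; it assumes the regex is applied to the event Message text, and it captures the switch argument so the decoded command can be shown during triage.

```python
import base64
import re

# Stage 3 predicate of the rule as a Python regex. Assumption: it is applied to the event
# Message text (where the rule's Stage 2 rex also looks) rather than a separate process field.
# The last switch alternative is written "encode[dcoman]+" so that "-EncodedCommand" matches,
# and the switch argument is captured so it can be decoded for triage.
ENCODED_CMD_RE = re.compile(
    r"powershell.*?\s[-/](?:e|en|ec|enc|enco|encod|encode|encode[dcoman]+)\s+(\S+)"
    r"|(frombase64string)",
    re.IGNORECASE,
)

def decode_encoded_command(token):
    """-EncodedCommand takes base64 of UTF-16LE text; return the plaintext or None."""
    try:
        raw = base64.b64decode(token.strip("'\""), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    """Return None when the rule does not fire on this event, else a triage dict."""
    if str(event.get("EventCode")) not in ("4103", "4104"):  # Stage 1 event filter
        return None
    m = ENCODED_CMD_RE.search(event.get("Message", ""))
    if not m:
        return None
    arg = m.group(1) or ""
    return {
        "switch_arg": arg,
        "decoded": decode_encoded_command(arg) if arg else None,
        "frombase64": m.group(2) is not None,
    }

# Constructed sample events (not real telemetry); the encoded payload is a benign Get-Process.
PAYLOAD = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventCode": "4104", "Message": f"Creating Scriptblock text (1 of 1): powershell.exe -nop -w hidden -enc {PAYLOAD}"},
    {"EventCode": "4104", "Message": f"Creating Scriptblock text (1 of 1): powershell.exe /EncodedCommand {PAYLOAD}"},
    {"EventCode": "4103", "Message": 'CommandInvocation(Get-ChildItem): "Get-ChildItem"'},
    {"EventCode": "4688", "Message": f"powershell.exe -enc {PAYLOAD}"},  # not a PowerShell-log event, ignored
]

def run_rule(events):
    """Apply the rule to every event; returns (index, hit) pairs for the events that fired."""
    return [(i, hit) for i, e in enumerate(events) if (hit := evaluate(e)) is not None]
```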
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM(EventCode=4103) |
| 1 | "EventID>4103<" |
| 1 | TERM(EventCode=4104) |
| 1 | "EventID>4104<" |
| 1 | "-e" |
| 1 | "-en" |
| 1 | "-ec" |
| 1 | "-enco" |
| 1 | "-encodedcommand" |
| 1 | "-encod" |
| 1 | "-encode" |
| 1 | "-encoded" |
| 1 | "-encodedc*" |
| 1 | "/e" |
| 1 | "/en" |
| 1 | "/ec" |
| 1 | "/enco" |
| 1 | "/encodedcommand" |
| 1 | "/encod" |
| 1 | "/encode" |
| 1 | "/encoded" |
| 1 | "/encodedc*" |
| 1 | "frombase64string" |