Skip to content

Latest commit

 

History

History
41 lines (31 loc) · 1.7 KB

ttp_t1027-010_powershellEncodedCommand.md

File metadata and controls

41 lines (31 loc) · 1.7 KB

TTP Detection Rule: PowerShell -encodedcommand switch

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1027.010 Obfuscated Files or Information: Command Obfuscation Command Obfuscation

Description

Detection opportunity 4: PowerShell -encodedcommand switch

We also observed at least one of these adversaries abusing the shortened -encoded PowerShell command switch to encode PowerShell commands. This is another common bit of tradecraft. The following should help detect and hunt for the behaviour.

Risk

FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recent intrusions. Adversaries may encode commands to evade defenses.

Author

References

Defender XDR

//this will be noisy and no good for a SIEM analytic
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-e","-en","-enc","-enco","-encod","-encode","-encoded","-encodedc","-encodedco","-encodedcom","-encodedcomm","-encodedcomma","-encodedcomman","-encodedcommand")

Sentinel

//this will be noisy and no good for a SIEM analytic
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-e","-en","-enc","-enco","-encod","-encode","-encoded","-encodedc","-encodedco","-encodedcom","-encodedcomm","-encodedcomma","-encodedcomman","-encodedcommand")