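//Finds encoded PowerShell commands and then decodes the encoded string
//Data connector required for this query - M365 Defender - Device* tables
//Query modified from this post - https://techcommunity.microsoft.com/t5/microsoft-sentinel/finding-base64-encoded-commands/m-p/1891876
//
//Detection notes:
// * powershell.exe accepts abbreviated forms of -EncodedCommand (the documented short forms are -e and -ec, and
//   longer prefixes such as -enc are accepted as well), and the switch may be introduced with "/" instead of "-".
//   Filtering on the literal "-enc" therefore misses "-e <blob>" and "-ec <blob>"; the regex below covers every prefix.
// * -EncodedCommand expects UTF-16LE text, while base64_decode_tostring() decodes as UTF-8. An ASCII payload therefore
//   comes back with a NUL (\x00) after every character; those NULs are stripped so the decoded text is readable.
//   NOTE(review): payloads containing non-ASCII characters may still decode to garbage or to an empty string - confirm in your tenant.
// * The encoded blob is taken from the token immediately after the switch instead of from the end of the line,
//   so trailing arguments no longer hide it. Rows where only the parent (initiating) process carries the switch
//   are decoded from InitiatingProcessCommandLine rather than being silently dropped.
//
//Regex: whitespace, "-" or "/", any accepted spelling of the EncodedCommand switch, whitespace, then the base64 blob
//(optionally double-quoted). Capture group 1 is the blob: at least 20 base64 characters plus up to two "=" padding chars.
let EncodedCommandRegex = @'(?i)\s[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+"?([A-Za-z0-9+/]{20,}={0,2})';
DeviceProcessEvents
//Cheap term filter before the regex runs; PowerShell 7 (pwsh) supports -EncodedCommand too
| where ProcessCommandLine has_any ("powershell", "pwsh")
    or InitiatingProcessCommandLine has_any ("powershell", "pwsh")
| where ProcessCommandLine matches regex EncodedCommandRegex
    or InitiatingProcessCommandLine matches regex EncodedCommandRegex
//Extract encoded command using regex
//This query will only return results when the command can be matched via regex and decoded, if you run only the above lines it will return all encoded commands without attempting to match and decode
//Prefer the child command line; fall back to the parent's when only it carries the switch (coalesce skips empty strings)
| extend EncodedCommand = coalesce(
    extract(EncodedCommandRegex, 1, ProcessCommandLine),
    extract(EncodedCommandRegex, 1, InitiatingProcessCommandLine))
//isnotempty() covers both the null and the "" no-match results of extract()
| where isnotempty(EncodedCommand)
//UTF-16LE payload decoded as UTF-8: remove the interleaved NUL characters
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedCommand), @'\x00', '')
| where isnotempty(DecodedCommand)
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    ProcessCommandLine,
    EncodedCommand,
    DecodedCommand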