Obfuscated Powershell Invocations
Defense Evasion
This topic is huge, but in this lab, I wanted to see if I could do a simple hunt for encoded powershell command invocations.
Defining the Hunt
I want to find processes with base64 encoded commandlines that may indicate obfuscated powershell invocations.
Data source: sysmon logs that provide insight into process creation events, that contains commandlines the process was started.
Execution
I had a sample of 27000 events that had a commandline logged, which I exported to a .csv file:
Since malicious encoded commands are usually lengthy, contiguous sequence of printable ASCII characters (including characters such as =,/,+), I decided to loop through the commandlines and only pull those that matched a simple regex ([A-Za-z0-9]){64,}
Full powershell one liner below:
Below are the results - note how out of 27000+ events, only a handful were returned, among which was one base64 encoded powershell commandline:
Since I am looking for malicious powershell invocations, I could adjust the query as follows to remove processes that do not contain powershell.exe
mentioned in them:
Bingo - only one result returned:
This type of hunting is interesting, so I will be coming back to explore this area further.
References
Last updated