Detect and Decode Base64-Encoded PowerShell Commands
The query identifies Windows PowerShell executions that pass an encoded-command flag, extracts and decodes the Base64 (UTF-16LE) payload, including one further nested -EncodedCommand layer, counts executions and distinct endpoints per command line, and outputs the decoded content for analysis of potentially obfuscated activity.
Tags: EDR, hunting, FDR, intermediate
By CrowdStrike (cql-hub.com), 1 min read
Query
#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/.*\\powershell\.exe/
// Keep only executions that pass an encoded-command flag and capture which spelling was used
| CommandLine=/\s+\-(e|encoded|encodedcommand|enc)\s+/i
| CommandLine=/\-(?<psEncFlag>(e|encoded|encodedcommand|enc))\s+/i
| length("CommandLine", as="cmdLength")
// Collapse identical command lines; count executions and distinct sensors (aid)
| groupby([psEncFlag, cmdLength, CommandLine], function=stats([count(aid, distinct=true, as="uniqueEndpointCount"), count(aid, as="executionCount")]), limit=max)
// splitString's "by" is a regex: split on the flag itself (case-insensitive) so index 1 is the Base64 blob and index 0 is everything before it
| EncodedString := splitString(field=CommandLine, by="(?i)-(e|enc|encoded|encodedcommand)\\s+", index=1)
| CmdLinePrefix := splitString(field=CommandLine, by="(?i)-(e|enc|encoded|encodedcommand)\\s+", index=0)
// -EncodedCommand payloads are Base64 over UTF-16LE text, so decode with that charset
| DecodedString := base64Decode(EncodedString, charset="UTF-16LE")
// Look for encoded messages in the decoded message and decode those too (one extra level)
| case {
DecodedString = /encoded/i
| SubEncodedString := splitString(field=DecodedString, by="-EncodedCommand ", index=1)
| SubCmdLinePrefix := splitString(field=DecodedString, by="-EncodedCommand ", index=0)
| SubDecodedString := base64Decode(SubEncodedString, charset="UTF-16LE");
*
}
| table([executionCount, uniqueEndpointCount, cmdLength, DecodedString, CommandLine])
| sort(executionCount, order=desc)
Explanation
Imported from cql-hub.com. Pipe by pipe:
- The first line restricts the search to Windows ProcessRollup2 events whose image is powershell.exe. pwsh.exe (PowerShell 7) is not matched by this pattern.
- The two CommandLine regexes keep only executions that pass an encoded-command flag and capture the spelling used (-e, -enc, -encoded or -EncodedCommand) into psEncFlag. powershell.exe accepts any unambiguous prefix of -EncodedCommand (for example -ec or -en), so spellings outside this list are not caught.
- length() records the command-line length; very long command lines are a useful pivot on their own.
- groupby() collapses identical command lines, counting executions (executionCount) and distinct sensors by aid (uniqueEndpointCount).
- splitString() separates the Base64 blob (index=1) from everything before the flag (index=0); its by parameter is a regex.
- base64Decode() with charset="UTF-16LE" turns the blob back into text. -EncodedCommand payloads are Base64 over UTF-16LE, so decoding them as UTF-8 yields characters interleaved with NUL bytes.
- The case block checks whether the decoded text itself contains "encoded" and, if so, splits on "-EncodedCommand " and decodes one further level into SubDecodedString. Only one extra layer is handled; deeper nesting remains encoded.
- table() and sort() present the most frequently executed decoded commands first.
Variables to adjust
Review and adjust these values for your environment: the ImageFileName pattern (add pwsh.exe or a specific install path if needed), the list of flag spellings in the CommandLine regexes and in the splitString patterns (they must stay in sync), the "-EncodedCommand " literal used for the nested layer, and limit=max on groupby(), which may need lowering in large environments.