Powershell Command Length Anomaly Detection
This query establishes a 7-day baseline of the average PowerShell command length for each host, then compares that baseline with the average command length of the last 24 hours. Hosts whose average command length has risen by a significant percentage are reported; such a rise can be an indicator of obfuscation, fileless execution, or other malicious activity associated with "Living off the Land" techniques.
Tags: EDR · detection · T1059.001 · T1027.010
FDR · intermediate · by ByteRay GmbH (cql-hub.com) · 1 min read
Query
// Note: "Historical" only covers events older than 7 days before the end of the search window,
// so run the query over at least 14 days for the baseline to span a full 7 days.
#event_simpleName=ProcessRollup2
| ImageFileName=/\\(powershell(_ise)?|pwsh)\.exe/i
| CommandLength := length("CommandLine") | CommandLength>0
| aid=?AID
// Classify Data into Historical and LastDay (events between 1 and 7 days old fall through the * branch and are dropped by the groupBy below)
| case {
    test(@timestamp < (end() - duration(7d))) | DataSet:="Historical";
    test(@timestamp > (end() - duration(1d))) | DataSet:="LastDay";
    *
  }
// Calculate Average Command Length
| groupBy([DataSet, aid], function=avg(CommandLength))
| case {
    DataSet="Historical" | rename(field="_avg", as="historicalAvg");
    DataSet="LastDay" | rename(field="_avg", as="todaysAvg");
    *
  }
// Aggregate Averages (one row per host with both averages)
| groupBy([aid], function=[avg("historicalAvg", as=historicalAvg), avg("todaysAvg", as=todaysAvg)])
// Calculate Percentage Increase
| PercentIncrease := (todaysAvg - historicalAvg) / historicalAvg * 100
| format("%d", field=PercentIncrease, as=PercentIncrease)
| format(format="%.2f", field=[historicalAvg], as=historicalAvg)
// Filter and Sort Results (sort() defaults to descending order)
| PercentIncrease > 0
| sort(PercentIncrease, limit=10000)
Explanation
Imported from cql-hub.com. Add a pipe-by-pipe explanation here.
Variables to adjust
Review and adjust the values according to your environment.
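To make the query's logic concrete, the following Python reimplementation (an added example, not part of the cql-hub.com page or ByteRay's query) applies the same steps to a handful of constructed process events: filter on the PowerShell image name, classify events into the "Historical" and "LastDay" windows relative to the search end, average the command length per host and window, and report hosts with a positive percentage increase. The `END` timestamp, the host identifiers and the command lines are all constructed; the integer truncation of PercentIncrease is an assumption standing in for the query's `format("%d")`. The example also shows the two cases a practitioner should be aware of: events between 1 and 7 days old land in neither window, and a host without baseline data cannot be scored at all.

```python
"""Baseline-vs-last-day PowerShell command length comparison (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same image filter as the query: powershell.exe, powershell_ise.exe or pwsh.exe
POWERSHELL_RE = re.compile(r"\\(powershell(_ise)?|pwsh)\.exe", re.IGNORECASE)


def classify(ts, end, baseline_days=7, recent_days=1):
    """Mirror the query's case{} block. Events older than `baseline_days` before
    `end` are 'Historical', events within the last `recent_days` are 'LastDay',
    and anything in between falls through the '*' branch (returned as None)."""
    if ts < end - timedelta(days=baseline_days):
        return "Historical"
    if ts > end - timedelta(days=recent_days):
        return "LastDay"
    return None


def command_length_anomalies(events, end):
    """events: iterable of dicts with keys aid, ImageFileName, CommandLine, timestamp.
    Returns a list of {aid, historicalAvg, todaysAvg, PercentIncrease} for hosts whose
    last-day average exceeds the baseline, sorted descending like the query's sort()."""
    # aid -> window -> [sum of lengths, event count]
    sums = defaultdict(lambda: {"Historical": [0, 0], "LastDay": [0, 0]})
    for ev in events:
        if not POWERSHELL_RE.search(ev["ImageFileName"]):
            continue
        length = len(ev["CommandLine"])
        if length <= 0:  # CommandLength > 0
            continue
        window = classify(ev["timestamp"], end)
        if window is None:
            continue
        sums[ev["aid"]][window][0] += length
        sums[ev["aid"]][window][1] += 1

    results = []
    for aid, windows in sums.items():
        h_sum, h_count = windows["Historical"]
        t_sum, t_count = windows["LastDay"]
        if h_count == 0 or t_count == 0:
            # As in the query, a host needs both a baseline and recent activity.
            continue
        historical_avg = h_sum / h_count
        todays_avg = t_sum / t_count
        # Truncated to a whole number (assumed equivalent of the query's format("%d"))
        pct = int((todays_avg - historical_avg) / historical_avg * 100)
        if pct > 0:  # PercentIncrease > 0
            results.append({"aid": aid, "historicalAvg": round(historical_avg, 2),
                            "todaysAvg": round(todays_avg, 2), "PercentIncrease": pct})
    results.sort(key=lambda r: r["PercentIncrease"], reverse=True)
    return results


# ---- constructed sample data (not real telemetry) ----
END = datetime(2024, 6, 15, tzinfo=timezone.utc)  # constructed end of the search window
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"


def _ev(aid, days_before_end, cmd_len, image=PS):
    # Synthetic command line of a chosen length; only its length matters here.
    return {"aid": aid, "ImageFileName": image, "CommandLine": "x" * cmd_len,
            "timestamp": END - timedelta(days=days_before_end)}


SAMPLE_EVENTS = [
    # host-a: baseline avg 50 (days 10 and 9), last-day avg 200 -> +300%
    _ev("host-a", 10, 40), _ev("host-a", 9, 60),
    _ev("host-a", 0.25, 150), _ev("host-a", 0.5, 250),
    _ev("host-a", 3, 5000),                      # in the 1..7 day gap: ignored
    _ev("host-a", 0.3, 9999, image=r"C:\Windows\System32\cmd.exe"),  # not PowerShell
    # host-b: recent commands shorter than baseline -> dropped by PercentIncrease > 0
    _ev("host-b", 8, 100), _ev("host-b", 0.1, 90),
    # host-c: last-day activity only, no baseline -> cannot be scored
    _ev("host-c", 0.2, 900),
    # host-d: pwsh.exe matches too; baseline 20, last day 30 -> +50%
    _ev("host-d", 12, 20, image=PWSH), _ev("host-d", 0.4, 30, image=PWSH),
]

if __name__ == "__main__":
    for row in command_length_anomalies(SAMPLE_EVENTS, END):
        print(row)
```

Running the block prints host-a (+300%) followed by host-d (+50%); host-b, host-c and the cmd.exe event never reach the result, exactly as they would not in the CQL version.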