forked from splunk/security_content
malicious_powershell_process_encoded_command.yml
asset_type: Endpoint
confidence: medium
creation_date: '2016-09-18'
data_metadata:
  data_models:
  - Endpoint
  data_source:
  - Endpoint Intel
  providing_technologies:
  - Carbon Black Response
  - CrowdStrike Falcon
  - Sysmon
  - Tanium
  - Ziften
description: This search looks for PowerShell processes that have encoded the script
  within the command-line. Malware has been seen using this parameter, as it obfuscates
  the code and makes it relatively easy to pass a script on the command-line.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, user, process_name
        rule_description: The system $dest$ executed a PowerShell process that has
          an encoded command on the command-line
        rule_title: PowerShell process with an encoded command detected on $dest$
      risk:
        risk_object: dest
        risk_object_type:
        - system
        risk_score: 20
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
    search: '| tstats `security_content_summariesonly` count values(Processes.process) as process
      values(Processes.parent_process) as parent_process min(_time) as firstTime
      max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe
      by Processes.user Processes.process_name Processes.parent_process_name Processes.dest |
      `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |
      search process=*-EncodedCommand* OR process=*-enc*'
    suppress:
      suppress_fields: dest, user, process_name
      suppress_period: 14400s
eli5: This search looks for PowerShell processes that are passing encoded commands
  on the command-line. The flags "-EncodedCommand" and "-enc" are two different possible
  flags that can be used to pass base64 encoded commands to PowerShell. This search
  will return the host, the user the process ran under, the process and its command-line
  arguments, the number of times it has seen this process, and the first and last times
  it saw this process.
entities:
- dest
- process_name
- user
how_to_implement: You must be ingesting data that records process activity from your
  hosts to populate the Endpoint data model in the Processes node. You must also be
  ingesting logs with both the process name and command line from your endpoints.
  The command-line arguments are mapped to the "process" field in the Endpoint data
  model.
id: c4db14d9-7909-48b4-a054-aa14d89dbb19
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
  name: Get Authentication Logs For Endpoint
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
  name: Get Risk Modifiers For User
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
  name: Get Process Info
  type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
  name: Get Notable History
  type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
  name: Get Notable Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
  name: Get Risk Modifiers For Endpoint
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
  name: Get User Information from Identity Table
  type: splunk
known_false_positives: System administrators may use this option, but it's not common.
maintainers:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
mappings:
  cis20:
  - CIS 3
  - CIS 7
  - CIS 8
  kill_chain_phases:
  - Command and Control
  - Actions on Objectives
  mitre_attack:
  - Execution
  - PowerShell
  - Scripting
  nist:
  - PR.PT
  - DE.CM
  - PR.IP
modification_date: '2018-12-03'
name: Malicious PowerShell Process - Encoded Command
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '3.0'
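The `search` and `eli5` fields above describe the detection logic in SPL. What follows is an added example, not part of the splunk/security_content rule file or its test data: a Python re-implementation of that search run over constructed Endpoint.Processes-style events, plus a triage helper that decodes the base64/UTF-16LE payload carried by `-EncodedCommand`/`-enc` so an analyst can see what was actually run. The sample events, the `%m/%d/%Y %H:%M:%S` output format attributed to `security_content_ctime`, and the UTC timezone are assumptions made for the example.

```python
import base64
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample events shaped like Endpoint.Processes records (_time in epoch seconds).
# The encoded argument is a harmless "Get-Date" in UTF-16LE, built here rather than pasted.
BENIGN_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[Dict] = [
    {"_time": 1700000000, "dest": "wks01", "user": "alice", "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\explorer.exe",
     "process": f"powershell.exe -NoProfile -EncodedCommand {BENIGN_ENCODED}"},
    {"_time": 1700000300, "dest": "wks01", "user": "alice", "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\explorer.exe",
     "process": "powershell.exe -NoProfile -Command Get-Process"},
    {"_time": 1700000600, "dest": "wks01", "user": "alice", "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\explorer.exe",
     "process": f"powershell.exe -w hidden -enc {BENIGN_ENCODED}"},
    {"_time": 1700001200, "dest": "wks02", "user": "bob", "process_name": "powershell.exe",
     "parent_process_name": "cmd.exe", "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "process": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    # Same substring in the command line, but not powershell.exe: the WHERE clause drops it.
    {"_time": 1700001800, "dest": "wks03", "user": "carol", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\explorer.exe",
     "process": "cmd.exe /c echo -EncodedCommand"},
]


def ctime(epoch: int) -> str:
    """Mimic `security_content_ctime` (convert ctime, %m/%d/%Y %H:%M:%S). UTC assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def is_encoded_command(process: str) -> bool:
    """Equivalent of `search process=*-EncodedCommand* OR process=*-enc*`:
    a case-insensitive substring match, as Splunk wildcard field searches are."""
    p = process.lower()
    return "-encodedcommand" in p or "-enc" in p


def decode_encoded_command(process: str) -> Optional[str]:
    """Triage helper: decode the argument that follows -EncodedCommand/-enc.
    PowerShell expects base64 of the UTF-16LE script; return None if it does not decode."""
    tokens = process.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def run_detection(events: Iterable[Dict]) -> List[Dict]:
    """Re-implement the tstats search: group powershell.exe events by
    user/process_name/parent_process_name/dest, then keep groups where ANY
    command line matches. Note the order: `count` covers every powershell.exe
    run in the group, because the trailing `| search` runs after aggregation."""
    groups = defaultdict(lambda: {"count": 0, "process": set(), "parent_process": set(),
                                  "first": None, "last": None})
    for ev in events:
        # Simplification: compare process_name case-insensitively.
        if ev["process_name"].lower() != "powershell.exe":
            continue
        key = (ev["user"], ev["process_name"], ev["parent_process_name"], ev["dest"])
        g = groups[key]
        g["count"] += 1
        g["process"].add(ev["process"])
        g["parent_process"].add(ev["parent_process"])
        g["first"] = ev["_time"] if g["first"] is None else min(g["first"], ev["_time"])
        g["last"] = ev["_time"] if g["last"] is None else max(g["last"], ev["_time"])

    results = []
    for (user, pname, ppname, dest), g in groups.items():
        if not any(is_encoded_command(p) for p in g["process"]):
            continue
        results.append({
            "user": user, "process_name": pname, "parent_process_name": ppname, "dest": dest,
            "count": g["count"],
            "process": sorted(g["process"]),
            "parent_process": sorted(g["parent_process"]),
            "firstTime": ctime(g["first"]),
            "lastTime": ctime(g["last"]),
            # Extra triage field not in the SPL: what each encoded command actually was.
            "decoded": [d for d in (decode_encoded_command(p) for p in g["process"]) if d],
        })
    return results


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields one row for `wks01`/`alice` with `count` 3, even though only two of the three command lines were encoded; that mirrors the SPL, where the `| search` filter is applied to the multivalue `process` field after `tstats` has already counted every powershell.exe execution in the group. The `cmd.exe` event containing the same substring never reaches the filter because the `where Processes.process_name=powershell.exe` clause excludes it first.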