Description
This detection identifies the use of PowerShell with encoded commands (-EncodedCommand or -enc flags). Attackers often use encoded PowerShell commands to obfuscate their actions and evade detection. The encoding (usually base64) allows them to hide malicious code that might otherwise be caught by security controls. This technique is commonly used in various attack scenarios including initial access, execution, and lateral movement phases.
Detection Details
- Tool
- Splunk
- Category
- SIEM
- Severity
- High
- Status
- Active
Metadata
- ID
- SPLUNK-001
- Author
- Ahmed Al Balushi
- Last Updated
- 2023-11-15
MITRE ATT&CK Techniques
False Positives
- Legitimate administrative scripts using encoded commands
- Security tools that use PowerShell with encoded commands
- Software deployment systems using encoded PowerShell commands
Tool-Specific Rule Format
[PowerShell Encoded Command Execution]
search = index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (EncodedCommand OR -enc) | table _time, host, user, Message
alert.severity = high
alert.suppress = false
alert.track = true
counttype = number of events
cron_schedule = */15 * * * *
description = Detects PowerShell execution with encoded commands, which is commonly used by attackers to obfuscate malicious code.
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
Query
index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (EncodedCommand OR -enc) | table _time, host, user, MessageImplementation Notes
This rule should be implemented as a scheduled search in Splunk. The search looks for specific patterns in your log data. Consider tuning the search to exclude known legitimate activities in your environment. You may need to adjust the cron schedule and time window based on your log volume and performance considerations.
Alert Details
View Detection RuleWhy This Alert Fired
This alert was triggered by a Splunk detection rule that identified detects powershell execution with encoded commands, which is commonly used by attackers to obfuscate malicious code.
Investigation Steps
- Review the full event details in the SIEM platform
- Search for the full event using the query below:
index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (EncodedCommand OR -enc) | table _time, host, user, Message
- Examine the context of the event, including user, host, and network information
- Look for unusual patterns or deviations from normal behavior
- Check if the activity is consistent with the user's role and typical activities
- Check for related events before and after the detection time
- Verify if the activity is expected for the user/system in question
- Correlate with other security events from the same source or target
True Positive Indicators
- Command contains suspicious encoded payloads
- Execution from temporary directories or unusual locations
- Activity from user accounts that don't typically use PowerShell
- Command execution outside of normal business hours
False Positive Indicators
- Legitimate administrative scripts using encoded commands
- Security tools that use PowerShell with encoded commands
- Software deployment systems using encoded PowerShell commands
Recommended Response Actions
This is a high-severity detection and requires immediate attention.
- Isolate affected systems from the network
- Capture forensic evidence before any remediation
- Reset credentials for any compromised accounts
- Block any identified malicious IPs/domains at the firewall
- Initiate incident response procedures
Documentation & Evidence Collection
- Document all investigation steps and findings in the case management system
- Capture screenshots of relevant events and timelines
- Export raw logs and preserve them as evidence
- Document any systems accessed and actions taken during investigation
- Record all remediation actions if a true positive is confirmed