Malicious PowerShell Process With Obfuscation Techniques
This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
Malicious PowerShell Process With Obfuscation Techniques Help
This search looks for PowerShell processes that are passing command-line arguments with unusual characters (backticks and carets) that are PowerShell-specific escape characters. Attackers use this obfuscation technique because it does not affect the functionality of PowerShell, yet it bypasses standard security controls that match on plain malicious strings and commands. The search counts the occurrences of these obfuscation characters and lists the destination IPs running these PowerShell commands.
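
The counting logic described above, sketched in Python over process-creation events. This is an added example, not the search shipped with this content; the field names (dest, process_name, process), the pwsh.exe entry, the threshold parameter and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Process names treated as PowerShell (pwsh.exe is an assumption).
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}
# Escape characters the search counts: backtick and caret.
OBFUSCATION_CHARS = "`^"

# Constructed sample events; the commands themselves are benign.
EVENTS = [
    {"dest": "10.0.0.5", "process_name": "powershell.exe",
     "process": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"'},
    {"dest": "10.0.0.7", "process_name": "powershell.exe",
     "process": 'powershell.exe -Command "G`e`t-D`a`te"'},
    {"dest": "10.0.0.7", "process_name": "PowerShell.EXE",
     "process": "PowerShell.EXE -No^Pro^file -Command Get-Date"},
    {"dest": "10.0.0.9", "process_name": "cmd.exe",
     "process": "cmd.exe /c e^c^h^o hello"},
    # A single backtick can be legitimate (here the `n newline escape).
    {"dest": "10.0.0.11", "process_name": "powershell.exe",
     "process": "powershell.exe -Command Write-Output 'a`nb'"},
]


def count_obfuscation(cmdline):
    """Number of backticks and carets in a command line."""
    return sum(cmdline.count(ch) for ch in OBFUSCATION_CHARS)


def detect(events, threshold=1):
    """Map each dest to its PowerShell command lines whose count of
    obfuscation characters is at least `threshold`, highest count first."""
    hits = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() not in POWERSHELL_NAMES:
            continue  # only PowerShell processes are in scope
        n = count_obfuscation(ev["process"])
        if n >= threshold:
            hits[ev["dest"]].append((n, ev["process"]))
    return {dest: sorted(rows, reverse=True) for dest, rows in hits.items()}


if __name__ == "__main__":
    for dest, rows in detect(EVENTS, threshold=2).items():
        for n, cmdline in rows:
            print(dest, n, cmdline)
```

With threshold=1 every command line containing one of these characters is reported; raising the threshold suppresses hosts whose only hit is a lone legitimate backtick.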