Security Monitoring: PowerShell used to Invoke an Encoded Command

Security.Monitoring.Event.InvokeEncodedCommand (Rule)

One way to get around PowerShell parsing issues is to pass the command as a Base64 string using the -EncodedCommand (or -Enc) switch. An attacker can also use this to obscure what is really being run. This may be normal, and it may be malicious, which is why the alert carries the user, process name and full command line for triage. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details.

Element properties:

Target:          Microsoft.Windows.Server.OperatingSystem
Category:        Alert
Enabled:         True
Alert Generate:  True
Alert Severity:  Error
Alert Priority:  Normal
Remotable:       True
Alert Message:
Security Monitoring: PowerShell used to Invoke an Encoded Command

One way to get around PowerShell parsing issues is to encode a command to a Base64 string. An attacker can also use this to obscure what they are really doing. This may be normal, and it may be malicious. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details.
Logging Computer: {0}

User Name: {1}

Process Name: {2}

Command Line: {3}

Member Modules:

ID     Module Type   TypeId                                     RunAs
DS     DataSource    SecurityMonitoringMP.4688CommandAudit.DS   Default
Alert  WriteAction   System.Health.GenerateAlert                Default

Source Code:

<Rule ID="Security.Monitoring.Event.InvokeEncodedCommand" Target="Windows!Microsoft.Windows.Server.OperatingSystem" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="SecurityMonitoringMP.4688CommandAudit.DS">
      <InternalOption1>-Enc</InternalOption1>
      <InternalOption2>.exe</InternalOption2>
      <OverrideableFilePath1>Thisisagenericvaluethatyoucanoverride</OverrideableFilePath1>
      <OverrideableFilePath2>Thisisagenericvaluethatyoucanoverride</OverrideableFilePath2>
      <Switch1>-EncodedCommand</Switch1>
      <Switch2>-Enc</Switch2>
      <Switch3>.exe</Switch3>
      <Switch4>.exe</Switch4>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Security.Monitoring.Event.InvokeEncodedCommand.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/LoggingComputer$</AlertParameter1>
        <AlertParameter2>$Data/UserName$</AlertParameter2>
        <AlertParameter3>$Data/Params/Param[6]$</AlertParameter3>
        <AlertParameter4>$Data/Params/Param[9]$</AlertParameter4>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
      </Suppression>
      <Custom1/>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10>Security Monitoring Credible Threats</Custom10>
    </WriteAction>
  </WriteActions>
</Rule>
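The rule's alert path, as an added Python example that is not part of the management pack: it applies the two encoded-command switches the data source configures (Switch1/Switch2) to constructed 4688 command lines, builds the same four alert parameters (LoggingComputer, UserName, Param[6] process name, Param[9] command line), keys suppression on LoggingComputer as the rule's SuppressionValue does, and decodes the Base64 (UTF-16LE) payload so an analyst can see what was actually run. The exact matching logic of SecurityMonitoringMP.4688CommandAudit.DS is not shown on this page; the case-insensitive switch match below is an assumption, and all event data is constructed.

```python
import base64
import re
from dataclasses import dataclass

# Switch1/Switch2 of the rule's data source (case-insensitive, as powershell.exe is); the DS's own matching is assumed.
SWITCH_RE = re.compile(r'(?i)(?:^|\s)-enc(?:odedcommand)?\s+"?([A-Za-z0-9+/=]+)')
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
@dataclass
class Event4688:           # the fields the rule reads from a 4688 event
    logging_computer: str  # $Data/LoggingComputer$ (also the SuppressionValue)
    user_name: str         # $Data/UserName$
    process_name: str      # $Data/Params/Param[6]$ (NewProcessName)
    command_line: str      # $Data/Params/Param[9]$ (CommandLine)
def encoded_payload(command_line):
    """Base64 argument after -Enc / -EncodedCommand, or None if absent."""
    m = SWITCH_RE.search(command_line)
    return m.group(1) if m else None
def decode_payload(b64):
    """powershell.exe expects Base64 over UTF-16LE text; None if it won't decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
def alert_message(ev):
    """The four alert parameters in AlertParameter1..4 order."""
    return (f"Logging Computer: {ev.logging_computer}\nUser Name: {ev.user_name}\n"
            f"Process Name: {ev.process_name}\nCommand Line: {ev.command_line}")
def evaluate(events):
    """{LoggingComputer: (message, repeat_count, decoded)}; repeats on one host bump the count."""
    alerts = {}
    for ev in events:
        b64 = encoded_payload(ev.command_line)
        if b64 is None:
            continue
        if ev.logging_computer in alerts:           # SCOM suppression on LoggingComputer
            msg, count, decoded = alerts[ev.logging_computer]
            alerts[ev.logging_computer] = (msg, count + 1, decoded)
        else:
            alerts[ev.logging_computer] = (alert_message(ev), 1, decode_payload(b64))
    return alerts
def _b64_utf16le(text):  # only used to build the constructed samples below
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample events, not real log data; "AA==" is one byte of valid Base64, not valid UTF-16LE.
SAMPLE_EVENTS = [
    Event4688("SRV01", "CONTOSO\\alice", PS_EXE, "powershell.exe -NoProfile -Command Get-Date"),
    Event4688("SRV01", "CONTOSO\\alice", PS_EXE, "powershell.exe -EncodedCommand " + _b64_utf16le("Get-Process")),
    Event4688("SRV01", "CONTOSO\\bob", PS_EXE, "powershell.exe -enc " + _b64_utf16le("Get-Service")),
    Event4688("SRV02", "CONTOSO\\svc", PS_EXE, 'powershell.exe -Enc "AA=="'),
]
```

Running evaluate(SAMPLE_EVENTS) yields one alert for SRV01 with a repeat count of 2 (the second encoded hit on that host is suppressed into it) and one for SRV02 whose payload does not decode, which is itself worth a look.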