Looks for valid variations of the `-EncodedCommand` parameter. It is commonly used to encode or obfuscate commands, and not all occurrences are malicious.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Cyborg Security HUNTER |
| ID | d2d3bbc2-6e57-4043-ab24-988a6a6c88db |
| Tactics | DefenseEvasion, Execution |
| Techniques | T1027, T1059.001 |
| Required Connectors | SecurityEvent |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| SecurityEvent | `CommandLine matches regex "-[Ee^]{1,2}[NnCcOoDdEeMmAaPpHh^]+\s+"`<br>`NewProcessName endswith "powershell.exe"` | ✓ | ✓ | ✓ |
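To show which command lines the selection criteria above actually catch, here is an added Python example (not part of this content item or the HUNTER solution) that applies the same two filters to constructed SecurityEvent-style records and, for triage, decodes the base64/UTF-16LE payload that follows a matched flag. The record fields and sample command lines are assumptions.

```python
import base64
import binascii
import re

# The query's regex transcribed from KQL into Python's re (case-sensitive, like 'matches regex').
ENCODED_FLAG_RE = re.compile(r"-[Ee^]{1,2}[NnCcOoDdEeMmAaPpHh^]+\s+")


def is_candidate(event: dict) -> bool:
    """Apply both selection criteria to a SecurityEvent-like record."""
    proc = event.get("NewProcessName", "")
    cmd = event.get("CommandLine", "")
    # KQL 'endswith' is case-insensitive, so lower-case before comparing.
    return proc.lower().endswith("powershell.exe") and bool(ENCODED_FLAG_RE.search(cmd))


def decode_encoded_command(cmd: str):
    """Triage helper: decode the token after the matched flag as base64 of UTF-16LE text."""
    m = ENCODED_FLAG_RE.search(cmd)
    if not m:
        return None
    rest = cmd[m.end():].split(maxsplit=1)
    if not rest:
        return None
    try:
        return base64.b64decode(rest[0], validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # token is not an -EncodedCommand style payload


def hunt(events: list) -> list:
    """Return (CommandLine, decoded payload or None) for every matching event."""
    return [(e["CommandLine"], decode_encoded_command(e["CommandLine"]))
            for e in events if is_candidate(e)]


# Constructed sample records (not real telemetry); the payload is harmless.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"NewProcessName": PS_PATH,
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {PAYLOAD}"},
    # Caret characters between letters are tolerated by the regex.
    {"NewProcessName": PS_PATH, "CommandLine": f"powershell.exe -e^n^c {PAYLOAD}"},
    # Matches the regex (-ep) but carries no encoded payload: a benign hit.
    {"NewProcessName": PS_PATH,
     "CommandLine": r"powershell.exe -ep Bypass -File C:\scripts\backup.ps1"},
    # Wrong process name: excluded by the second criterion.
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c echo -enc {PAYLOAD}"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns three hits, and the `-ep Bypass` record decodes to `None`, which is the kind of benign match the description warns about.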