Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks for the method that Snip3 malware use to obfuscate PowerShell commands with UTF8 encoding. This technique is intended to evade detection from security products, and avoids the more standard switches used for encoding in malware such as Emotet. At present, this method of encoding is much more rare, b
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | c85c5b11-a5b9-480d-b9cf-79ba2289f770 |
| Tactics | Defense evasion |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Campaigns/snip3-encoded-powershell-structure.yaml) |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊