
Malicious PowerShell

Description: Detecting malicious PowerShell.

What The Data Shows: Looks for PowerShell command-line arguments that can be linked to malicious executions (an encoded command, Invoke-Expression and a web download, all in one command line).

SQL:

SELECT *
FROM processes
WHERE cmdline LIKE "%enc%"
AND cmdline LIKE "%IEX%"
AND cmdline LIKE "%web%"
AND name = "powershell.exe"
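As an added example (not from the original post or from Carbon Black), the hunt query above run with Python's sqlite3 over constructed process rows. Assumptions: a `processes` table with `pid`, `name` and `cmdline` columns and osquery-style SQLite semantics (ASCII case-insensitive LIKE); the rows are made up. It also shows two rows the query misses and reproduces the curly-quote failure the comments describe.

```python
import sqlite3

# Constructed rows shaped like the osquery-style processes table (assumed columns pid, name, cmdline); not real telemetry.
SAMPLE_PROCESSES = [
    # All three indicators in clear text -> expected hit.
    (101, "powershell.exe",
     'powershell.exe -nop -c "IEX ([Text.Encoding]::UTF8.GetString($webBytes))"'),
    # Lower-case variants: SQLite LIKE ignores ASCII case -> also a hit.
    (102, "powershell.exe",
     'powershell.exe -c "iex ([text.encoding]::ascii.getstring($web))"'),
    # Fully encoded command: IEX/web hide inside the base64 blob, only "enc" is visible -> missed.
    (103, "powershell.exe", "powershell.exe -nop -enc <BASE64_PLACEHOLDER>"),
    # PowerShell 7 uses a different image name -> missed by the name filter.
    (104, "pwsh.exe", 'pwsh.exe -c "IEX ([Text.Encoding]::UTF8.GetString($web))"'),
    # Benign administrative script -> no hit.
    (105, "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

# The thread's query with ASCII quotes; single-quoted literals are portable SQL (SQLite, hence osquery, also tolerates the post's double quotes).
HUNT_QUERY = """
SELECT pid FROM processes
WHERE cmdline LIKE '%enc%'
  AND cmdline LIKE '%IEX%'
  AND cmdline LIKE '%web%'
  AND name = 'powershell.exe'
"""

# Same query with the typographic quotes that were in the original post.
CURLY_QUOTE_QUERY = HUNT_QUERY.replace("'powershell.exe'", "\u201cpowershell.exe\u201d")

def load_processes(rows):
    """Build an in-memory SQLite processes table from the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT)")
    con.executemany("INSERT INTO processes VALUES (?, ?, ?)", rows)
    return con

def find_suspicious_powershell(rows):
    """Run the hunt query and return the matching pids in ascending order."""
    con = load_processes(rows)
    return [pid for (pid,) in con.execute(HUNT_QUERY + " ORDER BY pid")]

def curly_quote_query_fails(rows):
    """True when SQLite rejects the curly-quoted query, as the commenter reported."""
    try:
        load_processes(rows).execute(CURLY_QUOTE_QUERY)
        return False
    except sqlite3.OperationalError:
        return True
```

Rows 103 and 104 are the gaps worth knowing about: a command that is actually base64-encoded exposes none of the IEX/web text to the query, and pwsh.exe is not covered by the name filter.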

Community Manager
Status changed to: Approved

New Contributor

This script is using the right and left double quotation mark characters instead of the quotation mark character. If copied and pasted, the script won't run.

The amended version is:

SELECT *
FROM processes
WHERE cmdline LIKE "%enc%"
AND cmdline LIKE "%IEX%"
AND cmdline LIKE "%web%"
AND name = "powershell.exe"
Carbon Black Employee

@hardcoded Thanks for catching that and posting a fix! I did fix the original too.