Where can I find PowerShell commands?
G'day,
Can someone please help me to understand how I can find the PowerShell commands (if any) an adversary has run on the system through Splunk data? I have all the Windows security and PowerShell logs available. Just not sure how to do up a query that would not just find but also list the full PS command when it finds one.
Danke!
So if I ran this command:
(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*") | eval command_hash=md5(CommandLine) | lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash AS isFound | where isnull(command_hash)
Where would I be putting the CommandLine_whitelist file? Which location/tab, etc.?
I understand that CommandLine_whitelist will contain (as per that e.g. above):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -noprofile -encodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAIAAtAGEAbgBkACAAJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAC4AbABlAG4AZwB0AGgAIAAtAGwAdAAgADMAOQAgAC0AYQBuAGQAIAAkAF8ALgBVAG4AaQBuAHMAdABhAGwAbABTAHQAcgBpAG4AZwAgAC0AbABpAGsAZQAgACIAKgBtAHMAaQBlAHgAZQBjACoAIgB9ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUALAAgAFAAUwBDAGgAaQBsAGQATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuACwAIABJAG4AcwB0AGEAbABsAEQAYQB0AGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEAAewBOAGEAbQBlAD0AJwBBAHAAcAAgAE4AYQBtAGUAJwA7AEUAeAA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIFAAcgBvAGQAdQBjAHQAIABDAG8AZABlABggOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBQAFMAQwBoAGkAbABkAE4AYQBtAGUAfQB9ACwAYAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABAAHsATgBhAG0AZQA9ABggVgBlAHIAcwBpAG8AbgAZIDsARQB4AHAAcgBlAHMAcwBpAG8AbgA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIEkAbgBzAHQAYQBsAGwAZQBkACAATwBuABkgOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBJAG4AcwB0AGEAbABsAEQAYQB0AGUAfQB9ACAAfAAgAFMAbwByAHQAIAAnAEEAcABwACAATgBhAG0AZQAnAA== -inputFormat xml -outputFormat xml
Danke!

What is your goal?
Perhaps you can state what you are trying to achieve here. As it stands, your SPL will not do what it appears you are trying to do, i.e. find non-whitelisted command hashes.
As far as lookups are concerned, go to Settings->Lookups and you can upload CSV lookup files. Note that a lookup definition is an abstraction on top of the file. Without the .csv in your example, it appears you are trying to use a definition, which is also accessed by the same menu option.
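The following is an added example, not code from the thread or from Splunk. It does offline in Python what the SPL above is trying to do: hash each CommandLine with md5, drop the hashes found in a CSV whitelist shaped like a Splunk lookup file, and, for what remains, decode any -EncodedCommand payload (base64 of UTF-16LE text) so the analyst sees the full script rather than a base64 blob. The host names, payloads and whitelist entry are constructed for the example; the md5-over-UTF-8 detail is an assumption about how Splunk's md5() treats the field value.

```python
import base64
import binascii
import csv
import hashlib
import io
import re

# Key=value pairs as Splunk would extract them; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Any "-flag value" pair. The flag is validated separately, because powershell.exe
# accepts -EncodedCommand, -ec, -e and any unambiguous prefix such as -enc.
FLAG_RE = re.compile(r"(?<!\S)-(\w+)\s+([A-Za-z0-9+/=]{4,})")


def parse_event(line: str) -> dict:
    """Turn a key=value log line into a dict, mimicking Splunk's extracted fields."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument: base64 of the script in UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def is_encoded_flag(flag: str) -> bool:
    """True for -EncodedCommand, its alias -ec, and any prefix such as -e or -enc."""
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)


def extract_encoded_payload(command_line: str):
    """Return the base64 payload following an -EncodedCommand style flag, or None."""
    for m in FLAG_RE.finditer(command_line):
        if is_encoded_flag(m.group(1)):
            return m.group(2)
    return None


def decode_encoded_command(payload: str):
    """Decode base64 then UTF-16LE; return None if the payload is malformed."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def command_hash(command_line: str) -> str:
    """Equivalent of SPL's md5(CommandLine), assuming the text is hashed as UTF-8."""
    return hashlib.md5(command_line.encode("utf-8")).hexdigest()


def load_whitelist(csv_text: str) -> set:
    """Read the command_hash column of a CSV shaped like a Splunk lookup file."""
    return {row["command_hash"] for row in csv.DictReader(io.StringIO(csv_text))}


def triage(lines, whitelist):
    """Return PowerShell events whose command-line hash is not on the whitelist."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if "powershell" not in ev.get("process", "").lower():  # process=*powershell*
            continue
        cmd = ev.get("CommandLine", "")
        h = command_hash(cmd)
        if h in whitelist:  # the lookup matched: known-good, drop it
            continue
        payload = extract_encoded_payload(cmd)
        if payload is None:
            decoded, note = None, "no encoded payload"
        else:
            decoded = decode_encoded_command(payload)
            note = "decoded" if decoded is not None else "undecodable payload"
        hits.append({"host": ev.get("host"), "command_hash": h,
                     "command_line": cmd, "decoded": decoded, "note": note})
    return hits


# Constructed "approved" job and a one-row whitelist in Splunk CSV lookup shape.
APPROVED = "powershell.exe -noprofile -EncodedCommand " + encode_command("Get-Date")
WHITELIST_CSV = "command_hash,description\n" + command_hash(APPROVED) + ",approved inventory job\n"

# Constructed sample events (hypothetical hosts). WS05 carries base64 that is not
# valid UTF-16LE, to exercise the failure path.
SAMPLE_EVENTS = [
    f'host=WS01 process=powershell.exe CommandLine="{APPROVED}"',
    'host=WS02 process=cmd.exe CommandLine="cmd.exe /c dir"',
    f'host=WS03 process=powershell.exe CommandLine="powershell.exe -enc {encode_command("Get-Process | Sort-Object CPU")}"',
    'host=WS04 process=powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -Command Get-Service"',
    'host=WS05 process=powershell.exe CommandLine="powershell.exe -e QUJD"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, load_whitelist(WHITELIST_CSV)):
        print(hit["host"], hit["note"], hit["decoded"] or hit["command_line"])
```

Two points carry back to the SPL in the thread. First, `eval command_hash=md5(CommandLine)` sets command_hash on every event, so `where isnull(command_hash)` never passes; the field that is only present when the lookup matched is the one named in OUTPUTNEW (`isFound`), so that is the field to test for null. Second, a `process=*powershell*` filter, like the check above, will not catch PowerShell 7 (pwsh.exe), so widen it if that binary is in use in the environment.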
As per my initial question...
Trying to find any PowerShell commands that were run on any system in the Splunk data. If the command is found, show the complete command.

OK, so then from that command you tried to run, what did you learn about your data? Did it find anything? If you run the first line of that query, did it give you any results?
Take a look in the left-hand column of the Splunk display if you run the search in verbose mode. What fields can you see? What information can you learn from that?
In order to be able to help you, we need to understand what you are trying, what results you are getting and what your data looks like. At the moment, I am working in the dark.
Can you share more about any searches you have run so far and what results you have from those searches?
Thank you. I found that indeed. However, I thought asking here might be quicker than scrolling through so much of that stuff 🙂

What have you tried so far? A quick search in Answers gives this example, which is searching for PowerShell:
https://community.splunk.com/t5/Splunk-Enterprise-Security/Inputlookup-Not-matching-Data/m-p/377433
So much will depend on what you are trying to do and what your data looks like in your environment.

A good place to look for example queries is in the Splunk research docs:
https://research.splunk.com/detections/
You can search for PowerShell and there are lots of examples that may be related to your use case.
