Advanced Powershell Hunting with the Splunk Decrypt App
If you already have powershell event logs in Splunk and want to decode the base64, this may help. This tutorial builds on the work of others with some new cleverness to provide an efficient decoding of powershell commands for threat hunting. After adding the Splunk Decrypt addon #2655 to decode powershell encoded scripts I ran into a problem. Namely that the app decodes the powershell fine but removing the null padding (seen as periods) took me a while to figure out. TL;DR Here is the sig index=edr powershell.exe process=powershell.exe command_line!="" ( command_line="* -en*" OR command_line="* -e *" ) NOT ( -Enable* OR -Encoding ) | rex field=command_line "(?i)-en?c?o?d?e?d?c?o?m?m?a?n?d?\s('|\")?(? [\w/+]{16,3920}\=?\=?)('|\")?" | decrypt field=base64_command atob hex emit('base64_decoded_hex') | rex mode=sed field=base64_decoded_hex "s/([0-9A-Fa-f]{2})00/%\1/g" | eval base64_decoded_command=urldec...