Detect PoWERsheLL mixed case obfuscation using Splunk

Mixed case obfuscation is a good technique if security appliances are case sensitive and a wash if they aren't. But looking at "PoWERsheLL -e" you know it's bad, so let's do a quick signature for the case obfuscation to add to our other PowerShell detections. Of course this ONLY detects the mixed case, but it is a valid TTP as it is seen in the wild.

First you will need to profile the existing common case occurrences for your network. It turned out I see just a couple of common ones, which will become our filter.

Profile search:

    index=edr powershell command_line=*powershell* | rex field=command_line "(?i)(?<case_sensitive_string>powershell)" | stats count by case_sensitive_string

So (?i) does a case insensitive match for powershell, the named group captures the exact spelling that matched, and stats does its normal case sensitive aggregation. Hopefully at this point you have a small filter list.

Now for the real search (the regex command is case sensitive unless you add (?i), which is exactly what we want here):

    index=edr powershell command_line=*powershell* | regex command_line!="(POWERSHELL|powershell)" | table comm...
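The same two steps (profile the case variants, then filter the common spellings out) as an added Python example that is not from the post. It runs over constructed EDR command lines and, going a bit beyond the post, derives the filter list from a count threshold and checks every occurrence of the word rather than the line as a whole; the function names and sample data are my own.

```python
import re
from collections import Counter

# Constructed sample EDR command_line values (not real telemetry). The
# WindowsPowerShell path is why profiling matters: it contributes the
# spelling "PowerShell" on every normal launch.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    r"powershell -ExecutionPolicy Bypass -File C:\Temp\deploy.ps1",
    r"POWERSHELL.EXE -Command Get-Service",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE -Command hostname",
    r"PoWERsheLL -e BASE64PLACEHOLDER",
    r"pOwErShElL.exe -NoProfile -Command hostname",
    r"cmd.exe /c dir",
    r"powershell.exe -File C:\scripts\backup.ps1",
    r"POWERSHELL -NoLogo -Command hostname",
]

# Same idea as the post's rex "(?i)(?<case_sensitive_string>powershell)":
# match case-insensitively but keep the exact spelling that matched.
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)


def profile_case_variants(command_lines):
    """Step 1 (profile search): count each exact spelling of 'powershell'.
    Unlike rex (first match only), every occurrence is counted, so the exe
    name is not hidden behind the WindowsPowerShell path."""
    counts = Counter()
    for line in command_lines:
        counts.update(POWERSHELL_RE.findall(line))
    return counts


def build_allowlist(counts, min_count=2):
    """Spellings seen at least min_count times become the baseline filter."""
    return {variant for variant, n in counts.items() if n >= min_count}


def detect_mixed_case(command_lines, allowlist):
    """Step 2 (real search): flag lines with a spelling outside the baseline.
    The post's regex command_line!="(POWERSHELL|powershell)" drops a line if
    an allowed spelling appears anywhere in it; checking every occurrence
    still flags a line whose path spells it normally."""
    hits = []
    for line in command_lines:
        variants = POWERSHELL_RE.findall(line)
        if variants and any(v not in allowlist for v in variants):
            hits.append(line)
    return hits
```

With the sample data the baseline becomes {"PowerShell", "powershell", "POWERSHELL"} and only the two deliberately mangled spellings are flagged.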