Threat Hunting - Powershell Script Blocks

With the Sophos process journals you can see loads of information about the execution of processes as well as their command lines, but you cannot see the commands typed into an interactive PowerShell session, since they run inside the same powershell.exe process and never appear on a command line. Thankfully "we have a journal for that".

There are plenty of improvements that could be made to this query, so please feel free to update it with more refinements.

-- Powershell Script Block
-- List the PowerShell scripts and commands that have been run directly in the terminal. Useful for seeing commands like Invoke-WebRequest and PSSession commands.
-- name=startTime type=date variable=$$startTime$$
-- name=endTime type=date variable=$$endTime$$

SELECT
   *
FROM
   sophos_powershell_events spe
WHERE
   time > $$startTime$$ AND time < $$endTime$$
   AND script_text NOT LIKE 'Set-Location%'
   AND script_text NOT LIKE '%Set-StrictMode%'
   AND script_text NOT LIKE 'prompt'
   AND script_text NOT LIKE '%System.Management.ManagementDateTimeConverter%'
   AND script_text NOT LIKE '$this.Runspace%'
   -- the above NOT LIKES are to remove some of the noise within the powershell auditing.
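To see what the NOT LIKE filters actually keep and drop, here is an added example (not part of the original post or of any Sophos code) that applies the same five patterns, with SQL LIKE semantics, to a handful of constructed script-block rows and tags the survivors that mention Invoke-WebRequest or PSSession. It assumes rows with only the `time` and `script_text` columns the query filters on.

```python
import re

# Constructed sample rows; real rows come from sophos_powershell_events
# and carry more columns than the two the query filters on.
SAMPLE_EVENTS = [
    {"time": 100, "script_text": "Set-Location C:\\Users\\alice"},
    {"time": 110, "script_text": "prompt"},
    {"time": 120, "script_text": "function prompt { 'PS> ' }"},
    {"time": 130, "script_text": "Invoke-WebRequest -Uri http://example.invalid/a.ps1 -OutFile a.ps1"},
    {"time": 140, "script_text": "$this.Runspace.Debugger.SetDebugMode(0)"},
    {"time": 150, "script_text": "Enter-PSSession -ComputerName host01"},
    {"time": 160, "script_text": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"time": 900, "script_text": "Invoke-WebRequest -Uri http://example.invalid/b.ps1"},
]

# The NOT LIKE patterns from the query, verbatim.
NOISE_PATTERNS = [
    "Set-Location%",
    "%Set-StrictMode%",
    "prompt",
    "%System.Management.ManagementDateTimeConverter%",
    "$this.Runspace%",
]

# Commands the post calls out as worth a look.
INTERESTING = ("Invoke-WebRequest", "PSSession")


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL LIKE pattern into an anchored regex: % is any run of
    characters, _ is one character, everything else is literal. A pattern
    with no wildcard ('prompt') therefore only matches the whole text.
    osquery is built on SQLite, whose LIKE is case-insensitive for ASCII."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


NOISE_REGEXES = [like_to_regex(p) for p in NOISE_PATTERNS]


def is_noise(script_text: str) -> bool:
    """True when any NOT LIKE pattern would drop this script block."""
    return any(r.match(script_text) for r in NOISE_REGEXES)


def hunt(events, start_time, end_time):
    """Mirror the WHERE clause: keep rows inside the window that are not noise,
    and tag each with the interesting commands it mentions (possibly none)."""
    hits = []
    for e in events:
        if not (start_time < e["time"] < end_time) or is_noise(e["script_text"]):
            continue
        tags = [t for t in INTERESTING if t.lower() in e["script_text"].lower()]
        hits.append({**e, "tags": tags})
    return hits
```

Note that `'prompt'` without a wildcard only removes the bare `prompt` block; a redefined prompt function survives the filter, which is usually what you want.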