
Regarding:

==========================

McAfee's Rule Identifier 131328 is described in KB82925 on How to identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event:

Detect use of long -encodedcommand powershell

Alerts on variations of the encodedcommand [base64] powershell usage

WMI provides a way of executing code or moving laterally in an environment. Some legitimate software may use this way, so this rule should be behavior in your environment

It may or may not be harmful. That's why it's suspicious. Further investigation would require catching and decoding the base64 encoded PowerShell command and analyzing whether it's legitimate use or not.

==========================


So I need to search for base64-related strings on my whole Windows 10 computer.

How can I do this from, for example, PowerShell?

The strings that I am searching for:

ToBase64String
FromBase64String
  • It seems you are misinterpreting the above. You do not necessarily need powershell. It is powershell code that needs to be deciphered, which means you are only looking for .ps1 files. You can do a massive search for .ps1 files and then search these files for that text. If you have no .ps1 files at all, there already is no problem.
    – LPChip
    Commented Jun 7, 2019 at 7:16
  • @LPChip but that PowerShell command could as well be embedded in a batch or other script file. Also, if a command already is encoded, you'd have to look for powershell.exe -encodedCommand $encodedCommand or similar.
    – LotPings
    Commented Jun 7, 2019 at 11:58
  • my original question is just to how to search for a given string on C:\ drive. :) but thanks for any interesting infos :O
    – niving6473
    Commented Jun 7, 2019 at 13:30

1 Answer

Just use the Select-String cmdlet. (Of course this will only work on plain-text files, and searching all of the C: drive will take a very, very long time, depending on the drive size and what's on it.) You will get a bunch of read / access denied errors in certain locations as well, even if you do this as admin.

# Discover the String-related functions and cmdlets available in this session
Get-Command -Name '*String*' -CommandType Function |
Out-GridView -PassThru -Title 'Available named functions'

Get-Command -Name '*String*' -CommandType Cmdlet |
Out-GridView -PassThru -Title 'Available named cmdlets'

# Syntax, parameter names and full / online / example help for Select-String
Get-Command -Name Select-String -Syntax
(Get-Command -Name Select-String).Parameters.Keys

Get-Help -Name Select-String -Full
Get-Help -Name Select-String -Online
Get-Help -Name Select-String -Examples

# Usage examples (adapted from the Select-String help)
"Hello","HELLO" | Select-String -Pattern "HELLO" -CaseSensitive
Select-String -Path "*.xml" -Pattern "the the"
Select-String -Path "$pshome\en-US\*.txt" -Pattern "@"

# Search the Message property of the 100 newest Application event log entries
$Events = Get-EventLog -LogName application -Newest 100
$Events | Select-String -InputObject {$_.message} -Pattern "failed"

# Recursive search of a directory tree, the form the question is after
Get-ChildItem c:\windows\system32\*.txt -Recurse | Select-String -Pattern "Microsoft" -CaseSensitive
Select-String -Path "process.txt" -Pattern "idle, svchost" -NotMatch

# Keep 2 lines before and 3 lines after each hit as context
$F = Select-String -Path "audit.log" -Pattern "logon failed" -Context 2, 3
$F.count
($F)[0].context | Format-List

# -AllMatches reports every match on a line, not only the first
$A = Get-ChildItem $pshome\en-us\about*.help.txt | Select-String -Pattern "transcript"
$B = Get-ChildItem $pshome\en-us\about*.help.txt | Select-String -Pattern "transcript" -AllMatches
$A
$B
$A.matches
$B.matches
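The following is an added example, not code from the original question, the answer or the McAfee KB article. It puts the answer's Select-String approach together with the advice quoted in the question ("catching and decoding the base64 encoded PowerShell command"): it sweeps a drive for the two .NET method names and for `powershell -EncodedCommand <base64>` invocations, and decodes any encoded command it finds without executing it. The root path, the extension list and the function names are assumptions chosen for illustration.

```powershell
# Added example, not part of the original question or answer.
# Assumptions (all hypothetical): the drive is C:\, scripts live in files with
# the text-like extensions listed below, and the patterns searched for are the
# ones named in the McAfee rule text quoted in the question.

# Decode the payload of a 'powershell -EncodedCommand <base64>' invocation.
# -EncodedCommand takes Base64 of UTF-16LE text, so decode with Unicode, not UTF8.
# The decoded text is only returned for inspection, never executed.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Line)

    # -e, -ec, -enc, -EncodedCommand ... are all abbreviations of the same parameter
    $m = [regex]::Match($Line, '-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    catch [FormatException] {
        return $null   # looked like Base64 but was not valid
    }
}

# Recursively search $Root for the strings of interest and report each hit,
# decoding any encoded command that appears on the matching line.
function Find-Base64PowerShell {
    param(
        [string]$Root = 'C:\',
        [string[]]$Include = @('*.ps1','*.psm1','*.psd1','*.bat','*.cmd','*.vbs','*.js','*.hta','*.txt','*.log','*.xml')
    )

    # Select-String matches case-insensitively by default
    $patterns = @(
        'ToBase64String',
        'FromBase64String',
        'powershell(\.exe)?\b.*-e[a-z]*\s+[A-Za-z0-9+/]{16,}={0,2}'
    )

    # Access-denied errors are expected even as admin; suppress them rather than abort
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.Path
                LineNumber = $_.LineNumber
                Match      = $_.Matches[0].Value
                Decoded    = ConvertFrom-EncodedCommand -Line $_.Line
            }
        }
}

# Constructed sample so the decoder can be checked without touching the drive:
# encode a harmless command the way an -EncodedCommand caller would, then decode it.
$payload    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "hello"'))
$sampleLine = "powershell.exe -NoP -W Hidden -enc $payload"
ConvertFrom-EncodedCommand -Line $sampleLine

# Whole-drive sweep; write the results out, because the run takes a long time
# Find-Base64PowerShell -Root 'C:\' | Export-Csv -NoTypeInformation .\base64-hits.csv
```

Run it from an elevated prompt and expect it to be slow on a large drive. The decoder deliberately stops at `[Text.Encoding]::Unicode.GetString`; never pass a decoded payload to `Invoke-Expression` while triaging it. Note also what a file search cannot find: as the quoted KB text says, the encoded command may have been launched through WMI or otherwise from memory, in which case nothing is on disk and the invocation would have to be recovered from the command line recorded in the event that raised the alert.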
