This hunt hypothesis targets potential Snip3 remote access trojan (RAT) activity by looking for the encoded PowerShell structure the family uses to stage its payload: a UTF-8 byte array decoded with `[System.Text.Encoding]::UTF8.GetString(@(...))` and passed to `IEX`, rather than the more common `-EncodedCommand` switch that many detections key on. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) so that early-stage Snip3 infections can be identified and contained before the RAT establishes persistence or exfiltrates data.
KQL Query
DeviceFileEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_all ("IEX","Text.Encoding","UTF8.GetString(@")
| where InitiatingProcessCommandLine has_any ("Unrestricted","Hidden")
```yaml
id: c85c5b11-a5b9-480d-b9cf-79ba2289f770
name: snip3-encoded-powershell-structure
description: |
  Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all members exhibit similar behaviors and techniques.
  The following query looks for the method Snip3 malware uses to obfuscate PowerShell commands with UTF-8 encoding: the command is embedded as a byte array and decoded at runtime with UTF8.GetString before being passed to IEX. This technique is intended to evade detection by security products and avoids the more standard encoding switches (such as -EncodedCommand) used by malware families like Emotet.
  At present this method of encoding is much rarer, being seen largely in the loader stage of RevengeRAT, AsyncRAT and other RATs used in campaigns targeting the aviation industry.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - DefenseEvasion
query: |
  DeviceFileEvents
  | where InitiatingProcessFileName =~ "powershell.exe"
  | where InitiatingProcessCommandLine has_all ("IEX","Text.Encoding","UTF8.GetString(@")
  | where InitiatingProcessCommandLine has_any ("Unrestricted","Hidden")
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft 365 Defender (`MicrosoftThreatProtection`) data connector; ensure the connector is enabled and that device file events are being ingested, otherwise the query returns nothing rather than failing |
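To make the query's logic concrete outside Sentinel, the following added example (not part of the original hunting query) emulates its three `where` clauses over constructed `DeviceFileEvents`-style records and then decodes the embedded `@(...)` byte array so an analyst can read the second stage without executing it. The sample records and the inert second-stage text are constructed for illustration; the `has_all`/`has_any` emulation uses case-insensitive substring matching, which is an approximation of KQL's term-based `has`.

```python
"""Emulate the Snip3 hunting query and decode the staged payload.

Added example; not part of the original hunting query or of Snip3.
All records below are constructed for illustration.  KQL `has` is
term-based, so the case-insensitive substring test used here is an
approximation of `has_all` / `has_any`.
"""
import re

HAS_ALL = ("IEX", "Text.Encoding", "UTF8.GetString(@")
HAS_ANY = ("Unrestricted", "Hidden")

# Decimal byte list handed to UTF8.GetString, e.g. @(87,114,...)
BYTE_ARRAY = re.compile(r"UTF8\.GetString\(@\(([\d,\s]+)\)\)", re.IGNORECASE)


def contains_ci(haystack, needle):
    """Case-insensitive substring test (approximates KQL `has`)."""
    return needle.lower() in haystack.lower()


def matches_query(record):
    """True when a record would survive all three `where` clauses."""
    if record["InitiatingProcessFileName"].lower() != "powershell.exe":
        return False
    cmd = record["InitiatingProcessCommandLine"]
    if not all(contains_ci(cmd, term) for term in HAS_ALL):
        return False
    return any(contains_ci(cmd, term) for term in HAS_ANY)


def decode_embedded_bytes(cmd):
    """Return the decoded text of the @(...) byte list, or None if absent."""
    match = BYTE_ARRAY.search(cmd)
    if not match:
        return None
    raw = bytes(int(b) for b in match.group(1).split(",") if b.strip())
    return raw.decode("utf-8", errors="replace")


def encode_as_byte_array(text):
    """Build the @(...) form the obfuscation emits (used only to construct samples)."""
    return "@(" + ",".join(str(b) for b in text.encode("utf-8")) + ")"


def hunt(records):
    """Apply the query and attach the decoded stage two to each hit."""
    return [
        {"record": r, "stage2": decode_embedded_bytes(r["InitiatingProcessCommandLine"])}
        for r in records
        if matches_query(r)
    ]


# Constructed samples.  The "stage two" is harmless text, not malware.
STAGE2 = "Write-Host 'stage two would run here'"

SUSPICIOUS = {  # matches: all three terms plus Unrestricted/Hidden
    "InitiatingProcessFileName": "powershell.exe",
    "InitiatingProcessParentFileName": "wscript.exe",
    "InitiatingProcessCommandLine": (
        'powershell.exe -ExecutionPolicy Unrestricted -WindowStyle Hidden '
        '-Command "IEX([System.Text.Encoding]::UTF8.GetString('
        + encode_as_byte_array(STAGE2) + '))"'
    ),
}
NO_FLAGS = {  # same structure but no Unrestricted/Hidden: the has_any clause drops it
    "InitiatingProcessFileName": "powershell.exe",
    "InitiatingProcessParentFileName": "explorer.exe",
    "InitiatingProcessCommandLine": (
        'powershell.exe -Command "IEX([System.Text.Encoding]::UTF8.GetString('
        + encode_as_byte_array(STAGE2) + '))"'
    ),
}
BASE64_STYLE = {  # Emotet-style -EncodedCommand: out of scope for this query
    "InitiatingProcessFileName": "powershell.exe",
    "InitiatingProcessParentFileName": "cmd.exe",
    "InitiatingProcessCommandLine": "powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgA",
}
SAMPLES = [SUSPICIOUS, NO_FLAGS, BASE64_STYLE]

if __name__ == "__main__":
    for hit in hunt(SAMPLES):
        print(hit["record"]["InitiatingProcessParentFileName"], "->", hit["stage2"])
```

The `NO_FLAGS` record shows the query's deliberate narrowing: the UTF8.GetString structure alone is not enough, a `-WindowStyle Hidden` or `-ExecutionPolicy Unrestricted` switch must also be present, so a variant that drops those switches would need a separate hunt.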
The scenarios below describe legitimate activity that can reproduce the query's pattern (a UTF-8 byte array decoded with `UTF8.GetString` and passed to `IEX`, launched with `-WindowStyle Hidden` or `-ExecutionPolicy Unrestricted`). Each Filter/Exclusion is an additional `| where` clause appended to the query. Exclusions keyed on command-line keywords are weak because the attacker controls the command line; where possible, scope an exclusion to a known device, account or parent process instead.
Scenario: Legitimate PowerShell Script Decoding an Embedded UTF-8 Byte Array
Description: A system administrator or security team runs a PowerShell script that deliberately mimics the Snip3 pattern, for example during security awareness training or a red team simulation. Such exercises should be scoped in advance so the hosts and accounts involved are known.
Filter/Exclusion: `| where not(InitiatingProcessCommandLine has_any ("security-training", "redteam"))`, or, preferably for a scoped exercise, `| where not(DeviceName in~ ("REDTEAM-01"))` (placeholder host name).
Scenario: Scheduled Task Running a Byte-Array-Decoded Script
Description: A scheduled task runs a script that decodes an embedded byte array as part of a routine maintenance job, such as log rotation or configuration backup. Tasks are launched by the Task Scheduler service host (svchost.exe on current Windows), not by schtasks.exe, which only creates and manages tasks. Maintenance scripts rarely need this decoding pattern, so review the task definition before excluding it.
Filter/Exclusion: `| where not(InitiatingProcessParentFileName =~ "svchost.exe" and InitiatingProcessCommandLine has_any ("log-rotation", "backup"))`
Scenario: Admin Task Using Byte-Array Encoding for Code Obfuscation
Description: An administrator obfuscates a PowerShell script with the same UTF8.GetString structure for a Just-In-Time (JIT) or "secure deployment" workflow. Obfuscation is not a security control; inventory such scripts and, where possible, key the exclusion to a signed script path rather than a keyword.
Filter/Exclusion: `| where not(InitiatingProcessCommandLine has_any ("JIT", "secure-deploy"))`
Scenario: Byte-Array-Decoded Script Used by a Security Tool
Description: A security tool or SIEM integration script uses the same encoding to avoid quoting or parsing problems in a custom log parser or data ingestion script.
Filter/Exclusion: `| where not(InitiatingProcessParentFileName in~ ("logparser.exe", "siem-ingest.exe"))` (placeholder tool names; substitute the actual parent executables)
Scenario: Byte-Array-Decoded Script in a DevOps Pipeline
Description: A DevOps pipeline agent runs a PowerShell script that decodes an embedded byte array as part of a CI/CD process, such as during deployment or configuration management.
Filter/Exclusion: `