This hunting query looks for a process created with the command line "ps.exe -accepteula". The -accepteula switch is common to the Sysinternals tools, and a Sysinternals binary (typically PsExec) renamed to ps.exe is the tradecraft documented in US-CERT alert TA17-293A, which the Sigma rule below is named after. Renamed PsExec is a lateral-movement and remote-execution tool; it is not a PowerShell indicator, so PowerShell activity of any kind does not match this query. SOC teams should proactively hunt for this behavior in Azure Sentinel to surface lateral movement or persistence by an advanced actor. Two properties of the predicate matter before relying on it: "=~" is a case-insensitive string equality, so a command line that carries a path or any further arguments (for example "C:\Temp\ps.exe -accepteula -s \\host cmd") is not returned, and "top 100 by Timestamp desc" returns only the newest 100 hits. Widen the match with "contains" on ProcessCommandLine if broader coverage is wanted, at the cost of more tuning.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine =~ "ps.exe -accepteula"
| top 100 by Timestamp desc
id: 6ee810f8-aeca-45c7-81d8-5646ed558961
name: apt ta17 293a ps
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine =~ "ps.exe -accepteula"
  | top 100 by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure the connector is enabled and DeviceProcessEvents is selected |
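To see what the predicate actually catches, the following added example (not code from the page or from the Sigma rule) replays the query's logic over constructed DeviceProcessEvents rows in Python and compares it with an assumed broader match. The sample rows, the helper names (page_predicate, broadened_predicate, hunt) and the assumption that PsExec's version-info OriginalFileName is "psexec.c" are this example's own.

```python
"""Model of the page's hunting predicate over constructed DeviceProcessEvents rows.

Added example, not the page's own code: it mirrors
  DeviceProcessEvents | where Timestamp > ago(7d)
  | where ProcessCommandLine =~ "ps.exe -accepteula" | top 100 by Timestamp desc
in Python so the coverage of the exact-match predicate can be compared with an
assumed broader one. Sample rows are constructed, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DeviceProcessEvent:
    """Subset of the Advanced Hunting DeviceProcessEvents columns used here."""
    Timestamp: datetime
    DeviceName: str
    AccountName: str
    FileName: str
    FolderPath: str
    ProcessCommandLine: str
    ProcessVersionInfoOriginalFileName: str
    InitiatingProcessFileName: str


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # stands in for now() in KQL

# Constructed rows. Only WS01 and SRV01 carry the exact command line the query wants.
SAMPLE_EVENTS = [
    DeviceProcessEvent(NOW - timedelta(hours=1), "WS01", "jdoe", "ps.exe",
                       r"C:\Users\jdoe\AppData\Local\Temp\ps.exe",
                       "ps.exe -accepteula", "psexec.c", "cmd.exe"),
    # Same tool, launched by full path with target arguments: =~ does NOT match this.
    DeviceProcessEvent(NOW - timedelta(hours=2), "WS02", "jdoe", "ps.exe",
                       r"C:\Windows\Temp\ps.exe",
                       r"C:\Windows\Temp\ps.exe -accepteula -s \\10.0.0.5 cmd.exe",
                       "psexec.c", "powershell.exe"),
    # Different case only: =~ is case-insensitive, so this still matches.
    DeviceProcessEvent(NOW - timedelta(hours=3), "SRV01", "svc_deploy", "ps.exe",
                       r"C:\Tools\ps.exe", "PS.EXE -ACCEPTEULA", "psexec.c", "svchost.exe"),
    # A scheduled PowerShell maintenance script: never matches, whatever it runs.
    DeviceProcessEvent(NOW - timedelta(hours=4), "WS03", "asmith", "powershell.exe",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\maint.ps1",
                       "PowerShell.EXE", "schtasks.exe"),
    # Exact command line but nine days old: outside the ago(7d) window.
    DeviceProcessEvent(NOW - timedelta(days=9), "WS04", "jdoe", "ps.exe",
                       r"C:\Users\jdoe\ps.exe", "ps.exe -accepteula", "psexec.c", "cmd.exe"),
]

WINDOW = timedelta(days=7)   # ago(7d)
TARGET = "ps.exe -accepteula"


def page_predicate(ev: DeviceProcessEvent, now: datetime = NOW) -> bool:
    """The page's filter: inside the 7-day window and ProcessCommandLine =~ TARGET.

    KQL =~ is case-insensitive string *equality*, so a path prefix or any extra
    argument on the command line defeats it."""
    return ev.Timestamp > now - WINDOW and ev.ProcessCommandLine.lower() == TARGET


def broadened_predicate(ev: DeviceProcessEvent, now: datetime = NOW) -> bool:
    """Assumed broadening, not on the page: substring match (KQL `contains`) on the
    command line, or the PsExec version-info OriginalFileName, assumed here to be
    'psexec.c', which survives renaming the file on disk."""
    if ev.Timestamp <= now - WINDOW:
        return False
    return (TARGET in ev.ProcessCommandLine.lower()
            or ev.ProcessVersionInfoOriginalFileName.lower() == "psexec.c")


def hunt(events, predicate, limit: int = 100):
    """Apply a predicate and return the newest `limit` hits, like `top 100 by Timestamp desc`."""
    hits = [ev for ev in events if predicate(ev)]
    hits.sort(key=lambda ev: ev.Timestamp, reverse=True)
    return hits[:limit]


if __name__ == "__main__":
    for name, pred in (("page query", page_predicate), ("broadened", broadened_predicate)):
        print(name, [ev.DeviceName for ev in hunt(SAMPLE_EVENTS, pred)])
```

Run stand-alone it lists WS01 and SRV01 for the page's predicate and adds WS02 for the broadened one; the PowerShell row never appears under either, which is the point to keep in mind when tuning the false-positive scenarios below.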
Scenario: Scheduled System Maintenance Task
Description: A scheduled task or deployment job launches a renamed Sysinternals tool with the exact command line "ps.exe -accepteula", for example a maintenance script that stages PsExec as ps.exe on the host. A maintenance task that only runs PowerShell does not match this query, because the predicate is an equality test on the ps.exe command line.
Filter/Exclusion: Check InitiatingProcessFileName and InitiatingProcessCommandLine for the Task Scheduler service host (svchost.exe hosting the Schedule service) or the known task script, and exclude only when FolderPath and SHA256 of ps.exe match the approved copy.
Scenario: Administrator Running a Renamed Sysinternals Tool
Description: An administrator has copied PsExec or another Sysinternals tool to ps.exe and runs it with -accepteula to suppress the licence prompt during routine configuration or patching, which matches the detection logic exactly. An administrator running powershell.exe, whatever the script, does not produce a match.
Filter/Exclusion: Filter by AccountName in the list of administrative accounts and DeviceName in admin workstations or jump hosts, and confirm the SHA256 corresponds to the Microsoft-signed Sysinternals binary before excluding; an unsigned or unknown hash under this name should stay in scope.
Scenario: Logon Script Execution
Description: A Group Policy or user logon script invokes ps.exe -accepteula to perform environment setup on the local machine. Logon scripts that only run PowerShell commands do not match.
Filter/Exclusion: Check InitiatingProcessFileName for the logon script host (for example gpscript.exe for Group Policy scripts) and FolderPath for the approved script or tool location on the domain share, and exclude only on a matching SHA256.
Scenario: Software Deployment or Patching Job
Description: A deployment or patch-management agent pushes a renamed Sysinternals tool and runs it as ps.exe -accepteula on target hosts. Windows Update itself (wusa.exe) and PowerShell-based patch jobs do not invoke ps.exe and will not match.
Filter/Exclusion: Filter by InitiatingProcessFileName of the management agent and the FolderPath it stages tools in, and exclude only on a matching SHA256.
Scenario: Security or IT Tooling Bundling a Sysinternals Binary
Description: A vulnerability scanner, remote-support or forensic collection tool ships PsExec under the name ps.exe and launches it with -accepteula as part of its own workflow, which resembles the detection logic.
Filter/