Powershell-activity-after-email-from-malicious-sender detects potential PowerShell-based malware execution triggered by emails from known malicious senders, indicating possible initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before further damage occurs.
KQL Query

```kql
//Find PowerShell activities right after email was received from malicious sender
let x=EmailEvents
| where SenderFromAddress =~ "MaliciousSender@example.com"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
x
| join (
    DeviceProcessEvents
    | where FileName =~ "powershell.exe"
    //| where InitiatingProcessParentFileName =~ "outlook.exe"
    | project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
| where (TimeProc - TimeEmail) between (0min.. 30min)
```
```yaml
id: 0605673c-8363-40b3-bbe2-ac1a2c17d116
name: powershell-activity-after-email-from-malicious-sender
description: |
  Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious sender, you can use this query to list and review PowerShell activities that occurred within 30 minutes after an email was received from the sender.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  //Find PowerShell activities right after email was received from malicious sender
  let x=EmailEvents
  | where SenderFromAddress =~ "MaliciousSender@example.com"
  | project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
  x
  | join (
      DeviceProcessEvents
      | where FileName =~ "powershell.exe"
      //| where InitiatingProcessParentFileName =~ "outlook.exe"
      | project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
  ) on AccountName
  | where (TimeProc - TimeEmail) between (0min.. 30min)
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator uses PowerShell to automate the deployment of a software update via PSake or Pester scripts.
  - Filter/Exclusion: Exclude PowerShell scripts executed from known administrative tools or scheduled tasks with a specific ExecutionPolicy set to RemoteSigned or AllSigned.
- Scenario: A user receives a legitimate email from a partner company (e.g., sales@partner.com) containing a .ps1 file that is part of a shared script repository (e.g., GitHub or OneDrive).
  - Filter/Exclusion: Exclude PowerShell scripts originating from trusted email domains or known shared script repositories.
- Scenario: A scheduled job runs a PowerShell script to generate reports using Export-Csv or Out-GridView for internal reporting purposes.
  - Filter/Exclusion: Exclude PowerShell scripts executed by scheduled tasks with a known job name or associated with a specific service account.
- Scenario: An IT support team uses PowerShell to remotely manage endpoints via Invoke-Command or Enter-PSSession as part of routine maintenance.
  - Filter/Exclusion: Exclude PowerShell activity initiated from known IT management tools or executed by service accounts with elevated privileges.
- Scenario: A developer uses PowerShell to run unit tests via Pester or PSake as part of a CI/CD pipeline (e.g., Azure DevOps or Jenkins).
  - Filter/Exclusion: Exclude PowerShell scripts executed from CI/CD pipelines or integrated development environments (IDEs) like Visual Studio or VS Code.
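As an added example (not part of the original query or the Sentinel content), the Python below reimplements the query's join logic over constructed email and process events, so the 30-minute window and the AccountName matching can be checked offline, and adds the parent-process exclusion that the false-positive scenarios above suggest. Table and field names mirror the KQL; the sample events, the 2024 timestamps and the svchost.exe exclusion are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class EmailEvent:            # stand-in for the EmailEvents table
    timestamp: datetime
    sender: str              # SenderFromAddress
    recipient: str           # RecipientEmailAddress
    subject: str

@dataclass
class ProcessEvent:          # stand-in for the DeviceProcessEvents table
    timestamp: datetime
    account: str             # AccountName
    parent: str              # InitiatingProcessParentFileName
    filename: str            # FileName

def account_from_recipient(addr: str) -> str:
    # split(RecipientEmailAddress, "@")[0], lower-cased: KQL 'join on' compares
    # string keys case-sensitively, unlike the =~ filters used elsewhere in the query.
    return addr.split("@")[0].lower()

def correlate(emails, procs, sender, window=timedelta(minutes=30), benign_parents=()):
    """(email, process) pairs where powershell.exe ran under the recipient's account
    within `window` after mail from `sender`; `benign_parents` is the tuning knob."""
    sender, benign = sender.lower(), {b.lower() for b in benign_parents}
    hits = []
    for e in (e for e in emails if e.sender.lower() == sender):
        acct = account_from_recipient(e.recipient)
        for p in procs:
            if p.filename.lower() != "powershell.exe" or p.account.lower() != acct:
                continue
            if p.parent.lower() in benign:   # e.g. a scheduled-task host, per FP scenario
                continue
            if timedelta(0) <= p.timestamp - e.timestamp <= window:  # inclusive, like between()
                hits.append((e, p))
    return hits

def demo():
    # Constructed sample data; only the 09:12 Outlook-spawned PowerShell should match.
    t0 = datetime(2024, 1, 15, 9, 0)
    def ps(m, acct, parent):  # a powershell.exe start m minutes after the mail
        return ProcessEvent(t0 + timedelta(minutes=m), acct, parent, "powershell.exe")
    emails = [EmailEvent(t0, "MaliciousSender@example.com", "Jane.Doe@contoso.example", "Invoice")]
    procs = [ps(12, "jane.doe", "outlook.exe"),   # hit
             ps(5, "jane.doe", "svchost.exe"),    # excluded by benign_parents tuning
             ps(45, "jane.doe", "explorer.exe"),  # outside the 30 minute window
             ps(-1, "jane.doe", "explorer.exe"),  # ran before the mail arrived
             ps(3, "bob", "outlook.exe")]         # different account
    return correlate(emails, procs, "maliciousSender@example.com", benign_parents=["svchost.exe"])
```

In the KQL itself the equivalent of the lower-casing is wrapping both AccountName projections in `tolower()` before the join, since `join on` matches string keys exactly while `=~` does not.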