Adversaries may use PowerShell cmdlets to execute malicious scripts or establish persistence, making this behavior indicative of potential compromise. SOC teams should proactively hunt for unusual or unexpected PowerShell command usage in Azure Sentinel to identify and mitigate early-stage threats.
KQL Query
```kql
let powershellCommandName = "Invoke-RickAscii";
DeviceEvents
| where ActionType == "PowerShellCommand"
// This filter improves query performance, as it avoids needing to parse Command from all rows and only then applying a filter
| where AdditionalFields contains powershellCommandName
// Extract the powershell command name from the Command field in the AdditionalFields JSON column
| project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
// Do an exact case-insensitive match on the command name field
| where PowershellCommand =~ powershellCommandName
```
```yaml
id: 261d966b-5c1a-4d28-b444-3a8caac6246e
name: PowershellCommand footprint
description: |
  Find all machines running a given PowerShell cmdlet.
  This covers all PowerShell commands executed in the PowerShell engine by any process.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let powershellCommandName = "Invoke-RickAscii";
  DeviceEvents
  | where ActionType == "PowerShellCommand"
  // This filter improves query performance, as it avoids needing to parse Command from all rows and only then applying a filter
  | where AdditionalFields contains powershellCommandName
  // Extract the powershell command name from the Command field in the AdditionalFields JSON column
  | project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
  // Do an exact case-insensitive match on the command name field
  | where PowershellCommand =~ powershellCommandName
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| System Update via Group Policy | A PowerShell cmdlet like Invoke-Command is used to deploy system updates across multiple machines using Group Policy. | Exclude processes with ProcessName containing gupdate or gpol, or filter by CommandLine containing Invoke-Command -ComputerName with known update servers. |
| Scheduled Job for Log Rotation | A scheduled PowerShell job runs Clear-EventLog or Remove-Item to rotate or clear log files on a regular basis. | Exclude processes with ProcessName containing schtasks, or filter by CommandLine containing Clear-EventLog or Remove-Item with known log paths. |
| Admin Task – User Rights Assignment | An administrator uses Set-UserRightsAssignment or Set-ADUser to modify user permissions or rights in Active Directory. | Exclude processes with ProcessName containing adsiedit or adsi, or filter by CommandLine containing Set-ADUser or Set-UserRightsAssignment. |
| PowerShell Script for Patch Management | A legitimate patch management script runs Start-Process or Invoke-Command to apply patches on remote systems. | Exclude processes with ProcessName containing patchmgr, or filter by CommandLine containing Start-Process with known patch executables or Invoke-Command with known patch servers. |
| PowerShell Module Load for Reporting | A reporting tool loads a PowerShell module using Import-Module to generate system health reports. | Exclude processes with ProcessName containing reportingtool or filter |
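The hunting query above looks for a single cmdlet name, and the scenarios above describe tuning it by excluding known initiating processes and known-good command lines. The following KQL is an added example, not part of the original query or the Azure Sentinel repository: it generalises the query to a list of cmdlet names, applies scenario-style exclusions, and summarises the footprint per device. It assumes that the scenarios' "ProcessName" and "CommandLine" correspond to the DeviceEvents columns InitiatingProcessFileName and InitiatingProcessCommandLine. Everything in the three lists other than Invoke-RickAscii (the second cmdlet name, the process names, the command-line fragments) is a placeholder to be replaced with values from your own environment, not a real indicator.

```kql
// Added example: multi-cmdlet footprint with tuning exclusions.
// Not part of the original hunting query; all list contents except
// Invoke-RickAscii are placeholders for environment-specific values.
let powershellCommandNames = dynamic(["Invoke-RickAscii", "Invoke-PlaceholderCmdlet"]);
// Initiating processes expected to run these cmdlets legitimately
// (e.g. patch management or reporting tooling, as in the scenarios above)
let excludedInitiatingProcesses = dynamic(["patchmgr.exe", "reportingtool.exe"]);
// Command-line fragments that identify known-good usage
// (e.g. Invoke-Command against a known update server)
let excludedCommandLinePatterns = dynamic(["-ComputerName UPDATESERVER01", "Clear-EventLog -LogName Application"]);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PowerShellCommand"
// Cheap term-based pre-filter on the raw JSON before parsing it,
// in the same spirit as the contains filter in the original query
| where AdditionalFields has_any (powershellCommandNames)
| extend PowershellCommand = extractjson("$.Command", AdditionalFields, typeof(string))
// Exact, case-insensitive match against any of the cmdlet names
| where PowershellCommand in~ (powershellCommandNames)
// Scenario-style exclusions: known initiating processes and known-good command lines
| where not(InitiatingProcessFileName in~ (excludedInitiatingProcesses))
| where not(InitiatingProcessCommandLine has_any (excludedCommandLinePatterns))
// Footprint per device and cmdlet: how often, when, and which processes launched it
| summarize Executions = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            InitiatingProcesses = make_set(InitiatingProcessFileName, 10),
            ParentProcesses = make_set(InitiatingProcessParentFileName, 10)
    by DeviceId, DeviceName, PowershellCommand
| order by Executions desc
```

The exclusions are deliberately narrow: they match a specific initiating process name or a specific command-line fragment, rather than any command line that merely mentions the cmdlet, so that a cmdlet run from an unexpected parent process still surfaces. Review the excluded lists periodically, since an attacker who launches PowerShell from a process that is on the exclusion list would be filtered out by it.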