PowerShell cmdlets that are rarely seen across the fleet but executed on a single machine can indicate adversarial activity: attackers frequently rely on unusual or obfuscated commands for persistence, credential access, or data exfiltration. This hunting query scopes the search to one device and a short time window around a pivot timestamp, then removes any cmdlet that is common across the estate (seen on many distinct devices), leaving the rare ones for analyst review. SOC teams can run it in Azure Sentinel (now Microsoft Sentinel) against Microsoft 365 Defender DeviceEvents data to identify potential compromise and scope lateral movement.
KQL Query
let targetDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
let pivotTime = datetime(2018-06-09T02:23:26.6832917Z);
// Query for PowerShell cmdlets
let powershellCommands =
DeviceEvents
| where ActionType == "PowerShellCommand"
// Extract the PowerShell command name from the Command field in the AdditionalFields JSON column
| project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
// Drop script and binary invocations so that only cmdlet names remain
| where PowershellCommand !endswith ".ps1" and PowershellCommand !endswith ".exe";
// Filter PowerShell cmdlets executed on the relevant machine within 5 minutes either side of the pivot time.
// Note: the let variable must not be named DeviceId, otherwise the column shadows it and "DeviceId == DeviceId"
// compares the column to itself, which is always true and silently returns every device.
powershellCommands | where DeviceId == targetDeviceId and Timestamp between ((pivotTime - 5min) .. 10min)
// Filter out common PowerShell cmdlets (seen on more than 20 distinct devices in the query time range)
| join kind=leftanti (powershellCommands | summarize MachineCount=dcount(DeviceId) by PowershellCommand | where MachineCount > 20) on PowershellCommand
id: 7d3acc08-312c-4139-85c9-f08299b79932
name: PowershellCommand - uncommon commands on machine
description: |
  Find which uncommon PowerShell cmdlets were executed on a given machine in a certain time period.
  This covers all PowerShell commands executed in the PowerShell engine by any process.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let targetDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
  let pivotTime = datetime(2018-06-09T02:23:26.6832917Z);
  // Query for PowerShell cmdlets
  let powershellCommands =
  DeviceEvents
  | where ActionType == "PowerShellCommand"
  // Extract the PowerShell command name from the Command field in the AdditionalFields JSON column
  | project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
  // Drop script and binary invocations so that only cmdlet names remain
  | where PowershellCommand !endswith ".ps1" and PowershellCommand !endswith ".exe";
  // Filter PowerShell cmdlets executed on the relevant machine within 5 minutes either side of the pivot time.
  // Note: the let variable must not be named DeviceId, otherwise the column shadows it and "DeviceId == DeviceId"
  // compares the column to itself, which is always true and silently returns every device.
  powershellCommands | where DeviceId == targetDeviceId and Timestamp between ((pivotTime - 5min) .. 10min)
  // Filter out common PowerShell cmdlets (seen on more than 20 distinct devices in the query time range)
  | join kind=leftanti (powershellCommands | summarize MachineCount=dcount(DeviceId) by PowershellCommand | where MachineCount > 20) on PowershellCommand
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and DeviceEvents is being ingested |
Known benign scenarios that will surface as "uncommon" cmdlets, with the exclusions to consider. Exclusions should be as narrow as possible (parent process plus command line, or a specific cmdlet), since a blanket exclusion on an account or a tool name also hides an attacker who has compromised that account or is impersonating that tool.

- **Scenario:** Scheduled job running a PowerShell script for system maintenance
  **Description:** A legitimate scheduled job runs a PowerShell script to perform system updates or patch management.
  **Filter/Exclusion:** Exclude processes associated with the Task Scheduler or specific job names such as Update-System or Patch-Management.

- **Scenario:** Admin performing PowerShell-based configuration management
  **Description:** An administrator uses PowerShell to configure settings across the enterprise, for example with Set-ItemProperty or Set-Service.
  **Filter/Exclusion:** Exclude processes run under the account of a known admin, or filter by command names such as Set-ItemProperty, Set-Service, or Get-Service. Account-based exclusions are the riskiest of the options listed here: a compromised admin account is exactly the case the hunt is meant to catch, so prefer cmdlet- or parent-process-based filters where possible.

- **Scenario:** PowerShell used for log analysis or monitoring
  **Description:** A monitoring tool or SIEM system uses PowerShell to parse and analyze log files, for example with Get-EventLog or Import-Csv.
  **Filter/Exclusion:** Exclude processes from known monitoring tools (e.g., Splunk, ELK Stack) or filter by command names such as Get-EventLog, Import-Csv, or Select-Object.

- **Scenario:** PowerShell script for backup or data migration
  **Description:** A backup or migration script runs PowerShell commands such as Copy-Item, Export-Csv, or Move-Item to transfer data between systems.
  **Filter/Exclusion:** Exclude processes associated with backup tools (e.g., Veeam, Commvault) or filter by command names such as Copy-Item, Export-Csv, or Move-Item.

- **Scenario:** PowerShell used for software deployment via SCCM or MDT
  **Description:** A deployment tool such as SCCM or MDT uses PowerShell to install software or configure endpoints.
  **Filter/Exclusion:** Exclude processes with the parent process being `CCM
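The following is an added example, not part of the original hunting query, showing how the exclusions above can be folded into the query while keeping the prevalence baseline meaningful. It differs from the page's query in three ways: the "common cmdlet" baseline is computed over an explicit lookback (30 days, an assumed value) rather than over whatever time range the workspace happens to be queried with; the exclusions are expressed as allowlists that are easy to review and tune; and results are aggregated per cmdlet with the parent processes and command lines that launched them, which is what an analyst actually needs to triage a hit. The parent-process names in `benignParents` are placeholders to be replaced with the real maintenance and deployment agents in your environment; the cmdlet list is taken from the scenarios on this page.

```kusto
// Added example (not the original Sentinel query). Assumptions: 30-day baseline,
// rarity threshold of 20 devices, placeholder parent-process allowlist.
let targetDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
let pivotTime = datetime(2018-06-09T02:23:26.6832917Z);
let baselineLookback = 30d;      // assumed: how far back to measure cmdlet prevalence
let rareThreshold = 20;          // cmdlets seen on more devices than this are "common"
// Placeholder parent process names for patching/backup/deployment agents; replace with real ones
let benignParents = dynamic(["patchagent.exe", "backupsvc.exe"]);
// Cmdlets the page's scenarios describe as routine admin, monitoring and backup activity
let expectedCmdlets = dynamic([
    "Set-ItemProperty", "Set-Service", "Get-Service",
    "Get-EventLog", "Import-Csv", "Select-Object",
    "Copy-Item", "Export-Csv", "Move-Item"]);
// All cmdlet executions in the baseline window, with the invoking process context kept for triage
let powershellCommands =
    DeviceEvents
    | where Timestamp > ago(baselineLookback)
    | where ActionType == "PowerShellCommand"
    | project PowershellCommand = extractjson("$.Command", AdditionalFields, typeof(string)),
              InitiatingProcessCommandLine, InitiatingProcessParentFileName,
              InitiatingProcessAccountName, Timestamp, DeviceId
    | where PowershellCommand !endswith ".ps1" and PowershellCommand !endswith ".exe";
// Prevalence baseline: cmdlets observed on many distinct devices are not interesting for this hunt
let commonCmdlets =
    powershellCommands
    | summarize MachineCount = dcount(DeviceId) by PowershellCommand
    | where MachineCount > rareThreshold;
powershellCommands
// Scope to the device of interest and 5 minutes either side of the pivot time
| where DeviceId == targetDeviceId
| where Timestamp between ((pivotTime - 5min) .. 10min)
// Remove fleet-wide common cmdlets
| join kind=leftanti commonCmdlets on PowershellCommand
// Apply the narrow, reviewable exclusions from the false-positive scenarios
| where PowershellCommand !in~ (expectedCmdlets)
| where InitiatingProcessParentFileName !in~ (benignParents)
// One row per rare cmdlet, with enough launch context to decide whether it is malicious
| summarize Executions = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Accounts = make_set(InitiatingProcessAccountName, 5),
            Parents = make_set(InitiatingProcessParentFileName, 10),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceId, PowershellCommand
| order by Executions asc
```

Sorting with the least-executed cmdlets first puts the genuinely one-off commands at the top of the result set. Deliberately absent is any exclusion keyed on a user account: the page lists it as an option for the admin scenario, but an attacker operating under a stolen admin credential would be filtered out along with the admin, so that exclusion belongs in an analyst's triage notes rather than in the query.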