Execution (TA0002)

Sub-technique: T1059.001 - PowerShell

Objective: Detect malicious PowerShell script execution.

Detect PowerShell Script Execution

DeviceProcessEvents
| where ProcessCommandLine has "powershell"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName
| order by Timestamp desc

Purpose: Identify PowerShell script execution.

Detect Obfuscated PowerShell Commands

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and ProcessCommandLine matches regex "(?i)[^a-zA-Z0-9\\s]"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName
| order by Timestamp desc

Purpose: Detect obfuscated PowerShell commands.

PowerShell Download and Execute

DeviceProcessEvents
| where ProcessCommandLine has "Invoke-WebRequest"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName
| order by Timestamp desc

Purpose: Identify PowerShell commands downloading and executing content.

Detect PowerShell Executed from Suspicious Directories

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and ProcessCommandLine matches regex "C:\\\\Users\\\\[^\\\\] +\\\\AppData\\\\Local\\\\Temp"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName
| order by Timestamp desc

Purpose: Detect PowerShell execution from temporary directories.

Detect PowerShell Encoded Commands

DeviceProcessEvents
| where ProcessCommandLine has "EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath

Purpose: Identify PowerShell commands executed with encoded strings.

Monitor PowerShell for Command Line Length

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and strlen(ProcessCommandLine) > 1000
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc

Purpose: Detect long command-line executions that could indicate complex scripts.

PowerShell Execution by Non-Admin Users

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and InitiatingProcessAccountName != "Administrator"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc

Purpose: Monitor PowerShell usage by non-administrative users.

PowerShell Process Chaining

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and ProcessCommandLine has_any ("cmd.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc

Purpose: Detect PowerShell chained with other interpreters.

Detect PowerShell Execution via Macro

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and ProcessCommandLine has "WINWORD.EXE"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName
| order by Timestamp desc

Purpose: Identify PowerShell executed from Microsoft Word macros.

Monitor PowerShell Remoting

DeviceProcessEvents
| where ProcessCommandLine has "powershell" and ProcessCommandLine has "Enter-PSSession"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, AccountDomain, ActionType, FolderPath, FileName
| order by Timestamp desc

Purpose: Detect the use of PowerShell Remoting.

PreviousInitial Access (TA0001)NextPersistence (TA0003)

Last updated 11 months ago