Query Details

Coral Raider MSHTA Powershell

Query

# Rule Documentation: Defense Evasion - PowerShell CoralRaider PSChildName MSHTA Execution (Windows)

## Description
Detects the usage of PowerShell with `PSChildName` in its command line, which may indicate suspicious activity or attempts at defense evasion. This technique has been observed in activity attributed to the suspected CoralRaider threat actor, which uses various information stealers as detailed in the Talos article below.
- [Talos Intelligence Blog on CoralRaider](https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/)

## Detection Logic
- Filters `DeviceProcessEvents` for events where the original file name is `PowerShell.EXE`.
- Specifically looks for instances where the `ProcessCommandLine` contains the string `PSChildName`.

## Tags
- Defense Evasion

## Search Query
```kql
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == @"PowerShell.EXE"
| where ProcessCommandLine contains "PSChildName"
```

- Another query, from `DeviceEvents`, which does the same:

```kql
DeviceEvents
| where ActionType == @"PowerShellCommand"
| where InitiatingProcessCommandLine contains "PSChildName"
```

## Notes
The string `gp -pa` (the aliased, abbreviated form of `Get-ItemProperty -Path`) can also be used to hunt for the same activity.

Explanation

This query is designed to detect potentially suspicious activity involving the use of PowerShell on Windows systems. Specifically, it looks for instances where PSChildName appears in the PowerShell command line, which could indicate attempts at evading security measures. This technique has been associated with the CoralRaider threat actor, known for using various information-stealing malware.

Key Points:

  1. Purpose: To identify suspicious PowerShell activity that might be used for defense evasion.
  2. Detection Logic:
    • The query searches for events in DeviceProcessEvents where the original file name is PowerShell.EXE.
    • It filters these events to find those where the command line includes PSChildName.
    • Another similar query checks DeviceEvents for PowerShell commands that include PSChildName.
  3. Tags: The query is tagged under "Defense Evasion" to categorize the type of suspicious activity.
  4. Additional Note: The string gp -pa can also be used to hunt for the same suspicious activity.

This query helps security analysts identify and investigate potential defense evasion tactics involving PowerShell, which could be indicative of malicious activity by threat actors like CoralRaider.
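To show how the two filters behave on concrete records, here is an added Python emulation of the queries in the Search Query section and the Key Points above (example code, not the rule author's and not from the Talos article). It runs over constructed Defender-style events, mirrors KQL string semantics (`==` is case-sensitive, `contains` is case-insensitive), and adds the `gp -pa` string from the Notes as a second hunt term.

```python
"""Emulates the two hunting queries above over constructed events.
KQL semantics mirrored: `==` on strings is case-sensitive, `contains` is not."""

# Strings to hunt for: the query's own term plus the alias form from "Notes".
HUNT_STRINGS = ("PSChildName", "gp -pa")

def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()

def hunt(events: list[dict], eq_col: str, eq_val: str, cmd_col: str) -> list[tuple]:
    """Shape shared by both queries: | where <eq_col> == <eq_val>
                                     | where <cmd_col> contains <hunt string>"""
    hits = []
    for e in events:
        if e[eq_col] != eq_val:  # KQL == is case-sensitive: "powershell.exe" would not match
            continue
        found = [s for s in HUNT_STRINGS if kql_contains(e[cmd_col], s)]
        if found:
            hits.append((e["DeviceName"], found))
    return hits

def hunt_process_events(events: list[dict]) -> list[tuple]:
    return hunt(events, "ProcessVersionInfoOriginalFileName", "PowerShell.EXE", "ProcessCommandLine")

def hunt_device_events(events: list[dict]) -> list[tuple]:
    return hunt(events, "ActionType", "PowerShellCommand", "InitiatingProcessCommandLine")

# Constructed sample events using the Defender schema column names (not real telemetry).
PROCESS_EVENTS = [
    {"DeviceName": "ws01", "ProcessVersionInfoOriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": 'powershell.exe -c "(gp -pa HKCU:\\Example).PSChildName"'},
    {"DeviceName": "ws02", "ProcessVersionInfoOriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "powershell.exe -File C:\\ops\\backup.ps1"},  # benign: no hit
    {"DeviceName": "ws03", "ProcessVersionInfoOriginalFileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo PSChildName"},  # not PowerShell: filtered out
    {"DeviceName": "ws04", "ProcessVersionInfoOriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "powershell.exe -c Get-ChildItem | select pschildname"},  # case-insensitive hit
]
DEVICE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "PowerShellCommand",
     "InitiatingProcessCommandLine": "powershell.exe -c $k.PSChildName"},
    {"DeviceName": "ws05", "ActionType": "ProcessCreated",
     "InitiatingProcessCommandLine": "powershell.exe -c $k.PSChildName"},  # wrong ActionType: no hit
]

if __name__ == "__main__":
    print(hunt_process_events(PROCESS_EVENTS))  # [('ws01', ['PSChildName', 'gp -pa']), ('ws04', ['PSChildName'])]
    print(hunt_device_events(DEVICE_EVENTS))    # [('ws01', ['PSChildName'])]
```

The last sample in each list shows the two string-comparison edge cases worth remembering when tuning the rule: `contains` will catch lower-case `pschildname`, while the `==` filters silently miss any value whose casing differs from the literal in the query.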

Details

Ali Hussein

Released: May 19, 2024

Tables: DeviceProcessEvents, DeviceEvents

Keywords: Devices

Operators: where, contains