Query Details

Rule Documentation: Defense Evasion - PowerShell CoralRaider PSChildName MSHTA Execution (Windows)

Coral Raider MSHTA Powershell

Query

DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == @"PowerShell.EXE"
| where ProcessCommandLine contains "PSChildName"

- Another query from device events which does the same
DeviceEvents
| where ActionType == @"PowerShellCommand" | where InitiatingProcessCommandLine contains "PSChildName"

## Notes
"gp -pa" can also be used to hunt for the same

About this query

Rule Documentation: Defense Evasion - PowerShell CoralRaider PSChildName MSHTA Execution (Windows)

Description

Detects the usage of PowerShell with the PSChildName command, which may indicate suspicious activity or attempts at defense evasion. This technique has been observed in the activity of suspected CoralRaider, which uses various information stealers as detailed in the article.

Detection Logic

  • Filters DeviceProcessEvents for events where the original file name is PowerShell.EXE.
  • Specifically looks for instances where the ProcessCommandLine contains the string PSChildName.

Tags

  • Defense Evasion

Search Query

Explanation

This query is designed to detect potentially suspicious activity involving the use of PowerShell on Windows systems. Specifically, it looks for instances where the PSChildName command is used, which could indicate attempts at evading security measures. This technique has been associated with the CoralRaider threat actor, known for using various information-stealing malware.

Key Points:

  1. Purpose: To identify suspicious PowerShell activity that might be used for defense evasion.
  2. Detection Logic:
    • The query searches for events in DeviceProcessEvents where the original file name is PowerShell.EXE.
    • It filters these events to find those where the command line includes PSChildName.
    • Another similar query checks DeviceEvents for PowerShell commands that include PSChildName.
  3. Tags: The query is tagged under "Defense Evasion" to categorize the type of suspicious activity.
  4. Additional Note: The command gp -pa can also be used to search for similar suspicious activity.

Search Query:

DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == @"PowerShell.EXE"
| where ProcessCommandLine contains "PSChildName"

DeviceEvents
| where ActionType == @"PowerShellCommand"
| where InitiatingProcessCommandLine contains "PSChildName"

This query helps security analysts identify and investigate potential defense evasion tactics involving PowerShell, which could be indicative of malicious activity by threat actors like CoralRaider.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 19, 2024

Tables

DeviceProcessEventsDeviceEvents

Keywords

Devices

Operators

wherecontains

Actions

GitHub