Rule Documentation: Defense Evasion - PowerShell CoralRaider PSChildName MSHTA Execution (Windows)
Coral Raider MSHTA Powershell
Query
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == @"PowerShell.EXE"
| where ProcessCommandLine contains "PSChildName"
- Another query from device events which does the same
DeviceEvents
| where ActionType == @"PowerShellCommand" | where InitiatingProcessCommandLine contains "PSChildName"
## Notes
"gp -pa" can also be used to hunt for the sameAbout this query
Rule Documentation: Defense Evasion - PowerShell CoralRaider PSChildName MSHTA Execution (Windows)
Description
Detects the usage of PowerShell with the PSChildName command, which may indicate suspicious activity or attempts at defense evasion. This technique has been observed in the activity of suspected CoralRaider, which uses various information stealers as detailed in the article.
Detection Logic
- Filters
DeviceProcessEventsfor events where the original file name isPowerShell.EXE. - Specifically looks for instances where the
ProcessCommandLinecontains the stringPSChildName.
Tags
- Defense Evasion
Search Query
Explanation
This query is designed to detect potentially suspicious activity involving the use of PowerShell on Windows systems. Specifically, it looks for instances where the PSChildName command is used, which could indicate attempts at evading security measures. This technique has been associated with the CoralRaider threat actor, known for using various information-stealing malware.
Key Points:
- Purpose: To identify suspicious PowerShell activity that might be used for defense evasion.
- Detection Logic:
- The query searches for events in
DeviceProcessEventswhere the original file name isPowerShell.EXE. - It filters these events to find those where the command line includes
PSChildName. - Another similar query checks
DeviceEventsfor PowerShell commands that includePSChildName.
- The query searches for events in
- Tags: The query is tagged under "Defense Evasion" to categorize the type of suspicious activity.
- Additional Note: The command
gp -pacan also be used to search for similar suspicious activity.
Search Query:
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName == @"PowerShell.EXE"
| where ProcessCommandLine contains "PSChildName"
DeviceEvents
| where ActionType == @"PowerShellCommand"
| where InitiatingProcessCommandLine contains "PSChildName"
This query helps security analysts identify and investigate potential defense evasion tactics involving PowerShell, which could be indicative of malicious activity by threat actors like CoralRaider.
Details

Ali Hussein
Released: May 19, 2024
Tables
Keywords
Operators