Query Details

Potential Commands Executed By A PowerShell.exe Renamed

Query

**Potential commands executed by a renamed PowerShell.exe**

PowerShell is a trusted Microsoft tool that attackers can misuse by renaming its executable to hide their actions and deliver threats. The following query looks for common PowerShell command-line options in process events whose command line does not name PowerShell, in order to identify executions by a renamed PowerShell binary.
```
DeviceProcessEvents
// Drop command lines that name PowerShell explicitly; what remains may be a renamed binary.
| where ProcessCommandLine !contains "powershell"
| where ProcessCommandLine !contains "pwsh"
// Keep only command lines that still carry typical PowerShell arguments.
| where ProcessCommandLine contains "-NoProfile"
    or ProcessCommandLine contains "-ExecutionPolicy"
    or ProcessCommandLine contains "Invoke-Expression"
| project DeviceName, FileName, ActionType, ProcessVersionInfoOriginalFileName, ProcessCommandLine, ProcessRemoteSessionIP
```

Explanation

This query is designed to detect potentially malicious activities involving the use of PowerShell when its executable has been renamed to avoid detection. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at events related to processes on devices (DeviceProcessEvents).

  2. Filtering:

    • It excludes any process command lines that explicitly mention "powershell" or "pwsh" to focus on instances where PowerShell might have been renamed.
    • It then checks for specific PowerShell command-line arguments that are commonly used in attacks:
      • -NoProfile: This option starts PowerShell without loading the user's profile, which can be used to avoid detection.
      • -ExecutionPolicy: This option changes the execution policy, potentially allowing scripts to run that would otherwise be blocked.
      • Invoke-Expression: This command is often used to execute strings as commands, which can be a sign of malicious activity.

  3. Output:

    • It selects and displays relevant information about the detected processes, including:
      • DeviceName: The name of the device where the process was executed.
      • FileName: The name of the file that was executed.
      • ActionType: The type of action that was performed.
      • ProcessVersionInfoOriginalFileName: The original file name of the process, which helps determine whether it was renamed.
      • ProcessCommandLine: The full command line that was executed, providing context on what the process was doing.
      • ProcessRemoteSessionIP: The IP address of any remote session associated with the process, which can indicate remote control or access.

Overall, this query helps identify suspicious PowerShell activities that might be attempts to evade detection by renaming the executable and using specific command-line options associated with malicious behavior.
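The following Python re-implements the query's two filtering stages over a handful of constructed DeviceProcessEvents-style rows, so the logic can be exercised without a tenant. It is an added example for this page, not the author's KQL or any Microsoft code. It also adds one refinement the original query does not perform: comparing `ProcessVersionInfoOriginalFileName` with `FileName` to confirm the rename independently of the command line. The sample rows, the `ProcessEvent` class and the `triage()` bucketing are assumptions made for the example; the OriginalFilename values `PowerShell.EXE` and `pwsh.dll` are the ones carried by the two PowerShell hosts' version resources.

```python
"""Re-implementation of the renamed-PowerShell hunting logic over constructed
DeviceProcessEvents-style records.

Added example for this page; it is not the page's KQL nor product code. The
field names mirror the query's columns, the sample rows are constructed, and
the rename check in confirms_rename() is an added refinement that the original
query does not perform.
"""
from dataclasses import dataclass

# Command-line arguments the page's query looks for. KQL `contains` is
# case-insensitive, so everything is compared in lower case here.
SUSPICIOUS_ARGS = ("-noprofile", "-executionpolicy", "invoke-expression")

# Names the query excludes from ProcessCommandLine to focus on renamed binaries.
POWERSHELL_NAMES = ("powershell", "pwsh")

# OriginalFilename values from the PE version resource of the two PowerShell
# hosts (Windows PowerShell and PowerShell 7). Used only by the added rename
# check; the page's query does not filter on them.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
POWERSHELL_ON_DISK_NAMES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns used by the query (assumed shape)."""
    DeviceName: str
    FileName: str
    ActionType: str
    ProcessVersionInfoOriginalFileName: str
    ProcessCommandLine: str
    ProcessRemoteSessionIP: str


def matches_query(ev: ProcessEvent) -> bool:
    """Mirror of the KQL predicates: no 'powershell'/'pwsh' on the command
    line, and at least one of the suspicious arguments present."""
    cmd = ev.ProcessCommandLine.lower()
    if any(name in cmd for name in POWERSHELL_NAMES):
        return False
    return any(arg in cmd for arg in SUSPICIOUS_ARGS)


def confirms_rename(ev: ProcessEvent) -> bool:
    """Added check: the version resource identifies PowerShell while the file
    on disk carries a different name. Independent of the command line."""
    return (ev.ProcessVersionInfoOriginalFileName.lower() in POWERSHELL_ORIGINAL_NAMES
            and ev.FileName.lower() not in POWERSHELL_ON_DISK_NAMES)


def run_query(events):
    """Rows the page's query would return. The `project` step keeps exactly the
    fields of ProcessEvent, so each hit is returned unchanged."""
    return [ev for ev in events if matches_query(ev)]


def triage(events):
    """Sort rows into three buckets an analyst wants to see separately: query
    hits whose rename is confirmed by the version resource, query hits that
    still need review, and renamed binaries the command-line exclusion makes
    the query miss."""
    buckets = {"confirmed_renames": [], "needs_review": [], "missed_by_query": []}
    for ev in events:
        hit, renamed = matches_query(ev), confirms_rename(ev)
        if hit and renamed:
            buckets["confirmed_renames"].append(ev)
        elif hit:
            buckets["needs_review"].append(ev)
        elif renamed:
            buckets["missed_by_query"].append(ev)
    return buckets


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Renamed Windows PowerShell with the flagged arguments: the query fires.
    ProcessEvent("WS-01", "svchost32.exe", "ProcessCreated", "PowerShell.EXE",
                 r"svchost32.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\upd.ps1", ""),
    # Normal PowerShell use: excluded because the command line names powershell.
    ProcessEvent("WS-02", "powershell.exe", "ProcessCreated", "PowerShell.EXE",
                 "powershell.exe -NoProfile -Command Get-Date", ""),
    # Normal PowerShell 7 use: excluded the same way.
    ProcessEvent("WS-03", "pwsh.exe", "ProcessCreated", "pwsh.dll",
                 r"pwsh.exe -NoProfile -File C:\scripts\inventory.ps1", "10.0.0.5"),
    # Renamed binary whose command line happens to contain 'powershell' in a
    # script path: the exclusion drops it, but the version resource still shows the rename.
    ProcessEvent("WS-04", "updater.exe", "ProcessCreated", "PowerShell.EXE",
                 r"updater.exe -NoProfile -File C:\tools\powershell_backup.ps1", ""),
    # Unrelated process: no PowerShell arguments, no rename.
    ProcessEvent("WS-05", "notepad.exe", "ProcessCreated", "NOTEPAD.EXE",
                 r"notepad.exe C:\temp\readme.txt", ""),
]


if __name__ == "__main__":
    for name, rows in triage(SAMPLE_EVENTS).items():
        print(name, [ev.FileName for ev in rows])
```

The `missed_by_query` bucket is the caveat worth keeping in mind when tuning this rule: the exclusion works on the whole command line, so a renamed host whose arguments mention a path such as `...\powershell_backup.ps1` never reaches the second filter. In KQL the same idea is a predicate on `ProcessVersionInfoOriginalFileName` and `FileName` rather than on `ProcessCommandLine`.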

Details

Sergio Albea

Released: June 12, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, DeviceName, FileName, ActionType, ProcessVersionInfoOriginalFileName, ProcessCommandLine, ProcessRemoteSessionIP

Operators

DeviceProcessEvents, where, !contains, contains, or, project