Query Details

PowerShell Defense Evasion Detection

Query

//This query detects PowerShell commands using hidden windows or silent continue
//Helps identify attempts to hide malicious activity from users
DeviceProcessEvents
//has_all requires both strings to be present; switch to has_any to match either one (noisier, but catches more)
| where ProcessCommandLine has_all("SilentlyContinue", "Start-Process -WindowStyle Hidden")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Explanation

This query identifies PowerShell commands that try to run without being noticed by the logged-on user. It searches DeviceProcessEvents for process command lines that contain both "SilentlyContinue" (typically -ErrorAction SilentlyContinue, which suppresses error output) and "Start-Process -WindowStyle Hidden" (which launches a child process with no visible window). The combination of error suppression and a hidden window is a common pattern in droppers and loaders that want to avoid alerting the user. The has_all operator matches whole terms case-insensitively, so both strings must appear in the command line for a row to be returned; changing has_all to has_any returns rows that contain either string, which widens coverage but will be noisy because -ErrorAction SilentlyContinue is very common in legitimate administrative scripts. Be aware of the gaps as well: attackers frequently abbreviate the parameter (-w hidden, -win 1, -WindowStyle h) or pass -WindowStyle Hidden directly to powershell.exe rather than through Start-Process, and none of those variants match this query as written, so extend the search terms if you want to cover them. When triaging hits, the initiating process fields help separate scheduled admin jobs from Office or browser child processes spawning hidden PowerShell.
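To make the has_all versus has_any difference concrete, the following is an added Python example (not part of the original query page) that runs the same matching logic over a handful of constructed DeviceProcessEvents-style rows. The term-based matching in has_term is an approximation of KQL's has semantics (case-insensitive, whole-term, phrase terms must be consecutive) written for this illustration; the sample command lines are constructed, not real telemetry.

```python
import re

# Constructed sample rows standing in for DeviceProcessEvents records (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -NoP -c "Start-Process -WindowStyle Hidden '
                           '-FilePath cmd.exe -ErrorAction SilentlyContinue"'},
    # Benign-looking admin cleanup: suppresses errors but nothing is hidden.
    {"DeviceName": "ws02", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-ChildItem C:\\logs -ErrorAction SilentlyContinue | Remove-Item"},
    # Abbreviated hidden-window switch passed straight to powershell.exe; the query misses this.
    {"DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -enc SQBFAFgA"},
    # Hidden window via Start-Process but no SilentlyContinue: only has_any catches it.
    {"DeviceName": "ws04", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c powershell Start-Process -WindowStyle Hidden notepad.exe"},
    {"DeviceName": "ws05", "FileName": "svchost.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs"},
]

# The two search strings used by the page's query.
SEARCH_TERMS = ["SilentlyContinue", "Start-Process -WindowStyle Hidden"]


def tokenize(text: str) -> list[str]:
    """Split text into lower-cased alphanumeric terms, roughly how KQL indexes terms for `has`.
    This is an approximation written for the example, not Kusto's actual tokenizer."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def has_term(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: every term of the phrase must appear, in order and consecutively,
    as whole terms in the text (case-insensitive)."""
    needle = tokenize(phrase)
    hay = tokenize(text)
    if not needle:
        return False
    return any(hay[i:i + len(needle)] == needle for i in range(len(hay) - len(needle) + 1))


def has_all(text: str, phrases: list[str]) -> bool:
    """Approximate KQL `has_all`: all phrases must match."""
    return all(has_term(text, p) for p in phrases)


def has_any(text: str, phrases: list[str]) -> bool:
    """Approximate KQL `has_any`: at least one phrase must match."""
    return any(has_term(text, p) for p in phrases)


def run_query(events: list[dict], mode: str = "has_all") -> list[str]:
    """Emulate `DeviceProcessEvents | where ProcessCommandLine has_all/has_any(...)`
    and return the DeviceName of each matching row."""
    matcher = has_all if mode == "has_all" else has_any
    return [e["DeviceName"] for e in events if matcher(e["ProcessCommandLine"], SEARCH_TERMS)]


if __name__ == "__main__":
    for mode in ("has_all", "has_any"):
        print(f"{mode}: {run_query(SAMPLE_EVENTS, mode)}")
```

Running it shows has_all returning only ws01, has_any additionally returning the benign cleanup on ws02 and the SilentlyContinue-free hidden launch on ws04, and neither variant returning ws03, whose abbreviated -w hidden form is exactly the kind of gap the explanation above warns about.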

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

has_all, has_any, where, |