
PowerShell LOLBAS Execution With Public Network Connection

Query

# *PowerShell LOLBAS Execution with Public Network Connection*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |


#### Description
This rule detects PowerShell processes that are initiated by a LOLBAS binary and subsequently establish an outbound network connection to a public IP address. It leverages an external LOLBAS JSON data source to identify suspicious parent processes. This behavior could indicate an adversary using a Living Off The Land Binary or Script (LOLBAS) to execute PowerShell for malicious purposes, such as command and control or data exfiltration.

#### Risk
Defense Evasion

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://lolbas-project.github.io

## Defender XDR
```KQL
let timeWindow = 2m;
// Load LOLBAS JSON from external source
let lolbas = externaldata(Name:string, Category:string, Description:string, Commands:string)
[@"https://lolbas-project.github.io/api/lolbas.json"]
with(format="multijson");
// Join DeviceProcessEvents with LOLBAS list: keep PowerShell processes whose parent is a LOLBAS binary/script
let suspiciousProcesses = DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe", "pwsh.dll")
| join kind=inner (lolbas) on $left.InitiatingProcessFileName == $right.Name
| project Timestamp, DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, LOLBAS_Category = Category, LOLBAS_Description = Description, TimeWindowStart = Timestamp - timeWindow, TimeWindowEnd = Timestamp + timeWindow, SHA1;
// Correlate each such process with network events from the same PID on the same device
suspiciousProcesses
| join kind=inner (
    DeviceNetworkEvents
    | project NetworkTimestamp = Timestamp, DeviceId, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl, Protocol, ActionType, LocalIP, LocalPort, RemoteIPType, ReportId
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// Keep only outbound connections to public addresses within +/- timeWindow of process creation
| where isnotempty(RemoteIP) and RemoteIPType == "Public"
| where NetworkTimestamp between (TimeWindowStart .. TimeWindowEnd)
```


Explanation

This query is designed to detect potentially malicious activity involving PowerShell on a network. Here's a simplified breakdown of what it does:

1. Purpose: The query aims to identify instances where PowerShell is executed by a known Living Off The Land Binary or Script (LOLBAS) and then makes a connection to a public IP address. This behavior can indicate malicious activity, such as an attacker using PowerShell for unauthorized actions like command and control or data exfiltration.

2. Data Sources:
   - LOLBAS JSON: The query uses an external JSON data source from the LOLBAS project, which lists binaries and scripts that can be used for legitimate purposes but may also be abused by attackers.
   - DeviceProcessEvents: This data source provides information about processes running on devices, including PowerShell executions.
   - DeviceNetworkEvents: This data source provides information about network connections made by processes on devices.

3. Process:
   - The query first loads the LOLBAS data to obtain the names of known binaries/scripts that can be abused to launch PowerShell.
   - It then looks for PowerShell processes (powershell.exe, pwsh.exe, pwsh.dll) whose parent process (InitiatingProcessFileName) is one of these LOLBAS binaries/scripts.
   - It captures details about these processes, such as the timestamp, device information, process command line, and user account.
   - Next, it checks whether these PowerShell processes (matched by device and process ID) made any network connections within 2 minutes before or after the process-creation timestamp.
   - The query keeps only network events where the remote IP is non-empty and classified as public, indicating an external connection rather than internal traffic.

4. Outcome: The result is a list of suspicious PowerShell activities that could be part of an attack, helping security teams to investigate and respond to potential threats.

5. Risk: This activity is associated with "Defense Evasion," where attackers try to bypass security measures.

The query was authored by Benjamin Zulliger, and references are provided for further information on LOLBAS.
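To make the correlation concrete, the following is an added Python re-implementation of the rule's logic over a handful of constructed DeviceProcessEvents, DeviceNetworkEvents and LOLBAS rows; it is example code written for this page, not the author's query and not code from the KQLAdvancedHunting repository. The record shapes, field names and all sample values are assumptions modelled on the columns the query projects. Besides the join on DeviceId and ProcessId, the Public filter and the 2-minute window on either side of process creation, it has a `case_sensitive` switch: KQL's `==` compares strings case-sensitively, so a parent file name whose casing differs from the LOLBAS `Name` field is silently dropped by the join, and running the same data with `case_sensitive=False` shows what a `tolower()`-normalised join would return instead.

```python
"""
Added example: Python mirror of the KQL rule's correlation logic, run over
constructed rows so the join, the +/- 2 minute window and the Public-IP filter
can be exercised offline. Not the author's query; shapes and values are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TIME_WINDOW = timedelta(minutes=2)                       # timeWindow = 2m
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "pwsh.dll"}


@dataclass(frozen=True)
class ProcessEvent:          # subset of DeviceProcessEvents columns (assumed shape)
    timestamp: datetime
    device_id: str
    process_id: int
    file_name: str
    parent_file_name: str    # InitiatingProcessFileName
    account_name: str


@dataclass(frozen=True)
class NetworkEvent:          # subset of DeviceNetworkEvents columns (assumed shape)
    timestamp: datetime
    device_id: str
    initiating_process_id: int
    remote_ip: str
    remote_port: int
    remote_ip_type: str      # RemoteIPType as Defender labels it ("Public" / "Private")


def suspicious_processes(process_events, lolbas, case_sensitive=True):
    """Mirror of the `suspiciousProcesses` let-statement: PowerShell whose parent is a
    LOLBAS name. case_sensitive=True reproduces KQL's `==`; False shows a tolower() join."""
    norm = (lambda s: s) if case_sensitive else str.lower
    by_name = {norm(entry["Name"]): entry for entry in lolbas}
    matches = []
    for proc in process_events:
        if proc.file_name not in POWERSHELL_NAMES:
            continue
        entry = by_name.get(norm(proc.parent_file_name))
        if entry is not None:
            matches.append((proc, entry))
    return matches


def correlate(process_events, network_events, lolbas, case_sensitive=True, window=TIME_WINDOW):
    """Mirror of the final join: same DeviceId, ProcessId == InitiatingProcessId, a non-empty
    public RemoteIP, and NetworkTimestamp between TimeWindowStart and TimeWindowEnd."""
    hits = []
    for proc, entry in suspicious_processes(process_events, lolbas, case_sensitive):
        start, end = proc.timestamp - window, proc.timestamp + window
        for net in network_events:
            if net.device_id != proc.device_id or net.initiating_process_id != proc.process_id:
                continue
            if not net.remote_ip or net.remote_ip_type != "Public":
                continue
            if not (start <= net.timestamp <= end):
                continue
            hits.append({
                "Timestamp": proc.timestamp, "DeviceId": proc.device_id,
                "ProcessId": proc.process_id, "AccountName": proc.account_name,
                "InitiatingProcessFileName": proc.parent_file_name,
                "LOLBAS_Category": entry["Category"], "NetworkTimestamp": net.timestamp,
                "RemoteIP": net.remote_ip, "RemotePort": net.remote_port,
            })
    return hits


# ---- constructed sample data (not real telemetry and not the real LOLBAS feed) ----
T0 = datetime(2025, 12, 9, 10, 0, tzinfo=timezone.utc)
LOLBAS = [  # constructed entries; capitalised Name values modelled on the published feed
    {"Name": "Mshta.exe", "Category": "Execute", "Description": "constructed entry"},
    {"Name": "Rundll32.exe", "Category": "Execute", "Description": "constructed entry"},
]
PROCESS_EVENTS = [
    ProcessEvent(T0, "dev-A", 4321, "powershell.exe", "mshta.exe", "alice"),    # casing differs from feed
    ProcessEvent(T0 + timedelta(minutes=1), "dev-A", 5555, "pwsh.exe", "Rundll32.exe", "bob"),
    ProcessEvent(T0, "dev-B", 4321, "powershell.exe", "explorer.exe", "carol"),  # parent is not LOLBAS
]
NETWORK_EVENTS = [
    NetworkEvent(T0 + timedelta(seconds=30), "dev-A", 4321, "203.0.113.5", 443, "Public"),   # inside window
    NetworkEvent(T0 + timedelta(seconds=40), "dev-A", 4321, "10.0.0.7", 445, "Private"),     # internal: dropped
    NetworkEvent(T0 + timedelta(minutes=5), "dev-A", 4321, "198.51.100.9", 8080, "Public"),  # outside window
    NetworkEvent(T0 + timedelta(seconds=30), "dev-B", 4321, "203.0.113.5", 443, "Public"),   # same PID, other device
    NetworkEvent(T0 + timedelta(seconds=150), "dev-A", 5555, "192.0.2.44", 443, "Public"),   # 90 s after pwsh start
    NetworkEvent(T0 + timedelta(seconds=160), "dev-A", 5555, "", 443, "Public"),             # empty RemoteIP: dropped
]

if __name__ == "__main__":
    for mode in (True, False):
        print(f"case_sensitive={mode}:")
        for hit in correlate(PROCESS_EVENTS, NETWORK_EVENTS, LOLBAS, case_sensitive=mode):
            print(f"  pid {hit['ProcessId']} ({hit['InitiatingProcessFileName']}) -> "
                  f"{hit['RemoteIP']}:{hit['RemotePort']} as {hit['AccountName']}")
```

With the sample rows, the strict run returns only the pwsh.exe process spawned by Rundll32.exe, while the case-insensitive run also returns the powershell.exe process whose parent was recorded as `mshta.exe`. If the LOLBAS feed and your tenant's telemetry disagree on casing, the KQL equivalent is to `extend` a `tolower()` copy of `InitiatingProcessFileName` and of `Name` and join on those columns, since `join ... on` accepts only `==` equality conditions.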

Details


Benjamin Zulliger

Released: December 9, 2025

Tables

DeviceProcessEvents, DeviceNetworkEvents

Keywords

PowerShell, Devices, Network, Processes

Operators

let, externaldata, @, with, format, join, kind, on, project, where, in, ==, isnotempty, between, ..