Query Details
//Requires the Microsoft 365 Defender Connector
//Identify PowerShell executions that could have initiated a download request
//Note: DeviceNetworkEvents has no FileName or ProcessCommandLine columns; the process that made
//the connection only appears in InitiatingProcessFileName / InitiatingProcessCommandLine, so the
//filters fall back to those columns via coalesce(), otherwise no network row could ever match
//Query:
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| extend ProcName = coalesce(FileName, InitiatingProcessFileName), ProcCmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where ProcName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcCmd has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
//For an Analytics Rule (adds DeviceEvents and the custom entity columns used for entity mapping):
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where Timestamp > ago(7d)
| extend ProcName = coalesce(FileName, InitiatingProcessFileName), ProcCmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where ProcName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcCmd has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| extend IPCustomEntity = RemoteIP
| extend URLCustomEntity = RemoteUrl
| extend HostCustomEntity = DeviceName
This query identifies PowerShell executions that could have initiated a download request. It looks for events in which the PowerShell executable (powershell.exe or powershell_ise.exe) is the process and the command line contains one of the download-related keywords "WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http" or "https". Each match is projected with its timestamp, device name, initiating process file name and command line, file name, process command line, remote IP address, remote URL, remote port and remote IP type. The second variant adds the IP, URL and host custom entity columns so that it can be used as an analytics rule to monitor and detect potentially malicious activity.
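The filter logic of the queries above, re-implemented in Python and run over constructed sample rows, as an added example (not code from this page or from Microsoft 365 Defender); has_any, hunt_powershell_downloads and the sample events are hypothetical, and the term splitting is only an approximation of KQL's has_any. It checks both the process-event and network-event column names, since a union of DeviceProcessEvents and DeviceNetworkEvents yields rows of both shapes.

```python
import re
from datetime import datetime, timedelta, timezone

PS_NAMES = {"powershell.exe", "powershell_ise.exe"}
DOWNLOAD_TERMS = ["WebClient", "DownloadFile", "DownloadData", "DownloadString",
                  "WebRequest", "Shellcode", "http", "https"]
# Assumption: KQL term splitting approximated as runs of letters, digits and '_'.
TERM_RE = re.compile(r"[A-Za-z0-9_]+")

def has_any(text, terms):
    """Approximate KQL has_any: case-insensitive match on whole terms, not substrings,
    so 'httpd' does not satisfy the term 'http' while 'http://x' does."""
    tokens = {t.lower() for t in TERM_RE.findall(text or "")}
    return any(term.lower() in tokens for term in terms)

def hunt_powershell_downloads(events, now, window=timedelta(days=7)):
    """Apply the query's where/project/extend steps to a union of event rows."""
    hits = []
    for e in events:
        if e["Timestamp"] <= now - window:  # Timestamp > ago(7d)
            continue
        # DeviceProcessEvents rows carry FileName/ProcessCommandLine; DeviceNetworkEvents
        # rows carry only the InitiatingProcess* columns, so both shapes are checked.
        name = (e.get("FileName") or e.get("InitiatingProcessFileName") or "").lower()
        cmd = e.get("ProcessCommandLine") or e.get("InitiatingProcessCommandLine") or ""
        if name not in PS_NAMES or not has_any(cmd, DOWNLOAD_TERMS):
            continue
        hits.append({
            "Timestamp": e["Timestamp"], "DeviceName": e.get("DeviceName"), "CommandLine": cmd,
            "RemoteIP": e.get("RemoteIP"), "RemoteUrl": e.get("RemoteUrl"), "RemotePort": e.get("RemotePort"),
            # custom entity columns from the analytics-rule variant
            "IPCustomEntity": e.get("RemoteIP"), "URLCustomEntity": e.get("RemoteUrl"),
            "HostCustomEntity": e.get("DeviceName"),
        })
    return hits

NOW = datetime(2020, 11, 6, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed rows, not real telemetry
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.txt','C:\\t\\a.txt')\""},
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws02",  # DeviceNetworkEvents shape
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -Command Invoke-WebRequest -Uri https://example.invalid",
     "RemoteIP": "192.0.2.10", "RemoteUrl": "example.invalid", "RemotePort": 443},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-ChildItem C:\\httpd\\logs"},  # 'httpd' is not the term 'http'
    {"Timestamp": NOW - timedelta(days=10), "DeviceName": "ws04", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Invoke-WebRequest https://example.invalid"},  # outside 7d window
]
```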

Rod Trent
Released: November 6, 2020