PowerShell No Profile (APT 28)
Power Shell No Profile
Query
DeviceProcessEvents
| where ProcessCommandLine has_all ("-nop", "powershell.exe")
| summarize TotalCommands = dcount(ProcessCommandLine), ExecutedCommands = make_set(ProcessCommandLine) by DeviceNameAbout this query
Explanation
This query is designed to detect suspicious activity associated with APT28, a known threat group. Specifically, it looks for instances where PowerShell is used in a potentially malicious way. The query focuses on PowerShell commands that include the "-nop" (no profile) and "powershell.exe" keywords, which are indicative of attempts to run PowerShell without loading user profiles, a common tactic used to evade detection.
Here's a simple breakdown of what the query does:
-
Data Source: It examines events related to processes on devices, specifically looking at the command lines used to execute these processes.
-
Filter Criteria: It filters for command lines that contain both "-nop" and "powershell.exe". This combination suggests that PowerShell is being run in a way that avoids loading user profiles, which can be a sign of malicious activity.
-
Summarization: For each device, it counts the number of unique commands that match the criteria and lists these commands. This helps identify which devices have executed potentially suspicious PowerShell commands and what those commands were.
-
Purpose: The goal is to identify and investigate devices that might be compromised by APT28, as these commands are similar to those used by the group in their attacks.
Overall, this query helps security teams monitor for and respond to potential threats from APT28 by identifying unusual PowerShell usage patterns.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators