Living-off-the-land techniques that leverage PowerShell may involve downloading an additional payload from the Internet to further the attack.
Windows PowerShell is a powerful component of every Microsoft Windows installation. Threat actors consistently use Windows PowerShell as a "living off the land" tool to blend in with normal computer activity.
One indication of potentially malicious activity is PowerShell downloading files. While PowerShell helps threat actors get a foothold, they typically want to run other payloads to further their attack.
Prerequisites for this KQL query
The table for this query (DeviceProcessEvents) is available in Microsoft Defender. Run the query from Microsoft Defender > Hunting > Advanced hunting. Advanced hunting retains the previous 30 days of logs.
KQL query to identify PowerShell events that may involve a file download
The following query identifies events where Windows PowerShell may be attempting to download a file or files.
// Find Windows PowerShell execution events that could involve a download.
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "Start-BitsTransfer"
or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
// credit: Microsoft Threat Intelligence
Deconstructing the KQL query
Read on to understand HOW the query above works.
Step 1: Selecting the table
DeviceProcessEvents
Here, we're specifying the table we're interested in. The DeviceProcessEvents table contains events related to processes on devices.
Step 2: Filtering by file name
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
Next, we filter the results to include only those events where the FileName column matches either "powershell.exe" or "powershell_ise.exe". The in~ operator performs a case-insensitive comparison, which is useful for catching variations in capitalization.
Step 3: Filtering by command line content
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "Start-BitsTransfer"
or ProcessCommandLine has "mpcmdrun.exe"
This part of the query uses multiple or conditions to filter for specific terms within the ProcessCommandLine column. The has operator checks whether the specified string is present as a whole term anywhere in the ProcessCommandLine. Here's what each term might indicate:
"Net.WebClient", "DownloadFile", "Invoke-WebRequest", "http", "Start-BitsTransfer": These terms are associated with downloading files or making web requests.
"Invoke-Shellcode": This is often used in scripts to run shellcode, which can be indicative of malicious activity.
"IEX": This stands for "Invoke-Expression", a PowerShell command that can execute code from a string or a script.
"mpcmdrun.exe": This is the Microsoft Malware Protection Command Line Utility, which could be used to manipulate or run antivirus commands.
By including these terms, the query is tailored to catch potentially malicious activity involving PowerShell.
Step 4: Projecting (selecting) specific columns
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
Finally, the project operator is used to select the columns we want in the final output. This helps in focusing on the relevant data and makes the result set easier to analyze. The columns chosen are:
Timestamp: When the event occurred.
DeviceName: The name of the device where the event occurred.
InitiatingProcessFileName: The file name of the process that started the current process.
FileName: The name of the executable file for the process.
ProcessCommandLine: The full command line used to start the process.
Investigating the results
Note that not every result will be a malicious event. For example, Microsoft System Center Configuration Manager (InitiatingProcessFileName = CcmExec.exe) uses PowerShell and BITS transfers for approved functionality. Analyze both the initiating process and the process command line details. If you see common occurrences of authorized behavior, consider refining the query to remove those results.