Identify Windows PowerShell events creating outbound connections that could indicate the establishment of a reverse shell.
Windows PowerShell is a powerful component of every Microsoft Windows installation. Threat actors consistently use Windows PowerShell as a “living off the land” tool to blend in with normal computer activity.
One thing Windows PowerShell should NOT typically do is establish outbound network client connections. This activity could be indicative of a remote shell being established by a threat actor.
Prerequisites for this KQL query
The table for this query (DeviceProcessEvents) is available in Microsoft Defender. Run the query in Microsoft Defender > Hunting > Advanced hunting. Advanced hunting holds the previous 30 days of logs.
KQL query to identify potential reverse shell initiation
The following query identifies events where Windows PowerShell creates a new TCPClient object, a method regularly used to establish a remote shell.
DeviceProcessEvents
| where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where ProcessCommandLine contains "$client = New-Object System.Net.Sockets.TCPClient"
// credit: Microsoft Defender Threat Intelligence
Deconstructing the KQL query
Read on to understand HOW the query above works.
DeviceProcessEvents
This is the name of a table in our data source. It contains information about process creation and related events on devices.
| where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
We first filter the results based on FileName.
We check whether the FileName field contains any of the specified values (cmd.exe, powershell.exe, or PowerShell_ISE.exe). We are interested in processes with these executable names.
| where ProcessCommandLine contains "$client = New-Object System.Net.Sockets.TCPClient"
This next filter narrows down the results further. We’re looking for processes where the ProcessCommandLine (the command used to run the process) contains the specific string "$client = New-Object System.Net.Sockets.TCPClient". This object creates a TCP client connection.
A result set doesn’t automatically mean you have reverse shells present. You will need to investigate the results to determine if the events are associated with approved application activity.
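To make the two filters concrete, here is an added example (not part of the original post or of Microsoft's query) that applies the same logic in Python to a handful of constructed DeviceProcessEvents rows. KQL's has_any and contains operators are case-insensitive, so the emulation uses case-folded comparisons; the hostnames, IP addresses and command lines are made up, and the pwsh.exe row is included only to show that PowerShell 7 falls outside the query's FileName list.

```python
from dataclasses import dataclass


@dataclass
class DeviceProcessEvent:
    """One DeviceProcessEvents row, limited to the columns the query uses."""
    DeviceName: str
    FileName: str
    ProcessCommandLine: str


# Constructed sample rows; hostnames, IPs and command lines are made up.
SAMPLE_EVENTS = [
    DeviceProcessEvent("WS-01", "powershell.exe",
        'powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\'203.0.113.10\',4444)"'),
    DeviceProcessEvent("WS-02", "PowerShell_ISE.exe",
        '$CLIENT = NEW-OBJECT SYSTEM.NET.SOCKETS.TCPCLIENT("203.0.113.11",8080)'),
    DeviceProcessEvent("WS-03", "powershell.exe",
        "powershell.exe -File C:\\Scripts\\Invoke-Backup.ps1"),
    DeviceProcessEvent("WS-04", "pwsh.exe",  # PowerShell 7: not in the query's list
        '$client = New-Object System.Net.Sockets.TCPClient("203.0.113.12",443)'),
    DeviceProcessEvent("WS-05", "cmd.exe", "cmd.exe /c ipconfig /all"),
]

SHELL_IMAGES = ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
TCPCLIENT_MARKER = "$client = New-Object System.Net.Sockets.TCPClient"


def has_any(value: str, candidates) -> bool:
    """Emulates KQL `has_any` (case-insensitive term match). FileName holds
    only the image name, so whole-string comparison is sufficient here."""
    return value.casefold() in {c.casefold() for c in candidates}


def contains(value: str, needle: str) -> bool:
    """Emulates KQL `contains` (case-insensitive substring match)."""
    return needle.casefold() in value.casefold()


def find_tcpclient_events(events):
    """Apply the query's two `where` filters in order and return the survivors."""
    return [e for e in events
            if has_any(e.FileName, SHELL_IMAGES)
            and contains(e.ProcessCommandLine, TCPCLIENT_MARKER)]


if __name__ == "__main__":
    for hit in find_tcpclient_events(SAMPLE_EVENTS):
        print(f"{hit.DeviceName}: {hit.FileName} -> {hit.ProcessCommandLine}")
```

Only WS-01 and WS-02 survive both filters; WS-04 shows a coverage gap worth keeping in mind when tuning the query for an estate that runs PowerShell 7.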