PowerShell

KQL query: Identify PowerShell using sleep timers to evade detection

May 30, 2024 by Applied KQL

Artistic representation of encoded or obfuscated use of the PowerShell Start-Sleep cmdlet. – Copilot Designer

Encoded or obfuscated use of the Start-Sleep cmdlet can be an indicator of malicious activity.

KQL query: Windows PowerShell execution events that may involve a download

May 30, 2024 by Applied KQL

Artistic representation of a malicious file download. – Copilot Designer

Live off the land techniques leveraging PowerShell may involve downloading an additional payload from the Internet for further attack.

KQL query: Windows PowerShell invoking a reverse shell

May 24, 2024 by Applied KQL

Artistic interpretation of a PowerShell reverse shell. - Copilot Designer — Artistic interpretation of a PowerShell reverse shell. – Copilot Designer

Identify Windows PowerShell events creating outbound connections that could indicate the establishment of a reverse shell.