// Adjust the list of suspicious commandlets as needed
let SuspiciousPowerShellCommandList = dynamic(["Get-ADUserResultantPasswordPolicy",
"Get-DomainPolicy",
"Get-DomainUser",
"Get-DomainComputer",
"Get-DomainController",
"Get-DomainGroup",
"Get-DomainTrust",
"Get-ADTrust",
"Get-ForestTrust"
]);
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend Commandlet = tostring(parse_json(AdditionalFields).Command)
| where Commandlet has_any (SuspiciousPowerShellCommandList)
| project TimeGenerated, DeviceName, LocalIP, InitiatingProcessAccountUpn, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| extend Username = tostring(split(InitiatingProcessAccountUpn, '@')[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])
| extend DvcHostname = tostring(split(DeviceName, '.')[0]), DvcDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
relevantTechniques:
- T1059
queryFrequency: 1h
description: |
This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.
triggerThreshold: 0
id: b5153fb3-ada9-4ce4-9131-79c771efb50d
name: Suspicious Powershell Commandlet Executed
queryPeriod: 1h
query: |
// Adjust the list of suspicious commandlets as needed
let SuspiciousPowerShellCommandList = dynamic(["Get-ADUserResultantPasswordPolicy",
"Get-DomainPolicy",
"Get-DomainUser",
"Get-DomainComputer",
"Get-DomainController",
"Get-DomainGroup",
"Get-DomainTrust",
"Get-ADTrust",
"Get-ForestTrust"
]);
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend Commandlet = tostring(parse_json(AdditionalFields).Command)
| where Commandlet has_any (SuspiciousPowerShellCommandList)
| project TimeGenerated, DeviceName, LocalIP, InitiatingProcessAccountUpn, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| extend Username = tostring(split(InitiatingProcessAccountUpn, '@')[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])
| extend DvcHostname = tostring(split(DeviceName, '.')[0]), DvcDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: gt
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: DvcHostname
identifier: HostName
- columnName: DvcDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: LocalIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Username
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingProcessId
identifier: ProcessId
- columnName: InitiatingProcessCommandLine
identifier: CommandLine
entityType: Process
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/SuspiciousPowerShellCommandExecuted.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
alertDetailsOverride:
alertDisplayNameFormat: Suspicious PowerShell Commandlet Executed on {{DvcHostname}} ({{LocalIP}}) by ({{InitiatingProcessAccountUpn}})
alertDescriptionFormat: "Suspicious PowerShell Commandlet by Process '{{InitiatingProcessFileName}}' ProcessId: '{{InitiatingProcessId}}' with commandline {{InitiatingProcessCommandLine}} was executed."
status: Available
version: 1.0.1
tactics:
- Execution
kind: Scheduled
