Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious Powershell Commandlet Executed

Back
Idb5153fb3-ada9-4ce4-9131-79c771efb50d
RulenameSuspicious Powershell Commandlet Executed
DescriptionThis analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.
SeverityMedium
TacticsExecution
TechniquesT1059
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/SuspiciousPowerShellCommandExecuted.yaml
Version1.0.1
Arm templateb5153fb3-ada9-4ce4-9131-79c771efb50d.json
Deploy To Azure
// Adjust the list of suspicious commandlets as needed
let SuspiciousPowerShellCommandList = dynamic(["Get-ADUserResultantPasswordPolicy",
  "Get-DomainPolicy",
  "Get-DomainUser",
  "Get-DomainComputer",
  "Get-DomainController",
  "Get-DomainGroup",
  "Get-DomainTrust",
  "Get-ADTrust",
  "Get-ForestTrust"
  ]);
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend Commandlet = tostring(parse_json(AdditionalFields).Command)
| where Commandlet has_any (SuspiciousPowerShellCommandList)
| project TimeGenerated, DeviceName, LocalIP, InitiatingProcessAccountUpn, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| extend Username = tostring(split(InitiatingProcessAccountUpn, '@')[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])
| extend DvcHostname = tostring(split(DeviceName, '.')[0]), DvcDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcDomain
    identifier: DnsDomain
  entityType: Host
- fieldMappings:
  - columnName: LocalIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Username
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: InitiatingProcessId
    identifier: ProcessId
  - columnName: InitiatingProcessCommandLine
    identifier: CommandLine
  entityType: Process
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/SuspiciousPowerShellCommandExecuted.yaml
queryFrequency: 1h
status: Available
relevantTechniques:
- T1059
triggerOperator: gt
version: 1.0.1
id: b5153fb3-ada9-4ce4-9131-79c771efb50d
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
alertDetailsOverride:
  alertDisplayNameFormat: Suspicious PowerShell Commandlet Executed on {{DvcHostname}} ({{LocalIP}}) by ({{InitiatingProcessAccountUpn}})
  alertDescriptionFormat: "Suspicious PowerShell Commandlet by Process '{{InitiatingProcessFileName}}' ProcessId: '{{InitiatingProcessId}}' with commandline {{InitiatingProcessCommandLine}} was executed."
name: Suspicious Powershell Commandlet Executed
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.
query: |
  // Adjust the list of suspicious commandlets as needed
  let SuspiciousPowerShellCommandList = dynamic(["Get-ADUserResultantPasswordPolicy",
    "Get-DomainPolicy",
    "Get-DomainUser",
    "Get-DomainComputer",
    "Get-DomainController",
    "Get-DomainGroup",
    "Get-DomainTrust",
    "Get-ADTrust",
    "Get-ForestTrust"
    ]);
  DeviceEvents
  | where ActionType == "PowerShellCommand"
  | extend Commandlet = tostring(parse_json(AdditionalFields).Command)
  | where Commandlet has_any (SuspiciousPowerShellCommandList)
  | project TimeGenerated, DeviceName, LocalIP, InitiatingProcessAccountUpn, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
  | extend Username = tostring(split(InitiatingProcessAccountUpn, '@')[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])
  | extend DvcHostname = tostring(split(DeviceName, '.')[0]), DvcDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))  
tactics:
- Execution
queryPeriod: 1h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b5153fb3-ada9-4ce4-9131-79c771efb50d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b5153fb3-ada9-4ce4-9131-79c771efb50d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Suspicious PowerShell Commandlet by Process '{{InitiatingProcessFileName}}' ProcessId: '{{InitiatingProcessId}}' with commandline {{InitiatingProcessCommandLine}} was executed.",
          "alertDisplayNameFormat": "Suspicious PowerShell Commandlet Executed on {{DvcHostname}} ({{LocalIP}}) by ({{InitiatingProcessAccountUpn}})"
        },
        "alertRuleTemplateName": "b5153fb3-ada9-4ce4-9131-79c771efb50d",
        "customDetails": null,
        "description": "This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.\n",
        "displayName": "Suspicious Powershell Commandlet Executed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "LocalIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessId",
                "identifier": "ProcessId"
              },
              {
                "columnName": "InitiatingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/SuspiciousPowerShellCommandExecuted.yaml",
        "query": "// Adjust the list of suspicious commandlets as needed\nlet SuspiciousPowerShellCommandList = dynamic([\"Get-ADUserResultantPasswordPolicy\",\n  \"Get-DomainPolicy\",\n  \"Get-DomainUser\",\n  \"Get-DomainComputer\",\n  \"Get-DomainController\",\n  \"Get-DomainGroup\",\n  \"Get-DomainTrust\",\n  \"Get-ADTrust\",\n  \"Get-ForestTrust\"\n  ]);\nDeviceEvents\n| where ActionType == \"PowerShellCommand\"\n| extend Commandlet = tostring(parse_json(AdditionalFields).Command)\n| where Commandlet has_any (SuspiciousPowerShellCommandList)\n| project TimeGenerated, DeviceName, LocalIP, InitiatingProcessAccountUpn, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine\n| extend Username = tostring(split(InitiatingProcessAccountUpn, '@')[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@')[1])\n| extend DvcHostname = tostring(split(DeviceName, '.')[0]), DvcDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}