Adversaries may use PowerShell with a non-browser user-agent to execute commands stealthily, bypassing standard browser-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control or lateral movement activities.
KQL Query
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal contains "WindowsPowerShell"
| extend Message = "Windows PowerShell User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
id: b12b3dab-d973-45af-b07e-e29bb34d8db9
name: Cisco Umbrella - Windows PowerShell User-Agent Detected
description: |
  'Rule helps to detect PowerShell user-agent activity by an unusual process other than a web browser.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - DefenseEvasion
query: |
  let timeframe = 15m;
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | where HttpUserAgentOriginal contains "WindowsPowerShell"
  | extend Message = "Windows PowerShell User Agent"
  | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: UrlOriginal
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.1.2
kind: Scheduled
Scenario: Scheduled PowerShell Task for System Maintenance
Description: A legitimate scheduled task runs PowerShell to perform system updates or maintenance.
Filter/Exclusion: ProcessName == "schtasks" OR ProcessName == "taskhost" OR CommandLine NOT LIKE "*powershell.exe*"
Scenario: Admin Using PowerShell for Scripted Configuration
Description: An administrator uses PowerShell to configure system settings or deploy software via a script.
Filter/Exclusion: User == "Administrator" OR User == "Domain Admins" OR CommandLine LIKE "*-ExecutionPolicy*"
Scenario: Cisco Umbrella API Integration via PowerShell
Description: A PowerShell script is used to interact with the Cisco Umbrella API for configuration or reporting.
Filter/Exclusion: CommandLine LIKE "*umbrella-api*" OR CommandLine LIKE "*cisco.com*"
Scenario: PowerShell Used by Microsoft Intune for Device Management
Description: Intune runs PowerShell scripts to manage device compliance or apply policies.
Filter/Exclusion: ProcessName == "msiexec" OR CommandLine LIKE "*intune*" OR CommandLine LIKE "*Microsoft Intune*"
Scenario: PowerShell Script for Log Analysis or Monitoring
Description: A script runs PowerShell to analyze system logs or monitor network activity for troubleshooting.
Filter/Exclusion: CommandLine LIKE "*log*" OR CommandLine LIKE "*analyze*" OR CommandLine LIKE "*monitor*"
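The following Python is an added example, not part of the Sentinel rule or the Cisco Umbrella connector: it applies the rule's four filters and its projection to a few constructed proxy-log records shaped like the Cisco_Umbrella columns the query uses, and shows why the user-agent match must be case-insensitive (KQL `contains` is). The `allowed_url_prefixes` parameter is a hypothetical tuning hook, assumed here, for excluding approved script hosts on the same proxy columns; the records, IPs and URLs are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed records shaped like the Cisco_Umbrella proxy columns the rule projects.
# Times are relative to a fixed NOW so the run is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    {"EventType": "proxylogs", "TimeGenerated": NOW - timedelta(minutes=2),   # PowerShell download
     "SrcIpAddr": "10.0.0.5", "DstIpAddr": "203.0.113.10",
     "UrlOriginal": "http://203.0.113.10/stage.txt",
     "HttpUserAgentOriginal": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"},
    {"EventType": "proxylogs", "TimeGenerated": NOW - timedelta(minutes=5),   # ordinary browser
     "SrcIpAddr": "10.0.0.7", "DstIpAddr": "203.0.113.20",
     "UrlOriginal": "https://www.example.com/",
     "HttpUserAgentOriginal": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    {"EventType": "proxylogs", "TimeGenerated": NOW - timedelta(minutes=10),  # lowercase UA
     "SrcIpAddr": "10.0.0.9", "DstIpAddr": "203.0.113.30",
     "UrlOriginal": "https://scripts.example.org/tool.ps1",
     "HttpUserAgentOriginal": "windowspowershell/7.4.1"},
    {"EventType": "proxylogs", "TimeGenerated": NOW - timedelta(minutes=40),  # outside the 15m window
     "SrcIpAddr": "10.0.0.11", "DstIpAddr": "203.0.113.40",
     "UrlOriginal": "https://old.example.org/",
     "HttpUserAgentOriginal": "WindowsPowerShell/5.1"},
    {"EventType": "dnslogs", "TimeGenerated": NOW - timedelta(minutes=1),     # not a proxy-log row
     "SrcIpAddr": "10.0.0.13", "DstIpAddr": "203.0.113.50",
     "UrlOriginal": "", "HttpUserAgentOriginal": "WindowsPowerShell/5.1"},
]

def detect_powershell_user_agent(logs, now=NOW, timeframe=timedelta(minutes=15),
                                 allowed_url_prefixes=()):
    """Apply the rule's filters and projection to proxy-log records.

    KQL 'contains' is case-insensitive, so the user-agent test lowercases the value.
    allowed_url_prefixes is a hypothetical tuning hook (not in the rule): rows whose
    UrlOriginal starts with an approved prefix are dropped before alerting.
    """
    hits = []
    for rec in logs:
        if rec.get("EventType") != "proxylogs":
            continue
        if rec["TimeGenerated"] <= now - timeframe:      # TimeGenerated > ago(timeframe)
            continue
        if "windowspowershell" not in rec.get("HttpUserAgentOriginal", "").lower():
            continue
        if rec["UrlOriginal"].startswith(tuple(allowed_url_prefixes)):
            continue
        hits.append({"Message": "Windows PowerShell User Agent",
                     **{k: rec[k] for k in ("SrcIpAddr", "DstIpAddr", "UrlOriginal",
                                            "TimeGenerated", "HttpUserAgentOriginal")}})
    return hits

for hit in detect_powershell_user_agent(SAMPLE_LOGS):
    print(hit["TimeGenerated"].isoformat(), hit["SrcIpAddr"], hit["UrlOriginal"])
```

With the sample data, only the two in-window proxy rows with a PowerShell user agent fire; passing `allowed_url_prefixes=("https://scripts.example.org/",)` suppresses the approved script host and leaves the single download from the bare IP.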