← Back to SOC feed Coverage →

evasive-powershell-executions

kql MEDIUM Azure-Sentinel
DeviceProcessEvents
backdoorhuntingmicrosoftofficialpowershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-05T03:15:55Z · Confidence: medium

Hunt Hypothesis

The evasive-powershell-executions rule detects potential Jupyter/SolarMarker malware activity by identifying suspicious PowerShell executions that evade standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage info-stealing and backdoor activities associated with this sophisticated malware family.

KQL Query

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all
("-command","FromBase64String","));remove-item $",".length;$j++){$","$i++;if($i -ge $","-bxor","UTF8.GetString")

Analytic Rule Definition

id: 33e69a06-206e-4eda-930d-13d2f61f9185
name: evasive-powershell-executions
description: |
  Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Execution
query: |
  DeviceProcessEvents
  | where FileName =~ "powershell.exe"
  | where ProcessCommandLine has_all
  ("-command","FromBase64String","));remove-item $",".length;$j++){$","$i++;if($i -ge $","-bxor","UTF8.GetString")

Required Data Sources

Sentinel TableNotes
DeviceProcessEventsEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Jupyter-Solarmaker/evasive-powershell-executions.yaml