Adversaries may use evasive PowerShell techniques with specific string patterns to exfiltrate data or execute additional processes without triggering standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or lateral movement attempts that evade traditional detection methods.
KQL Query

```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_all("-ep bypass","-command","get-content","remove-item","iex")
```
```yaml
id: d08b4ce0-3c97-4637-9577-0856f6cdd222
name: evasive-powershell-strings
description: |
  This query searches for a string pattern seen in evasive PowerShell usage. Jupyter (SolarMarker) iterates on this pattern multiple times to read data and launch additional processes. The query is not fully specific to Jupyter/SolarMarker and will also surface other malware that uses the same pattern, but it is unlikely to return false positives.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - DefenseEvasion
query: |
  DeviceProcessEvents
  | where FileName == "powershell.exe"
  | where ProcessCommandLine has_all("-ep bypass","-command","get-content","remove-item","iex")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Using PowerShell for System Maintenance
Description: A legitimate scheduled job runs a PowerShell script to perform system maintenance, such as log rotation or service restarts, which may include string patterns similar to evasive techniques.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.command_line:"schtasks.exe"

Scenario: Admin Task Using PowerShell for Configuration Management
Description: An administrator uses PowerShell to configure system settings, such as updating group policies or modifying registry keys, which may include string patterns that match the detection rule.
Filter/Exclusion: process.user_name:"Administrator" or process.command_line:"gpupdate.exe" or process.command_line:"reg.exe"

Scenario: Jupyter Notebook Execution with PowerShell Integration
Description: A Jupyter notebook may execute PowerShell scripts for data processing or automation, which could trigger the rule because of string patterns used in the script.
Filter/Exclusion: process.parent_process_name:"jupyter-notebook.exe" or process.command_line:"jupyter"

Scenario: SolarMarker Tool for Data Extraction
Description: The SolarMarker tool is used for data extraction or analysis and may include PowerShell scripts that use string patterns similar to the rule's detection logic.
Filter/Exclusion: process.parent_process_name:"SolarMarker.exe" or process.command_line:"SolarMarker"

Scenario: PowerShell Script for User Account Management
Description: A PowerShell script is used to manage user accounts, such as enabling/disabling users or resetting passwords, which may contain string patterns that match the rule.
Filter/Exclusion: process.command_line:"net user" or process.command_line:"Enable-UserAccount.ps1"
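The following is an added Python example, not part of the original rule or of any Sentinel content, that re-implements the two `where` clauses of the hunting query above and then applies a parent-process exclusion of the kind the scheduled-job scenario describes. It runs over constructed DeviceProcessEvents-style records so the matching behaviour can be checked offline. Assumptions: the `DeviceProcessEvent` dataclass, the `InitiatingProcessFileName` field standing in for the parent process name, the `maint-scheduler.exe` parent name and all command lines are constructed for illustration; `has_all` is implemented as case-insensitive substring matching, which is slightly broader than KQL's term-based `has_all` (for example, it would also match `iex` inside a longer word).

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence


# Hypothetical record mirroring the DeviceProcessEvents columns the rule uses.
# InitiatingProcessFileName is assumed here to carry the parent process name.
@dataclass(frozen=True)
class DeviceProcessEvent:
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str


# The five strings from the rule's has_all() clause.
REQUIRED_TERMS = ("-ep bypass", "-command", "get-content", "remove-item", "iex")


def has_all(text: str, terms: Sequence[str]) -> bool:
    """Case-insensitive 'every term present' check.

    Approximates KQL has_all(): KQL matches whole indexed terms, so this
    substring version is slightly broader than the real operator.
    """
    lowered = text.lower()
    return all(term.lower() in lowered for term in terms)


def matches_rule(event: DeviceProcessEvent) -> bool:
    """Both 'where' clauses of the hunting query."""
    return (event.FileName.lower() == "powershell.exe"
            and has_all(event.ProcessCommandLine, REQUIRED_TERMS))


def is_excluded(event: DeviceProcessEvent, excluded_parents: Iterable[str]) -> bool:
    """Parent-process exclusion in the style of the scheduled-job scenario."""
    parents = {p.lower() for p in excluded_parents}
    return event.InitiatingProcessFileName.lower() in parents


def hunt(events: Iterable[DeviceProcessEvent],
         excluded_parents: Iterable[str] = ()) -> List[DeviceProcessEvent]:
    """Return the events that match the rule and survive the exclusions."""
    return [e for e in events
            if matches_rule(e) and not is_excluded(e, excluded_parents)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # 1: the full read -> delete -> iex pattern from a user shell: should alert
    DeviceProcessEvent(
        "powershell.exe",
        'powershell.exe -ep bypass -command "$d=Get-Content C:\\Users\\Public\\a.txt; '
        'Remove-Item C:\\Users\\Public\\a.txt; iex $d"',
        "explorer.exe"),
    # 2: bypass + Get-Content only, no Remove-Item and no iex: no match
    DeviceProcessEvent(
        "powershell.exe",
        "powershell.exe -ep bypass -command Get-Content C:\\logs\\app.log",
        "explorer.exe"),
    # 3: all five strings present, but FileName is cmd.exe: first clause fails
    DeviceProcessEvent(
        "cmd.exe",
        "cmd.exe /c powershell -ep bypass -command get-content x; remove-item x; iex y",
        "explorer.exe"),
    # 4: full pattern, but launched by an assumed maintenance scheduler: excluded
    DeviceProcessEvent(
        "powershell.exe",
        "powershell.exe -ep bypass -command Get-Content C:\\maint\\rotate.ps1 | iex; "
        "Remove-Item C:\\maint\\old.log",
        "maint-scheduler.exe"),
]

# Assumed allowlist for the exclusion; a real one comes from your own baseline.
EXCLUDED_PARENTS = ("maint-scheduler.exe",)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, EXCLUDED_PARENTS):
        print("ALERT:", hit.InitiatingProcessFileName, "->", hit.ProcessCommandLine)
```

Running the module prints a single alert for event 1. Event 4 matches the rule but is dropped by the parent-process exclusion, which illustrates the tuning trade-off: every name added to `EXCLUDED_PARENTS` removes a whole class of matches, so the allowlist should be as narrow as the baseline supports.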