The hypothesis is that a command line matching Invoke-PowerShellTcpOneLine (the one-line PowerShell reverse shell from the Nishang toolkit) in normalized process-creation events indicates an adversary opening a reverse shell, which gives interactive command execution and a channel for data exfiltration. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to identify and cut off early-stage access and exfiltration before it becomes persistent.
KQL Query
imProcessCreate
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr
id: a2b58512-1298-4a25-a4c7-88ddfed78b0d
name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
description: |
  'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'
requiredDataConnectors: []
tactics:
  - Exfiltration
relevantTechniques:
  - T1011
query: |
  imProcessCreate
  | where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
  | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
  | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | This is an ASIM (Advanced Security Information Model) parser, not a connector. Ensure the ASIM ProcessEvent parsers are deployed and that at least one process-creation source that records the full command line is connected (for example Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled); without command-line data the `CommandLine has` predicate never matches. |
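The query above re-implemented in Python over constructed imProcessCreate-style events, so that its two predicates can be exercised against sample telemetry. This is an added example, not code from the original page or from the Sentinel query's authors. It assumes event dictionaries whose keys mirror the ASIM columns the query uses (Process, CommandLine, User, Dvc, DvcIpAddr, TimeGenerated); the hosts, users, addresses and the sanctioned health-check one-liner are all constructed for the example. Beyond the raw query it shows two things a practitioner would want: the exact phrase match is blind to the short-namespace form `New-Object Net.Sockets.TCPClient` and to `-EncodedCommand` payloads unless you decode them, and an exclusion of the kind the false-positive scenarios below describe is safest as an exact match on a whole sanctioned command line rather than on a script name.

```python
"""Emulation of the Invoke-PowerShellTcpOneLine hunting query over constructed
imProcessCreate-style events, extended with -EncodedCommand decoding and an
exact-match allowlist for sanctioned one-liners. Added example, not the page's
own code; all events below are constructed sample telemetry."""
import base64
import re

# The two predicates of the KQL query.
PROCESS_TERMS = ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
MARKER = "$client = New-Object System.Net.Sockets.TCPClient"
# PowerShell resolves the "System." prefix implicitly, so
# "New-Object Net.Sockets.TCPClient" builds the same object; this broader
# marker catches that spelling as well as the canonical one.
BROAD_MARKER = "Sockets.TCPClient"

# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob (assumed shape).
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def has_term(text, term):
    """Approximate KQL `has`: case-insensitive and bounded by non-word characters."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events, marker=MARKER, decode=False, approved=frozenset()):
    """Emulate the query; optionally decode payloads and drop sanctioned commands."""
    hits = []
    for ev in events:
        if not any(has_term(ev["Process"], t) for t in PROCESS_TERMS):
            continue
        cmd = ev["CommandLine"]
        if decode:
            decoded = decode_encoded_command(cmd)
            if decoded:
                cmd = cmd + " " + decoded  # search the plaintext too
        if not has_term(cmd, marker):
            continue
        # Tuning: exact match on the whole (whitespace-normalised) command line of
        # a sanctioned task. A script path or cmdlet name alone is attacker-
        # controlled and trivially spoofed, so it is not used as the key here.
        if " ".join(ev["CommandLine"].split()) in approved:
            continue
        hits.append({
            "timestamp": ev["TimeGenerated"],
            "AccountCustomEntity": ev["User"],
            "HostCustomEntity": ev["Dvc"],
            "IPCustomEntity": ev["DvcIpAddr"],
        })
    return hits


# Constructed sample telemetry (not real events).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ONE_LINER = ("$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',4444);"
             "$stream = $client.GetStream();$bytes = New-Object byte[] 65535")
ENCODED = base64.b64encode(ONE_LINER.encode("utf-16-le")).decode()
# Hypothetical sanctioned health check that happens to contain the marker.
HEALTH_CHECK = ('powershell.exe -NoProfile -Command "$client = New-Object '
                "System.Net.Sockets.TCPClient('sql01',1433); $client.Connected; "
                '$client.Close()"')

EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Dvc": "WS01", "DvcIpAddr": "10.1.1.10",
     "User": "CORP\\alice", "Process": PS,
     "CommandLine": 'powershell.exe -nop -w hidden -c "' + ONE_LINER + '"'},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "Dvc": "WS02", "DvcIpAddr": "10.1.1.11",
     "User": "CORP\\bob", "Process": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "Dvc": "WS03", "DvcIpAddr": "10.1.1.12",
     "User": "CORP\\carol", "Process": PS,
     "CommandLine": "powershell.exe -c \"$client = New-Object Net.Sockets.TCPClient('10.0.0.5',4444)\""},
    {"TimeGenerated": "2024-05-01T10:06:00Z", "Dvc": "SRV01", "DvcIpAddr": "10.1.2.5",
     "User": "CORP\\svc_monitor", "Process": PS, "CommandLine": HEALTH_CHECK},
    {"TimeGenerated": "2024-05-01T10:08:00Z", "Dvc": "WS04", "DvcIpAddr": "10.1.1.13",
     "User": "CORP\\dave", "Process": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    runs = [("raw query", {}),
            ("+decode", {"decode": True}),
            ("+broad marker", {"marker": BROAD_MARKER, "decode": True}),
            ("+allowlist", {"marker": BROAD_MARKER, "decode": True, "approved": {HEALTH_CHECK}})]
    for label, kw in runs:
        print(label, [h["HostCustomEntity"] for h in hunt(EVENTS, **kw)])
```

Running it shows the raw query catching WS01 (plain one-liner) and SRV01 (the benign health check) while missing the encoded payload on WS02 and the short-namespace form on WS03; decoding and the broader marker recover both, and the exact-command allowlist then removes only SRV01. In KQL the equivalent of the decode step is `base64_decode_tostring` on the extracted argument, and the broader marker is `CommandLine has "Sockets.TCPClient"`.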
Scenario: Legitimate PowerShell Script Execution
Description: A system administrator runs a hand-written script or one-liner that opens a raw TCP socket with New-Object System.Net.Sockets.TCPClient for network testing or diagnostics (a port check or banner grab). The query matches on that literal fragment, not on the reverse-shell behaviour, so such a script produces the same hit as Invoke-PowerShellTcpOneLine.
Filter/Exclusion: Confirm the script is a known one (compare its file hash, or the full command line, against an approved list) and check that the command does not go on to pipe the socket stream into Invoke-Expression, which is what turns the one-liner into a shell. Scripts built on cmdlets such as Test-NetConnection or Test-Connection do not contain this string and will not match, so their presence elsewhere on the host is not by itself grounds for exclusion.
Scenario: Scheduled Job for System Maintenance
Description: A scheduled task runs a PowerShell script that opens a TCPClient to perform a remote health check or reachability test before a system update.
Filter/Exclusion: Correlate with the scheduled task name or the scheduler as parent process, and check that the full command line matches the known maintenance task (e.g., SystemMaintenanceJob or UpdateCheckScript, placeholder names); a changed command line under a familiar task name should still alert.
Scenario: Admin Task for Remote Management
Description: An admin uses PowerShell remoting (Invoke-Command or Enter-PSSession) to run a script block on a remote machine, and that script block itself opens a TCPClient, for example to test connectivity from the remote host.
Filter/Exclusion: Check for Invoke-Command or Enter-PSSession in the command line and whether the command comes from a trusted admin account and source host. Treat this as corroborating rather than exclusionary evidence, because attackers also use PowerShell remoting for lateral movement.
Scenario: PowerShell Module or Script with Known Hash
Description: A legitimate PowerShell module or script (e.g., PSRemotingTools, a placeholder name) contains a TCPClient-based helper as part of its remote-management functionality.
Filter/Exclusion: Exclude executions whose script or module file matches a known-good hash. Filtering on the module name in the command line is weaker, since an attacker can name a file anything, so prefer the hash where file telemetry is available.
Scenario: User-Initiated Remote Debugging Session
Description: A developer is using Invoke-PowerShellTcpOneLine to establish a