Unusual PowerShell execution events that involve downloading files may indicate an adversary attempting to exfiltrate data or deploy malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise early and prevent lateral movement or data theft.
KQL Query

```kql
imProcessCreate
| where Process has_any ("powershell.exe", "powershell_ise.exe") // performance pre-filtering
| extend FileName=tostring(split(TargetProcessName, '\\')[-1])
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where CommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode", "http:", "https:")
| project TimeGenerated, Dvc, User, ActingProcessName, FileName, CommandLine, EventVendor, EventProduct
| top 100 by TimeGenerated
| extend timestamp = TimeGenerated
```
```yaml
id: 93a4ed6c-83e6-4202-8df4-e340dbd20a38
name: PowerShell downloads (Normalized Process Events)
description: |
  'Finds PowerShell execution events that could involve a download'
requiredDataConnectors: []
tactics:
  - Execution
  - CommandAndControl
query: |
  imProcessCreate
  | where Process has_any ("powershell.exe", "powershell_ise.exe") // performance pre-filtering
  | extend FileName=tostring(split(TargetProcessName, '\\')[-1])
  | where FileName in~ ("powershell.exe", "powershell_ise.exe")
  | where CommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode", "http:", "https:")
  | project TimeGenerated, Dvc, User, ActingProcessName, FileName, CommandLine, EventVendor, EventProduct
  | top 100 by TimeGenerated
  | extend timestamp = TimeGenerated
version: 1.0.1
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job runs a PowerShell script to perform system updates or maintenance tasks.
Filter/Exclusion: Exclude events where the process is initiated by a scheduled task with a known maintenance script path (e.g., C:\Windows\System32\Tasks\UpdateTask.ps1).
Scenario: Admin Task - Software Deployment
Description: An administrator uses PowerShell to deploy software to multiple endpoints using tools like SCCM or Intune.
Filter/Exclusion: Exclude events where the process is initiated by a user with administrative privileges and the script path matches known deployment tools (e.g., C:\Program Files\Microsoft\IntuneManagementExtension\DeployScript.ps1).
Scenario: PowerShell Module Update via PSGallery
Description: A user runs Update-Module to fetch the latest version of a PowerShell module from the PowerShell Gallery.
Filter/Exclusion: Exclude events where the command is Update-Module and the module name is known to be part of the organization’s approved module list (e.g., PSReadLine, Pester).
Scenario: Log File Analysis with PowerShell
Description: A security analyst uses PowerShell to analyze log files for troubleshooting or compliance purposes.
Filter/Exclusion: Exclude events where the process is initiated by a user with a security analyst role and the script path includes known log analysis tools (e.g., C:\Tools\LogParser\LogAnalysis.ps1).
Scenario: PowerShell Remoting for Remote Management
Description: An IT admin uses PowerShell Remoting to manage remote servers, which may involve downloading temporary files or scripts.
Filter/Exclusion: Exclude events where the process is initiated via Invoke-Command and the remote computer is in the organization’s trusted network list (e.g