Adversaries may rely on tooling that Microsoft Defender Antivirus classifies as a Potentially Unwanted Application (PUA) to run code that does not raise a conventional malware alert. SOC teams should proactively hunt for PUA detections in Azure Sentinel to surface potentially stealthy activity that standard alerting would otherwise miss.
KQL Query
```kql
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ParsedFields=parse_json(AdditionalFields)
| where ParsedFields.ThreatName contains "PUA"
| project DeviceName, FileName, SHA1, ThreatName=tostring(ParsedFields.ThreatName),
    WasRemediated=tobool(ParsedFields.WasRemediated),
    WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected), Timestamp
```
```yaml
id: 1a954599-aa03-421d-a35f-dbe18859bdd5
name: PUA ThreatName per Computer
description: |
  Today MDE Alerts do not show PUA/WDAV ThreatName. This is a demonstration of how to get, for example, PUA Threat Names.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType == "AntivirusDetection"
  | extend ParsedFields=parse_json(AdditionalFields)
  | where ParsedFields.ThreatName contains "PUA"
  | project DeviceName, FileName, SHA1, ThreatName=tostring(ParsedFields.ThreatName),
      WasRemediated=tobool(ParsedFields.WasRemediated),
      WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected), Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is running a Windows Defender Offline scan as part of a routine security maintenance task.
  Filter/Exclusion: Exclude processes associated with MsMpEng.exe or Windows Defender Offline when executed by a user with administrative privileges.
- Scenario: A scheduled task is configured to run PowerShell scripts for system monitoring or log analysis, which may trigger a PUA (Potentially Unwanted Application) detection.
  Filter/Exclusion: Exclude processes initiated by scheduled tasks, especially those with names like TaskScheduler or schtasks.exe, and filter by user context (e.g., SYSTEM or a known admin account).
- Scenario: A third-party endpoint security tool (e.g., Malwarebytes, Bitdefender, or Kaspersky) is performing a full system scan, which may result in false positives for PUA threats.
  Filter/Exclusion: Exclude processes related to these tools (e.g., mbam.exe, bdagent.exe, kavservice.exe) or use a custom field to identify known security software.
- Scenario: A system update or patching job (e.g., via Windows Update, WSUS, or Microsoft Endpoint Manager) is being executed, which may trigger PUA detection due to temporary file activity.
  Filter/Exclusion: Exclude processes related to update services like wuauserv.exe, svchost.exe (with specific service names), or use a filter based on the update source or timestamp.
- Scenario: A backup or synchronization tool (e.g., Veeam, Acronis, or OneDrive) is copying files across the network, which may be flagged as suspicious activity.
  Filter/Exclusion: Exclude processes associated with backup tools (e.g., `veeam
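The query below is an added example, not part of the original hunting query or its YAML definition. It takes the PUA hunt from the top of the page and applies the exclusion ideas listed in the scenarios above: an allowlist of known security-tool binaries (the file names come from the scenarios; extend them to match your estate), a filter on the account that launched the detected file, and a per-computer summary that ranks detections where the file was running when caught and Defender did not remediate it. The `KnownAdminAccounts` values are constructed placeholders, and `InitiatingProcessAccountName` is a standard `DeviceEvents` column used here on the assumption that your connector populates it.

```kql
// Added example (not the page's own query): PUA hunt with exclusion tuning
// and a per-computer summary. Allowlist values are assumptions to be tuned.
let KnownBenignFiles = dynamic(["MsMpEng.exe", "mbam.exe", "bdagent.exe", "kavservice.exe"]);
let KnownAdminAccounts = dynamic(["SYSTEM", "svc_patching"]);   // constructed placeholder accounts
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| extend ParsedFields = parse_json(AdditionalFields)
| extend ThreatName = tostring(ParsedFields.ThreatName),
         WasRemediated = tobool(ParsedFields.WasRemediated),
         WasExecutingWhileDetected = tobool(ParsedFields.WasExecutingWhileDetected)
| where ThreatName contains "PUA"
// Scenario tuning: drop detections attributed to known security/backup tooling (case-insensitive)
| where FileName !in~ (KnownBenignFiles)
// ... and detections raised by known service or admin accounts running scheduled scans/patching
| where InitiatingProcessAccountName !in~ (KnownAdminAccounts)
// tobool() on a missing field yields null, so treat "unknown" remediation as not remediated
| extend Remediated = coalesce(WasRemediated, false),
         RunningAtDetection = coalesce(WasExecutingWhileDetected, false)
| summarize Detections = count(),
            LastSeen = max(Timestamp),
            Files = make_set(FileName, 20),
            Hashes = make_set(SHA1, 20),
            UnremediatedRunning = countif(RunningAtDetection and not(Remediated))
    by DeviceName, ThreatName
// Highest-risk rows first: PUA that executed and was left in place
| order by UnremediatedRunning desc, Detections desc
```

Keep the allowlist narrow and file-name based only as a first pass; a copied-in binary renamed to match an allowlisted tool would slip through a name-only exclusion, so pair it with the `SHA1` values you collect here (or the "custom field to identify known security software" the scenarios mention) before promoting the query from a hunt to an analytics rule.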