Dev-0270 Malicious PowerShell usage (Kusto Query Language detection rule)
'DEV-0270 heavily uses PowerShell to achieve their objectives at various stages of their attack. To locate PowerShell-related activity tied to the actor, Microsoft Sentinel customers can run the following query.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562 Impair Defenses |
| Exfiltration | T1048 Exfiltration Over Alternative Protocol |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4688 | A new process has been created. |
Query structure
Stage 1: source (union)
Stage 2: union of 2 branches
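The rule's query text is not reproduced on this page, only its shape (a two-branch union over process-creation telemetry, with event 4688 as the listed source). The following is an added example written for this page, not the rule's own query: it shows what such a union looks like in KQL. The pattern list is an assumption, made up of generic PowerShell-abuse and Defender-tampering markers (the T1562 side of the mapping), not the actor-specific terms of the real rule, and the second branch assumes a Defender for Endpoint connector feeding DeviceProcessEvents, which the page does not list.

```kql
// Added example, not the original rule's query.
// Union of two process-creation sources, filtered for PowerShell invocations
// carrying common tampering/obfuscation markers. Pattern list is illustrative.
let lookback = 7d;
let ps_patterns = dynamic([
    "-EncodedCommand",                              // base64-encoded script body
    "-enc ",
    "-ExecutionPolicy Bypass",                      // execution-policy bypass
    "-ep bypass",
    "Set-MpPreference -DisableRealtimeMonitoring",  // Defender tampering (T1562.001)
    "Add-MpPreference -ExclusionPath"
]);
// Branch 1: Windows Security event 4688 (the event listed on this page).
// CommandLine is only populated when the audit policy
// "Include command line in process creation events" is enabled on the host.
let branch_security = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | where NewProcessName has "powershell" or CommandLine has "powershell"
    | where CommandLine has_any (ps_patterns)
    | project TimeGenerated, Computer, Account,
              Process = NewProcessName, CommandLine;
// Branch 2 (assumption: Defender for Endpoint connector present): same logic
// over DeviceProcessEvents, which carries command lines without extra audit policy.
let branch_mde = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FileName has "powershell" or ProcessCommandLine has "powershell"
    | where ProcessCommandLine has_any (ps_patterns)
    | project TimeGenerated, Computer = DeviceName, Account = AccountName,
              Process = FileName, CommandLine = ProcessCommandLine;
// isfuzzy=true lets the query run even if one of the tables is absent
// from the workspace (for example, no MDE connector).
union isfuzzy=true branch_security, branch_mde
| summarize Hits = count(), Examples = make_set(CommandLine, 5)
    by Computer, Account, bin(TimeGenerated, 1h)
| order by Hits desc
```

Two checks before relying on a query of this shape: confirm that 4688 events in the workspace actually carry a CommandLine value (if the command-line audit setting is off, the first branch silently matches nothing), and replace the illustrative pattern list with the terms the real rule uses, since `has_any` matches whole terms case-insensitively and short tokens such as `enc` need review for false positives in your environment.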