Suspicious Powershell Commandlet Executed
This analytic rule detects the execution of a suspicious PowerShell cmdlet on a host. Threat actors often use PowerShell to run commands and scripts for lateral movement, privilege escalation, and data exfiltration.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Defender-DeviceEvents | 9007001 | PowerShell command executed |
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
1. source: `DeviceEvents`
2. where: `ActionType eq "PowerShellCommand"`
3. extend
4. where: `Commandlet match "SuspiciousPowerShellCommandList"`
5. project
6. extend
7. extend
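The seven stages above are only a skeleton, so here is a runnable reconstruction of that pipeline for Microsoft Defender Advanced Hunting or a Sentinel analytic rule. It is an added example, not the catalog's own rule text. Two things are assumptions: that the `PowerShellCommand` action stores the cmdlet name in the `Command` key of `AdditionalFields` (the `extend` at stage 3), and the contents of `SuspiciousPowerShellCommandList`, which the page does not publish, so the regex below is a placeholder with two illustrative entries that you would replace with your own list. The final two `extend` stages are modelled as Sentinel entity-mapping columns, which is a common pattern but is not stated on the page.

```kusto
// Added example reconstructing the catalog rule's stage list; not the original rule text.
// PLACEHOLDER: the real SuspiciousPowerShellCommandList is not on the page. The RE2
// pattern anchors on the whole cmdlet name and matches case-insensitively.
let SuspiciousPowerShellCommandList = @"(?i)^(Invoke-Expression|Invoke-WebRequest)$";
DeviceEvents                                                          // stage 1: source
| where ActionType == "PowerShellCommand"                             // stage 2: where
// stage 3: extend. ASSUMPTION: the cmdlet name sits under AdditionalFields.Command
| extend Commandlet = tostring(parse_json(AdditionalFields).Command)
| where isnotempty(Commandlet)                                         // skip rows where the field is missing
| where Commandlet matches regex SuspiciousPowerShellCommandList      // stage 4: where (match)
| project Timestamp, DeviceId, DeviceName, AccountName, Commandlet,    // stage 5: project
          InitiatingProcessCommandLine, ReportId
// stages 6 and 7: extend. ASSUMPTION: entity columns for Sentinel incident mapping
| extend HostCustomEntity = DeviceName
| extend AccountCustomEntity = AccountName
```

Because stage 4 is a regex match rather than a `has_any` lookup, the anchors `^...$` matter: without them a pattern such as `Invoke-Expression` would also fire on a harmless cmdlet whose name merely contains that substring, which is the usual source of noise in rules of this shape.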
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | "PowerShellCommand" |
| Commandlet | match | "SuspiciousPowerShellCommandList" |