Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FolderPath contains "AppData" | where FolderPath !contains "System32" | project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName

DeviceProcessEvents | where (ProcessVersionInfoInternalFileName =~ "powershell.exe" or ProcessVersionInfoOriginalFileName =~ "powershell.exe") // Exclude standard System32 path | where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "windows\\system32") | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoFileDescription, ProcessVersionInfoOriginalFileName | order by TimeGenerated desc

DeviceProcessEvents | where FolderPath contains "AppData" | where FileName != "powershell.exe" and (InitiatingProcessVersionInfoOriginalFileName == "powershell.exe" or InitiatingProcessVersionInfoFileDescription contains "PowerShell") | summarize count() by FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath | project FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath | take 10

let targetDevice = ""; // optionally set to a specific DeviceName or DeviceId let familiar_host_names = dynamic(["svchost.exe","services.exe","lsass.exe","conhost.exe","spoolsv.exe","rundll32.exe","dllhost.exe","taskhostw.exe","taskhostex.exe","winlogon.exe","smss.exe","csrss.exe","wininit.exe","ctfmon.exe","explorer.exe","searchhost.exe","werfault.exe","sihost.exe"]); DeviceProcessEvents | where ActionType == "ProcessCreated" // Identify the binary as PowerShell (original file) even if renamed | where tolower(ProcessVersionInfoOriginalFileName) in ("powershell.exe","pwsh.exe") or ProcessVersionInfoFileDescription has_cs "Windows PowerShell" or ProcessCommandLine matches regex @"(?i)\b(powershell|pwsh)(\.exe)?\b" // Not from legitimate Windows directories; specifically from user AppData | where tostring(FolderPath) != "" and tolower(FolderPath) contains "\\users\\" and tolower(FolderPath) contains "\\appdata\\" | where not(tolower(FolderPath) startswith "c:\\windows\\system32" or tolower(FolderPath) startswith "c:\\windows\\syswow64") // Optionally scope to a device | where targetDevice == "" or DeviceName =~ targetDevice or DeviceId == targetDevice // Must be masquerading under a familiar Windows host name, not the legit powershell.exe name | where tolower(FileName) != "powershell.exe" and tolower(FileName) in (familiar_host_names) | summarize firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated), execCount=count() by DeviceName, FileName, FolderPath, SHA1 | order by lastSeen desc

// Look for processes originating from AppData (not System32) that appear to be PowerShell or copies of it DeviceProcessEvents | where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "system32") // Indicators of PowerShell or a PowerShell binary renamed/maliciously placed in AppData | where ( tolower(ProcessVersionInfoOriginalFileName) has "powershell" or tolower(ProcessVersionInfoInternalFileName) has "powershell" or tolower(FileName) has_any ("powershell","pwsh") or tolower(ProcessCommandLine) has_any ("powershell","pwsh","-enc","-encodedcommand","-nop","-noninteractive","-w hidden","-windowstyle hidden") ) | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, SHA256, MD5 | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyCommandLines = make_set(ProcessCommandLine, 5), AnyInitiators = make_set(InitiatingProcessFileName, 5) by DeviceName, FileName, FolderPath, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, SHA256, MD5 | order by LastSeen desc | take 50

union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents | extend Folder = tolower(coalesce(FolderPath, InitiatingProcessFolderPath, "")) | extend ProcFile = tolower(coalesce(FileName, InitiatingProcessFileName, FileName, "")) | extend OrigName = tolower(coalesce(ProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoInternalFileName, "")) | extend Cmd = tolower(tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ""))) // only consider binaries coming from an AppData folder (exclude System32) | where Folder contains "\\appdata\\" and Folder !contains "\\windows\\system32\\" // look for PowerShell indicators in version-info or command line (including encoded/IE/Invoke-Expression) | where OrigName contains "powershell" or Cmd contains "powershell" or Cmd contains "-enc" or Cmd contains "encodedcommand" or Cmd contains "invoke-expression" or Cmd contains "iex" // exclude legitimate powershell.exe by filename | where ProcFile !contains "powershell" // reduce noisy results: focus on filenames seen on limited number of devices (likely masquerades) | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count(), Devices = dcount(DeviceName), UniqueProcIds = dcount(coalesce(ProcessId, InitiatingProcessId)) by ProcFile, OrigName, Folder, Sha256 = coalesce(SHA256, InitiatingProcessSHA256), MD5 = coalesce(MD5, InitiatingProcessMD5) | where Devices <= 10 | order by FirstSeen desc | take 50

DeviceProcessEvents | where (FolderPath contains "AppData" and not (FolderPath contains "System32")) or (InitiatingProcessFolderPath contains "AppData" and not (InitiatingProcessFolderPath contains "System32")) | where (FileName contains "powershell" or InitiatingProcessFileName contains "powershell" or ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell") | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine | distinct DeviceName, FileName, FolderPath

DeviceProcessEvents | where FolderPath contains 'AppData' and not(FolderPath contains 'System32') | where ProcessVersionInfoOriginalFileName contains 'powershell' | distinct FileName

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessVersionInfoOriginalFileName == "PowerShell.EXE" | where FolderPath contains "AppData" | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, SHA256

DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" | where tolower(FolderPath) has "users" and tolower(FolderPath) has "appdata" | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, AccountName, AccountDomain | order by TimeGenerated desc

// Detect PowerShell binaries that have been renamed and executed from a user's AppData folder DeviceProcessEvents | where ActionType == "ProcessCreated" // process start events only // 1. Identify files whose PE-metadata says they are PowerShell | where tolower(ProcessVersionInfoInternalFileName) == "powershell.exe" or tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" // 2. But the file on disk is not the legitimate name or path | where tolower(FileName) != "powershell.exe" // masqueraded name | where FolderPath has "\\appdata\\" // executed from the user profile | where FolderPath !has "\\windows\\system32" and FolderPath !has "\\windows\\syswow64" // 3. Surface the masquerading filename | project TimeGenerated, DeviceName, User = strcat(AccountDomain, "\\", AccountName), FileName, FolderPath, SHA256, Signed = InitiatingProcessSignatureStatus, CommandLine = ProcessCommandLine | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, FileName, FolderPath, SHA256, User, Signed | order by LastSeen desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32" | where tolower(InitiatingProcessVersionInfoOriginalFileName) == "powershell.exe" | where tolower(FileName) != "powershell.exe" | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessVersionInfoOriginalFileName | limit 50

DeviceProcessEvents | where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32" | where tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessVersionInfoOriginalFileName) contains "powershell" | project TimeGenerated, DeviceName, FileName, InitiatingProcessVersionInfoOriginalFileName, FolderPath, ProcessCommandLine, ProcessId | sort by TimeGenerated desc

DeviceProcessEvents // Processes launched from a user AppData folder (not the system path) | where FolderPath has "\\Users\\" and FolderPath has "\\AppData\\" and not(FolderPath has "\\Windows\\System32\\") // Identify entries where the original file name is PowerShell but the actual file name differs | where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" and tolower(FileName) != "powershell.exe" // Aggregate by the masquerade filename | summarize Occurrences = count() by MasqueradeFile = FileName | sort by Occurrences desc

DeviceProcessEvents | where FolderPath has "\\AppData\\" // Running out of a user profile AppData folder | where ProcessVersionInfoOriginalFileName endswith "powershell.exe" // Internally still PowerShell | where FileName != "powershell.exe" // Exclude the real PowerShell binary name | distinct FileName