The powercat-download rule detects adversaries using PowerShell-based tools to download and execute malicious payloads, leveraging the powercat framework to establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential initial access or persistence tactics early in the attack lifecycle.
KQL Query
DeviceProcessEvents | where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where ProcessCommandLine endswith "powercat.ps1"
id: 12793a73-e49d-4b3d-bb87-e4d4a326d610
name: powercat-download
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query detects downloads of powercat, an exploitation tool for PowerShell. Although associated with these zero-day attacks, powercat is a multi-purpose tool that is also used by other groups of attackers.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
- Discovery
- Exfiltration
- Malware, component
query: |
DeviceProcessEvents | where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where ProcessCommandLine endswith "powercat.ps1"
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate software update from an internal repository.
Filter/Exclusion: Exclude traffic originating from known admin workstations or IP addresses associated with internal update servers.
Scenario: A scheduled job runs PowerShell to fetch configuration files from a central management server using PowerShell remoting.
Filter/Exclusion: Exclude PowerShell scripts executed by scheduled tasks or from known configuration management tools like Ansible or Chef.
Scenario: An IT support team uses PowerShell to deploy a patch using PowerShell DSC (Desired State Configuration).
Filter/Exclusion: Exclude PowerShell scripts that match known DSC module names or are executed via the Microsoft PowerShell DSC service.
Scenario: A user runs PowerShell to download a legitimate third-party tool (e.g., Chocolatey) from a trusted repository.
Filter/Exclusion: Exclude downloads from known trusted repositories like chocolatey.org or GitHub with verified SSL certificates.
Scenario: A developer uses PowerShell to fetch code from a version control system (e.g., GitHub Actions) as part of a CI/CD pipeline.
Filter/Exclusion: Exclude PowerShell scripts executed from known CI/CD pipelines or against known development repositories.