Malicious PowerShell scripts are often used by adversaries to execute arbitrary code and establish persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early in the attack chain.
YARA Rule
rule powershell {
    // Single case-insensitive string match: fires on any occurrence of "powershell",
    // so it is a broad hunting rule, not a high-fidelity alert, and needs the
    // exclusions listed below before it is useful in production.
    strings:
        $a = "powershell" nocase
    condition:
        $a
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic.
Scenario: Scheduled System Maintenance Task Using PowerShell
Description: A legitimate scheduled task runs a PowerShell script to perform system updates or maintenance.
Filter/Exclusion: Exclude scripts that match known system maintenance tools (e.g., Update-AppxProvisionedPackage, Start-Process -FilePath "wuauclt.exe") or use the Task Scheduler module.
Scenario: Admin Performing PowerShell Remoting (PSRemoting)
Description: An administrator uses PowerShell Remoting (Invoke-Command) to manage remote servers.
Filter/Exclusion: Exclude traffic involving PSRemoting or scripts that use New-PSSession and are initiated from known admin workstations or IP ranges.
Scenario: PowerShell Script for Log File Analysis
Description: A security analyst runs a script to parse and analyze log files using PowerShell.
Filter/Exclusion: Exclude scripts that read event logs (e.g., Get-EventLog or Get-EventLog -LogName System) and are executed from known analyst workstations or user accounts.
Scenario: PowerShell Module for Software Deployment
Description: A script from a trusted deployment tool (e.g., SCCM, Chocolatey) is used to install software.
Filter/Exclusion: Exclude scripts that use known deployment tools (e.g., choco install, Start-Process -FilePath "setup.exe") or are signed by a trusted certificate.
Scenario: PowerShell Script for Backup Automation
Description: A script is used to automate backup processes using PowerShell.
Filter/Exclusion: Exclude scripts that interact with backup tools (e.g., Backup-Item, Get-ChildItem for backup directories) and are executed by backup service accounts or scheduled tasks.
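To show how the rule's string match and the five scenario filters combine in practice, the following Python example is added here; it is not part of the original page and is not Azure Sentinel or YARA content. It applies the rule's case-insensitive "powershell" match to constructed process-creation events and then tests each scenario exclusion in order. The host names, account names, signer subject and command lines are constructed, and the allowlist sets (ADMIN_WORKSTATIONS, ANALYST_ACCOUNTS, BACKUP_SERVICE_ACCOUNTS, TRUSTED_SIGNERS) are assumptions standing in for asset-inventory and identity data.

```python
"""Apply the 'powershell' string match and the five scenario exclusions
to constructed process-creation events (added example, not page code)."""
import re
from dataclasses import dataclass
from typing import Optional

# The YARA rule reduces to one case-insensitive substring match.
POWERSHELL_PATTERN = re.compile(r"powershell", re.IGNORECASE)

# Constructed allowlists standing in for asset inventory / identity data.
ADMIN_WORKSTATIONS = {"ADM-WS01", "ADM-WS02"}
ANALYST_ACCOUNTS = {"CORP\\s.analyst"}
BACKUP_SERVICE_ACCOUNTS = {"CORP\\svc_backup"}
TRUSTED_SIGNERS = {"CN=Example Deployment Signer"}  # constructed subject name

# Command-line markers taken from the scenario filters.
MAINTENANCE_MARKERS = ("update-appxprovisionedpackage", "wuauclt.exe", "scheduledtask")
REMOTING_MARKERS = ("invoke-command", "new-pssession")
DEPLOYMENT_MARKERS = ("choco install", "setup.exe")


@dataclass
class Event:
    host: str
    user: str
    command_line: str
    signer: str = ""  # Authenticode signer subject of the script, if any


def matches_rule(text: str) -> bool:
    """Equivalent of the YARA condition: $a = "powershell" nocase."""
    return POWERSHELL_PATTERN.search(text) is not None


def exclusion_reason(ev: Event) -> Optional[str]:
    """Return the scenario that excludes this event, or None if it should alert.

    Scenarios 2, 3 and 5 pair a command-line marker with a context condition
    (host, account). Scenarios 1 and 4 follow the page and accept a marker or
    a trusted signer alone, which makes them the weakest filters of the five.
    """
    cl = ev.command_line.lower()
    if any(m in cl for m in MAINTENANCE_MARKERS):
        return "scheduled-maintenance"
    if any(m in cl for m in REMOTING_MARKERS) and ev.host in ADMIN_WORKSTATIONS:
        return "admin-psremoting"
    if "get-eventlog" in cl and ev.user in ANALYST_ACCOUNTS:
        return "analyst-log-review"
    if any(m in cl for m in DEPLOYMENT_MARKERS) or ev.signer in TRUSTED_SIGNERS:
        return "software-deployment"
    if "backup" in cl and ev.user in BACKUP_SERVICE_ACCOUNTS:
        return "backup-automation"
    return None


def triage(events: list) -> list:
    """Classify each event as no_match, excluded (with reason) or alert."""
    results = []
    for ev in events:
        if not matches_rule(ev.command_line):
            status, reason = "no_match", None
        else:
            reason = exclusion_reason(ev)
            status = "excluded" if reason else "alert"
        results.append({"host": ev.host, "user": ev.user, "status": status, "reason": reason})
    return results


def summarize(events: list) -> dict:
    """Count outcomes; a quick tuning metric when adjusting the allowlists."""
    counts = {"no_match": 0, "excluded": 0, "alert": 0}
    for r in triage(events):
        counts[r["status"]] += 1
    return counts


# Constructed sample events; payloads and hosts are fictitious.
SAMPLE_EVENTS = [
    Event("SRV-APP01", "NT AUTHORITY\\SYSTEM",  # scenario 1 -> excluded
          'powershell.exe -Command "Start-Process -FilePath wuauclt.exe -ArgumentList /detectnow"'),
    Event("ADM-WS01", "CORP\\admin1",  # scenario 2, allowlisted host -> excluded
          "powershell.exe -NoProfile -Command Invoke-Command -ComputerName SRV01 -ScriptBlock {Get-Service}"),
    Event("WS-0421", "CORP\\j.doe",  # same command, unknown host -> alert
          "powershell.exe -NoProfile -Command Invoke-Command -ComputerName SRV01 -ScriptBlock {Get-Service}"),
    Event("ANL-WS01", "CORP\\s.analyst",  # scenario 3, known analyst -> excluded
          "PowerShell -Command Get-EventLog -LogName System -Newest 50"),
    Event("WS-0333", "CORP\\k.lee",  # same command, unknown account -> alert
          "PowerShell -Command Get-EventLog -LogName System -Newest 50"),
    Event("WS-0102", "CORP\\svc_sccm",  # scenario 4, trusted signer -> excluded
          "powershell.exe -File C:\\Deploy\\install-agent.ps1", signer="CN=Example Deployment Signer"),
    Event("SRV-BK01", "CORP\\svc_backup",  # scenario 5 -> excluded
          "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"),
    Event("WS-0777", "CORP\\m.ng",  # no exclusion applies -> alert (payload omitted)
          "powershell.exe -w hidden -EncodedCommand <omitted>"),
    Event("WS-0777", "CORP\\m.ng", "cmd.exe /c dir C:\\Users"),  # rule does not fire
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['host']:<10} {r['user']:<22} {r['status']:<9} {r['reason'] or ''}")
    print(summarize(SAMPLE_EVENTS))
```

Events 3 and 5 carry exactly the command lines that events 2 and 4 do, yet they alert, because their host or account is outside the allowlist; that is the property to preserve when tuning, since a content-only exclusion such as scenario 4's marker check is satisfied by whatever text the command line happens to contain.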