Investigating PowerShell Attacks in Microsoft Defender XDR.
PowerShell executed.
Nobody noticed.
Until the command line revealed what really happened.
Agent Foskett followed the evidence.
Lesson overview
Learn how to investigate malicious PowerShell activity by analysing process creation, encoded commands, suspicious parent processes, downloads, network activity and file evidence.
Why PowerShell attacks matter
The PowerShell attack investigation workflow
Step 1 — Find PowerShell execution
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| project Timestamp,
DeviceName,
AccountName,
AccountUpn,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 2 — Look for encoded commands
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "EncodedCommand")
| project Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 3 — Review suspicious parent processes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "msedge.exe", "chrome.exe", "wscript.exe", "cscript.exe")
| project Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
ProcessCommandLine
| order by Timestamp desc
Step 4 — Find download behaviour
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Invoke-WebRequest", "iwr", "curl", "wget", "WebClient", "DownloadString", "DownloadFile")
| project Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 5 — Correlate PowerShell with network activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| project ProcessTime = Timestamp,
DeviceId,
DeviceName,
AccountName,
ProcessCommandLine
| join kind=inner (
DeviceNetworkEvents
| project NetworkTime = Timestamp,
DeviceId,
InitiatingProcessFileName,
RemoteUrl,
RemoteIP,
RemotePort
) on DeviceId
| where NetworkTime between (ProcessTime .. ProcessTime + 30m)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| order by NetworkTime asc
Step 6 — Check files created after PowerShell
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| project ProcessTime = Timestamp,
DeviceId,
DeviceName,
AccountName,
ProcessCommandLine
| join kind=inner (
DeviceFileEvents
| project FileTime = Timestamp,
DeviceId,
FileName,
FolderPath,
SHA256,
InitiatingProcessFileName
) on DeviceId
| where FileTime between (ProcessTime .. ProcessTime + 30m)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| order by FileTime asc
How to read the evidence
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating PowerShell Attacks in Microsoft Defender XDR
Agent Foskett Academy Lesson 82 teaches defenders how to investigate PowerShell attacks in Microsoft Defender XDR.
Defender XDR PowerShell attack investigation workflow
This lesson explains how DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, ProcessCommandLine, InitiatingProcessFileName, encoded commands, download cradles, RemoteUrl, RemoteIP and file hashes help defenders reconstruct malicious PowerShell activity.
