Microsoft Defender XDR • PowerShell • Living Off The Land

Nothing Flagged The PowerShell Download

No malware alert appeared.

No obvious Defender incident was raised. The endpoint kept working, the browser never complained and the user noticed nothing strange.

But Microsoft Defender XDR still had the evidence.

PowerShell had quietly reached out to the Internet, downloaded a file and handed the investigation a behaviour trail that was more useful than any alert.

Agent Foskett Microsoft Defender XDR PowerShell download investigation
Briefing summary

Attackers do not always need custom malware. Sometimes they use trusted Windows tools to download, stage and execute activity quietly. The absence of an alert is not the absence of evidence.

No Obvious Alert
PowerShell Download
Network Evidence
Behaviour Over Alerts

No alert did not mean no activity

PowerShell was doing exactly what it was designed to do. That is what made the behaviour worth investigating.
A trusted binary PowerShell is built into Windows and commonly used by administrators, automation scripts and management tools.
A quiet download The command retrieved content over the network without creating an obvious user-facing event.
A behaviour trail Even without an alert, Defender telemetry can show process execution, command lines, network connections and file writes.

What Defender XDR can show

A PowerShell download investigation usually crosses process, network and file telemetry.
DeviceProcessEvents Start with the command line. Look for download verbs, encoded commands, hidden windows and suspicious parents.
DeviceNetworkEvents Review where PowerShell connected, what URL or IP was contacted, and whether the destination fits normal behaviour.
DeviceFileEvents Confirm whether the downloaded content created or modified files in Temp, AppData, ProgramData or other staging paths.

Find suspicious PowerShell downloads

Search for common PowerShell download patterns and living-off-the-land transfer commands.
find-suspicious-powershell-downloads.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "Invoke-WebRequest",
    "iwr",
    "DownloadString",
    "DownloadFile",
    "WebClient",
    "curl",
    "wget",
    "Start-BitsTransfer"
)
| project
    Timestamp,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    FileName,
    ProcessCommandLine
| order by Timestamp desc

Why attackers love PowerShell

The technique is powerful because the tool is already present and often trusted.
Already installed Attackers do not need to bring a downloader if the endpoint already contains one.
Administrator friendly PowerShell is normal in many environments, which makes suspicious use harder to spot without context.
Internet capable A short command can retrieve remote content, execute code, write files or start the next stage of an attack.

Review PowerShell network activity

Use network telemetry to identify where PowerShell connected and what process command line initiated the connection.
review-powershell-network-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    Protocol
| order by Timestamp desc

The download was only one step

A file download becomes more important when it is followed by execution, persistence or outbound communication.
What launched PowerShell? A browser, Office app, script host or email client launching PowerShell changes the context immediately.
What did it download? Look for file writes, hashes, suspicious extensions and staging paths after the network request.
What happened next? Execution after download can reveal the real payload, persistence mechanism or follow-on command chain.

Find files created by PowerShell

Downloads often leave a trace in user-writable folders, temporary paths or staging directories.
find-files-created-by-powershell.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
DeviceFileEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| project
    Timestamp,
    DeviceName,
    ActionType,
    FolderPath,
    FileName,
    SHA256,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by Timestamp desc

Look for obfuscation and stealth

A simple download is suspicious enough. Hidden windows, encoded commands and execution bypasses raise the priority.
look-for-powershell-obfuscation-and-stealth.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "-EncodedCommand",
    "-enc",
    "-nop",
    "-w hidden",
    "-windowstyle hidden",
    "bypass",
    "DownloadString",
    "Invoke-Expression",
    "IEX"
)
| project
    Timestamp,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    FileName,
    ProcessCommandLine
| order by Timestamp desc

Why nothing flagged it

Many quiet attacks are made from legitimate pieces arranged in suspicious ways.
Legitimate binary The process name alone may not be malicious. PowerShell is expected in many managed environments.
Legitimate protocol HTTPS traffic to the Internet is common. The destination and command context matter more than the protocol.
Legitimate user If the command runs in the user context, it may not immediately look like privilege escalation or malware execution.

Build the investigation timeline

Correlate process, network, file and registry activity around the endpoint and time window.
build-the-powershell-download-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
let InvestigationDevice = "DEVICE-NAME-HERE";
let StartTime = ago(1d);
union isfuzzy=true
(
    DeviceProcessEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="Process", ActionType, Detail=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    DeviceNetworkEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="Network", ActionType, Detail=strcat(RemoteUrl, " ", RemoteIP, ":", RemotePort), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    DeviceFileEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="File", ActionType, Detail=strcat(FolderPath, "\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    DeviceRegistryEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="Registry", ActionType, Detail=strcat(RegistryKey, " ", RegistryValueName, " ", RegistryValueData), InitiatingProcessFileName, InitiatingProcessCommandLine
)
| order by Timestamp asc

What investigators should ask

The best PowerShell download investigations move beyond the single command.
Was PowerShell expected? Compare the account, parent process, device role and time of execution against normal administrative activity.
Was the destination trusted? Review the URL, domain, IP address, certificate context and whether other devices contacted the same destination.
Did the payload run? Pivot into file creation, process execution, registry changes and scheduled tasks after the download.

Related investigations

Continue the investigation through AppData execution, persistence, process trees and PowerShell analysis.
The Script Ran From AppData Investigate suspicious script execution from user-writable folders.
The Scheduled Task Was The Persistence Follow persistence after the initial command or payload disappears.
The Child Process Shouldn't Have Existed Use parent-child process relationships to explain suspicious execution.
The PowerShell Command Was Base64 Encoded Understand encoded PowerShell and command-line obfuscation.
The Browser Spawned PowerShell Investigate unexpected browser-to-PowerShell execution chains.
The Timeline Told The Story Build a defensible timeline across Microsoft Defender XDR evidence.
Need help investigating endpoint behaviour?
GEMXIT helps organisations understand Microsoft Defender XDR evidence, endpoint telemetry, KQL hunting and practical incident response.
Contact GEMXIT

Final thought

Nothing looked malicious until the behaviour was connected.
At GEMXIT We help organisations investigate Microsoft Defender XDR, endpoint security, PowerShell execution, living-off-the-land behaviour and practical threat hunting. If you want to understand how this applies to your environment, see our Microsoft Security services.
Agent Foskett mindset Do not stop because there was no alert. If the behaviour is unusual, the investigation is still real.
Develop IT. Protect IT. PowerShell did what it was built to do. The evidence showed why that mattered. GEMXIT PTY LTD | GEMXIT UK LTD

Nothing Flagged The PowerShell Download

This Agent Foskett investigation explains how PowerShell can download files without producing an obvious alert and how Microsoft Defender XDR helps defenders investigate the behaviour.

Microsoft Defender XDR PowerShell Download Investigation

DeviceProcessEvents, DeviceNetworkEvents and DeviceFileEvents can help defenders investigate Invoke-WebRequest, DownloadString, WebClient, Start-BitsTransfer and suspicious PowerShell network activity.

KQL Hunting For Living Off The Land PowerShell Activity

Defenders can use KQL to hunt for PowerShell downloads, suspicious command lines, network connections, file writes, encoded commands, hidden windows and post-download execution.