Nothing Flagged The PowerShell Download
No malware alert appeared.
No obvious Defender incident was raised. The endpoint kept working, the browser never complained and the user noticed nothing strange.
But Microsoft Defender XDR still had the evidence.
PowerShell had quietly reached out to the Internet, downloaded a file and handed the investigation a behaviour trail that was more useful than any alert.

Briefing summary
Attackers do not always need custom malware. Sometimes they use trusted Windows tools to download, stage and execute activity quietly. The absence of an alert is not the absence of evidence.
No alert did not mean no activity
What Defender XDR can show
Find suspicious PowerShell downloads
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
"Invoke-WebRequest",
"iwr",
"DownloadString",
"DownloadFile",
"WebClient",
"curl",
"wget",
"Start-BitsTransfer"
)
| project
Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
ProcessCommandLine
| order by Timestamp desc
Why attackers love PowerShell
Review PowerShell network activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project
Timestamp,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RemoteUrl,
RemoteIP,
RemotePort,
Protocol
| order by Timestamp desc
The download was only one step
Find files created by PowerShell
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
DeviceFileEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| project
Timestamp,
DeviceName,
ActionType,
FolderPath,
FileName,
SHA256,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp desc
Look for obfuscation and stealth
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
"-EncodedCommand",
"-enc",
"-nop",
"-w hidden",
"-windowstyle hidden",
"bypass",
"DownloadString",
"Invoke-Expression",
"IEX"
)
| project
Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
FileName,
ProcessCommandLine
| order by Timestamp desc
Why nothing flagged it
Build the investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
let InvestigationDevice = "DEVICE-NAME-HERE";
let StartTime = ago(1d);
union isfuzzy=true
(
DeviceProcessEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="Process", ActionType, Detail=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
DeviceNetworkEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="Network", ActionType, Detail=strcat(RemoteUrl, " ", RemoteIP, ":", RemotePort), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
DeviceFileEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="File", ActionType, Detail=strcat(FolderPath, "\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
DeviceRegistryEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="Registry", ActionType, Detail=strcat(RegistryKey, " ", RegistryValueName, " ", RegistryValueData), InitiatingProcessFileName, InitiatingProcessCommandLine
)
| order by Timestamp asc
What investigators should ask
Related investigations
Final thought
Nothing Flagged The PowerShell Download
This Agent Foskett investigation explains how PowerShell can download files without producing an obvious alert and how Microsoft Defender XDR helps defenders investigate the behaviour.
Microsoft Defender XDR PowerShell Download Investigation
DeviceProcessEvents, DeviceNetworkEvents and DeviceFileEvents can help defenders investigate Invoke-WebRequest, DownloadString, WebClient, Start-BitsTransfer and suspicious PowerShell network activity.
KQL Hunting For Living Off The Land PowerShell Activity
Defenders can use KQL to hunt for PowerShell downloads, suspicious command lines, network connections, file writes, encoded commands, hidden windows and post-download execution.
