Query Details

PowerShell No Profile (APT 28)

Power Shell No Profile

Query

DeviceProcessEvents
| where ProcessCommandLine has_all ("-nop", "powershell.exe")
| summarize TotalCommands = dcount(ProcessCommandLine), ExecutedCommands = make_set(ProcessCommandLine) by DeviceName

About this query

Explanation

This query is designed to detect suspicious activity associated with APT28, a known threat group. Specifically, it looks for instances where PowerShell is used in a potentially malicious way. The query focuses on PowerShell commands that include the "-nop" (no profile) and "powershell.exe" keywords, which are indicative of attempts to run PowerShell without loading user profiles, a common tactic used to evade detection.

Here's a simple breakdown of what the query does:

  1. Data Source: It examines events related to processes on devices, specifically looking at the command lines used to execute these processes.

  2. Filter Criteria: It filters for command lines that contain both "-nop" and "powershell.exe". This combination suggests that PowerShell is being run in a way that avoids loading user profiles, which can be a sign of malicious activity.

  3. Summarization: For each device, it counts the number of unique commands that match the criteria and lists these commands. This helps identify which devices have executed potentially suspicious PowerShell commands and what those commands were.

  4. Purpose: The goal is to identify and investigate devices that might be compromised by APT28, as these commands are similar to those used by the group in their attacks.

Overall, this query helps security teams monitor for and respond to potential threats from APT28 by identifying unusual PowerShell usage patterns.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessCommandLine

Operators

has_allsummarizedcountmake_setby

Actions

GitHub