kqlHunting

PowerShell Defensive Evasion Detection

This query flags process launches whose command line combines a hidden-window PowerShell Start-Process invocation with SilentlyContinue error handling, a pairing used to keep activity out of the user's sight and to suppress error output. As written, both strings must be present; switch has_all to has_any to match either one on its own (broader, but noisier).

Detection Query

//This query detects PowerShell commands using hidden windows or silent continue
//Helps identify attempts to hide malicious activity from users
//has_all requires both strings in the command line; matching is case-insensitive and term-based
DeviceProcessEvents
| where ProcessCommandLine has_all("SilentlyContinue","Start-Process -WindowStyle Hidden") //can switch to has_any also (matches either string, more hits)
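To see what the has_all / has_any switch changes, the following is an added Python emulation of the query's predicate run over constructed DeviceProcessEvents-shaped rows; it is not code from the kqlHunting project. The tokenizer approximates KQL term matching (case-insensitive, whole alphanumeric terms, a multi-word phrase matched as adjacent terms); it is an assumption for illustration, not the engine's implementation.

```python
import re

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -ErrorAction SilentlyContinue -Command '
                           '"Start-Process -WindowStyle Hidden C:\\Temp\\a.exe"'},
    {"DeviceName": "ws02", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Start-Process -WindowStyle Hidden notepad.exe"},
    {"DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-Item C:\\missing.txt -ErrorAction SilentlyContinue"},
    {"DeviceName": "ws04", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -Command "start-process -windowstyle hidden '
                           '-erroraction silentlycontinue calc.exe"'},
    {"DeviceName": "ws05", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo HiddenWindowStyle"},
]

# Assumed approximation of KQL term matching: lower-case alphanumeric runs are terms.
def _terms(text: str) -> list[str]:
    return re.findall(r"[A-Za-z0-9]+", text.lower())

def has(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: every term of `phrase` appears as whole terms,
    adjacent and in order, in `text`; case-insensitive."""
    t, p = _terms(text), _terms(phrase)
    if not p:
        return False
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))

def has_all(text: str, phrases) -> bool:
    return all(has(text, p) for p in phrases)

def has_any(text: str, phrases) -> bool:
    return any(has(text, p) for p in phrases)

# The two strings from the hunting query.
QUERY_TERMS = ("SilentlyContinue", "Start-Process -WindowStyle Hidden")

def hunt(events, mode: str = "has_all") -> list[str]:
    """Return DeviceName for each row the query predicate would keep."""
    predicate = has_all if mode == "has_all" else has_any
    return [e["DeviceName"] for e in events
            if predicate(e["ProcessCommandLine"], QUERY_TERMS)]

if __name__ == "__main__":
    print("has_all:", hunt(SAMPLE_EVENTS))            # ws01, ws04
    print("has_any:", hunt(SAMPLE_EVENTS, "has_any"))  # ws01..ws04
```

Under has_all only ws01 and ws04 (the lower-case variant) are kept; has_any also returns ws02 and ws03, which each carry one of the strings. ws05 never matches because "HiddenWindowStyle" is a single term, not the separate terms the phrase needs. Note also that the phrase match expects "Start-Process", "-WindowStyle" and "Hidden" adjacent; if a tuned version should tolerate other arguments between them, split the phrase into separate terms.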

Data Sources

DeviceProcessEvents

Platforms

windows

Tags

defender