DEV-0270 heavily uses PowerShell to achieve its objectives at various stages of its attacks. To locate PowerShell-related activity tied to this actor, Microsoft Sentinel customers can run the following query.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Dev 0270 Detection and Hunting |
| ID | 422ca2bf-598b-4872-82bb-5f7e8fa731e7 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | Exfiltration, DefenseEvasion |
| Techniques | T1048, T1562 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents, MicrosoftThreatProtection |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| DeviceProcessEvents | ✓ | ✗ | ? |
| SecurityEvent | ✓ | ✓ | ? |