Identifies PowerShell spawned by explorer.exe with a hidden window and a remote-execution or evasion flag. This is consistent with BadUSB HID injection opening the Windows Run dialog via WIN+R; the explorer.exe parent is the keystroke-injection signal.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 683b2baa-39c3-457d-b64e-2e57c8fc83ba |
| Tactics | Execution, DefenseEvasion, InitialAccess |
| Techniques | T1059.001, T1564.003, T1200 |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/DeviceProcess/BadUSBPowerShellRunDialog.yaml) |