-
Notifications
You must be signed in to change notification settings - Fork 0
/
MDE-Copy of unusual command query
25 lines (24 loc) · 2.16 KB
/
MDE-Copy of unusual command query
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.
// This covers all Powershell commands executed in the Powershell engine by any process.
//let DeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
//let timestamp = datetime(2018-06-09T02:23:26.6832917Z);
// Query for Powershell cmdlets
//let powershellCommands =
DeviceEvents
| where ActionType == "PowerShellCommand"
// Extract the powershell command name from the Command field in the AdditionalFields JSON column
| project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
| where PowershellCommand !endswith ".ps1" and PowershellCommand !endswith ".exe";
// Filter Powershell cmdlets executed on relevant machine and time period
//powershellCommands | where DeviceId == DeviceId and Timestamp between ((timestamp-5min) .. 10min)
// Filter out common powershell cmdlets
//| join kind=leftanti (powershellCommands | summarize MachineCount=dcount(DeviceId) by PowershellCommand | where MachineCount > 20) on PowershellCommand
// To learn more about queries on Powershell commands, take a look this post: https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-PowerShell-commands/m-p/210898#M30
// Related queries:
// 1. Found a suspicious command? Let's pivot to see on which other machines it was executed:
// https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Execution/PowershellCommand%20footprint.txt
// 2. We know typing an exact timestamp could be annoying...
// Why not query for the timestamp of the event you're looking for instead?
// In example, when investigating at an alert, look for the powershell commands executed around the time of the first event detected in that alert.
// https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/General%20queries/Events%20surrounding%20alert.txt
// This query was updated on 2020-03-01 from https://github.com/Microsoft/windowsDefenderATP-Hunting-Queries/tree/master/Execution/PowershellCommand%20-%20uncommon%20commands%20on%20machine.txt