gpt-5-mini-medium

KQL Benchmark Performance Analysis

Performance Overview

Success Rate

45.5%

(85 / 187 successful)

Average Attempts

3.50

per question

Avg. Execution Time

25.72s

Total Cost

$2.8099

Detailed Test Results

Detailed breakdown of each test case (Page 1 of 4).
# | Prompt (Question) | MITRE ATT&CK | Correct Answer | LLM Answer | Correct | KQL Query from LLM
1
On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target.
8.8.8.8
8.8.8.8
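// Ping target discovery (Linux). Sources, in order of trust:
//   1. DeviceProcessEvents / DeviceEvents rows whose command line runs ping or ping6;
//   2. DeviceNetworkEvents rows that look like ICMP, as a corroborating source.
// Look-back is fixed at the last 7 days, from the start of that day.
let lookback_start = startofday(now(-7d));
// Whole-word ping/ping6, optionally path-qualified (/bin/ping). The original `contains "ping"`
// also matched mapping/shipping/sleeping, which is why it over-collected.
let ping_cmd_re = @"(?i)(?:^|[\s/])ping6?(?:\s|$)";
// Resolve the ping destination from a command line: an IPv4 literal wins, then an IPv6
// literal (must contain at least two ':' so ordinary words are not taken for addresses),
// otherwise the last whitespace-separated token (a hostname, e.g. `ping example.com`).
let ping_target = (cmd:string) {
    let v4 = extract(@"((?:[0-9]{1,3}\.){3}[0-9]{1,3})", 1, cmd);
    let v6 = extract(@"([0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7})", 1, cmd);
    let last_token = tostring(split(trim(@"\s+", cmd), " ")[-1]);
    iif(isnotempty(v4), v4, iif(isnotempty(v6), v6, last_token))
};
let proc_pings = DeviceProcessEvents
    | where TimeGenerated between (lookback_start .. now())
    | where ProcessCommandLine matches regex ping_cmd_re
    | extend Target = ping_target(ProcessCommandLine)
    | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, Target;
// DeviceEvents carries a ProcessCommandLine for process-related events. ProcessId keeps its own
// name here so the final distinct can use it (the original renamed it to InitiatingProcessId for
// this branch, which left ProcessId empty in the output for those rows).
let dev_pings = DeviceEvents
    | where TimeGenerated between (lookback_start .. now())
    | where ProcessCommandLine matches regex ping_cmd_re
    | extend Target = ping_target(ProcessCommandLine)
    | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, Target;
// The RemoteUrl / AdditionalFields checks are the original query's ICMP heuristics and are kept as-is;
// whether the sensor reports ICMP at all is not something this query can verify.
let icmp_net = DeviceNetworkEvents
    | where TimeGenerated between (lookback_start .. now())
    | where Protocol == "ICMP"
        or tolower(RemoteUrl) contains "icmp"
        or tolower(tostring(AdditionalFields)) contains "icmp"
    | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName,
              ProcessId = InitiatingProcessId, ProcessCommandLine = InitiatingProcessCommandLine, RemoteIP;
union proc_pings, dev_pings, icmp_net
| extend DetectedTarget = iif(isnotempty(Target), Target, RemoteIP)
| where isnotempty(DetectedTarget)
| distinct DeviceName, DetectedTarget, AccountName, ProcessId, ProcessCommandLine, RemoteIP, TimeGenerated
// sort after distinct: distinct does not preserve input order, so the original sort-then-distinct was lost
| sort by TimeGenerated desc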
2
In a Linux environment, an elevated process was used to execute a command that read /etc/shadow and redirected its output to a file. Identify what file name was employed to store these results.
T1003.008.txt
redirected
let shadow_patterns = dynamic(["/etc/shadow","etc/shadow","shadow"]); // Find process events where the initiating process command line reads /etc/shadow and uses redirection DeviceProcessEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) | where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) | extend cmd = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | where cmd has "/etc/shadow" or cmd has "etc/shadow" | where cmd matches regex @"[>]{1,2}\s*[^\s]+$" or cmd contains ">" or cmd contains ">>" | extend redirected = extract(@"[>]{1,2}\s*([^\s]+)$", 1, cmd) | extend redirected = trim('\"''', redirected) | extend InitiatingAccount = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName) | project TimeGenerated, DeviceName, InitiatingAccount, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ProcessCommandLine, redirected | where isnotempty(redirected) | summarize any(InitiatingProcessFileName), any(DeviceName), any(InitiatingAccount), any(InitiatingProcessId), make_set(redirected) by redirected | order by tostring(redirected) asc // Additionally, search DeviceFileEvents for writes that could be the target file | union ( DeviceFileEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) | where ActionType in ("FileCreated", "FileModified", "FileWritten", "FileCreatedByProcess") or FileName has_any ("shadow", "shadow_export") | extend fullpath = strcat(FolderPath, "/", FileName) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, fullpath ) | summarize by redirected
3
On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command?
cmdkey /list
cmdkey.exe /list
// Identify usage of Windows Credential Manager listing commands (cmdkey /list or KRShowKeyMgr via rundll32) let cmd_names = dynamic(["cmdkey.exe","cmdkey","rundll32.exe","rundll32"]); // Search process events where the commanded process is cmdkey or rundll32 calling keymgr.dll union isfuzzy=true (DeviceProcessEvents | where tostring(ProcessCommandLine) has_any ("cmdkey","/list","/list:") or (FileName has_cs "cmdkey" and ProcessCommandLine!="") | extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine ), (DeviceEvents | where isnotempty(ProcessCommandLine) and (tolower(ProcessCommandLine) has "cmdkey" or tolower(ProcessCommandLine) has "krshowkeymgr" or (tolower(ProcessCommandLine) has "rundll32" and tolower(ProcessCommandLine) has "keymgr")) | extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine ) | where CmdLine has_any ("cmdkey","/list","krshowkeymgr","keymgr") | where CmdLine !has "cmdkey /delete" // exclude deletes to focus on listing | extend CmdLineClean = trim(' ', CmdLine) | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, FileName=ProcFile, CmdLineClean, InitiatingProcessCommandLine=ProcInitiatingCmd, ProcessId | summarize count(), AnyTime = min(TimeGenerated) by CmdLineClean, DeviceName, DeviceId, FileName | order by AnyTime desc | take 100
4
A threat actor on a Windows system crafted and registered a service named almost identically to the standard time service, but redirecting execution to a custom script. Review the logging data to determine which native command-line tool was used to perform this action. What utility was invoked?
sc
sc
( DeviceProcessEvents | where ProcessCommandLine has_any ("sc.exe","sc ","reg.exe","reg ","New-Service","InstallUtil.exe","installutil","schtasks","nssm","powershell") // match common service-creation patterns and a service name that includes "time"/"w32time"/"windows time" | where ProcessCommandLine matches regex @"(?i).*(((\bsc(\.exe)?\b).*\bcreate\b)|((\breg(\.exe)?\b).*\badd\b)|(\bNew-Service\b)|(\bInstallUtil\b)|(\bschtasks\b.*\bcreate\b)).*(time|w32time|windows\s*time).*" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessId, InitiatingProcessId ) | union ( DeviceRegistryEvents | where RegistryKey contains "SYSTEM\\CurrentControlSet\\Services" // registry key name contains "time" (covers similarly-named crafted service keys) | where tolower(RegistryKey) contains "time" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessId ) | order by TimeGenerated desc | limit 50
5
On a Windows host, someone appears to have run a built-in network shell utility to list saved wireless network profiles and their passwords in clear text. Review the process creation logs to discover the exact command that was executed.
netsh wlan show profile * key=clear
netsh wlan show profile * key=clear
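// netsh wlan profile/key dump (Windows): `netsh wlan show profile <name|*> key=clear` prints saved Wi-Fi
// passphrases. Process rows from DeviceProcessEvents and DeviceEvents are unioned and de-duplicated per
// process. Changes from the original: `has` is case-insensitive, so NETSH/Netsh variants are no longer
// missed (has_cs was used); the unused `keywords` list and the redundant Matched column are gone; and
// the per-process arg_max groups on DeviceId too, because PIDs are only unique within one device.
let lookback_start = ago(30d);
let netsh_wlan_re = @"(?i)\bnetsh(\.exe)?\b.*\bwlan\b|\bwlan\b.*\bshow\b.*\bprofile|key=clear";
let proc_rows = DeviceProcessEvents
    | where TimeGenerated >= lookback_start
    | where FileName has "netsh" or ProcessCommandLine has_any ("netsh", "wlan", "key=clear", "show profile")
    | where FileName has "netsh" or ProcessCommandLine matches regex netsh_wlan_re
    | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCommandLine,
              FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessId, ReportId, TenantId;
let dev_rows = DeviceEvents
    | where TimeGenerated >= lookback_start
    | where ProcessCommandLine has_any ("netsh", "wlan", "key=clear", "show profile")
    | where ProcessCommandLine matches regex netsh_wlan_re
    | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCommandLine,
              FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessId, ReportId, TenantId, ActionType;
union proc_rows, dev_rows
// only the forms that enumerate profiles or disclose keys
| where ProcessCommandLine has "key=clear"
    or ProcessCommandLine has "show profile"
    or ProcessCommandLine has "wlan show"
| extend Trigger = case(ProcessCommandLine has "key=clear", "key=clear",
                        ProcessCommandLine has "show profile", "show profile",
                        ProcessCommandLine has "wlan", "wlan",
                        ProcessCommandLine has "netsh", "netsh",
                        "other")
// one row per process
| summarize arg_max(ProcessCreationTime, *) by DeviceId, ProcessId
| project ProcessCreationTime, TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, FileName, FolderPath,
          ProcessCommandLine, Trigger, ReportId, TenantId
| order by ProcessCreationTime desc
| take 100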
6
On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command?
powershell.exe
powershell.exe
union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) has_any ("powershell","pwsh") // Match common encoded-argument forms and a sufficiently long Base64-like token to reduce false positives | where ProcessCommandLine matches regex @"(?i)(?:-enc(?:odedcommand)?|-e)\s+([A-Za-z0-9+/=]{40,})" | extend EncodedPayload = extract(@"(?i)(?:-enc(?:odedcommand)?|-e)\s+([A-Za-z0-9+/=]{40,})", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, EncodedPayload | summarize Count = count(), SampleCommands = make_list(ProcessCommandLine, 5), EncodedSamples = make_list(EncodedPayload, 5), Devices = make_list(DeviceName, 5) by InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName | order by Count desc
7
A Windows host executed an ICMP-based network reconnaissance using a looping instruction in cmd.exe. Identify the exact command line that was used to perform the ping sweep.
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
union DeviceProcessEvents, DeviceEvents | where FileName =~ "cmd.exe" or ProcessCommandLine has "cmd.exe" | where ProcessCommandLine has "ping" | where ( tolower(ProcessCommandLine) contains "for" or ProcessCommandLine contains "%i" or ProcessCommandLine contains "%%i" or tolower(ProcessCommandLine) contains " do " ) // get the most recent record for each distinct command line | summarize arg_max(TimeGenerated, *) by ProcessCommandLine | project TimeGenerated, DeviceName, ProcessId, InitiatingProcessId, InitiatingProcessFileName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine | sort by TimeGenerated desc
8
Using Windows process event logs, investigate PowerShell activity around lsass.exe memory capture. What was the name of the script file invoked to perform the dump?
Out-Minidump.ps1
Out-Minidump.ps1
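// PowerShell-driven LSASS memory capture (Windows). Both tables are scanned for a PowerShell command
// line carrying a dump indicator; script/EXE/DLL/.dmp names are extracted from it.
// Indicators are matched as substrings via one regex because `has` is term-based and would not find
// "dump" inside Out-Minidump.ps1 or MiniDumpWriteDump (the original relied on has_cs "dump" and also
// declared an `indicators` list it never used). Extraction happens once, after the union.
let lookback_start = startofday(ago(7d));
let ps_re = @"(?i)\b(powershell|pwsh)(\.exe)?\b";
let dump_re = @"(?i)(lsass|procdump|minidump|\.dmp\b|comsvcs\.dll|rundll32|\bdump\b)";
let script_re = @"(?i)([\w\-\.]+\.ps1)";
let exe_re = @"(?i)([\w\-\.]+\.(?:exe|dll|ps1))";
let dmp_re = @"(?i)([\w\-\.]+\.dmp)";
let proc = DeviceProcessEvents
    | where TimeGenerated between (lookback_start .. now())
    | where isnotempty(ProcessCommandLine)
    | where ProcessCommandLine matches regex ps_re and ProcessCommandLine matches regex dump_re
    | project Time = TimeGenerated, Device = DeviceName, PID = ProcessId, User = AccountName, Cmd = ProcessCommandLine;
let dev = DeviceEvents
    | where TimeGenerated between (lookback_start .. now())
    | where isnotempty(InitiatingProcessCommandLine)
    | where ActionType has_any ("ProcessCreated", "Create", "Process")
    | where InitiatingProcessCommandLine matches regex ps_re and InitiatingProcessCommandLine matches regex dump_re
    | project Time = TimeGenerated, Device = DeviceName, PID = InitiatingProcessId,
              User = InitiatingProcessAccountName, Cmd = InitiatingProcessCommandLine;
union proc, dev
| extend ScriptName = extract(script_re, 1, Cmd),
         EXEInvoked = extract(exe_re, 1, Cmd),
         DmpFile = extract(dmp_re, 1, Cmd)
| extend PotentialIndicator = trim('"', coalesce(ScriptName, EXEInvoked, DmpFile, ""))
| summarize FirstSeen = min(Time), LastSeen = max(Time), Count = count(),
            SampleCmd = take_any(Cmd), SamplePotentialIndicator = take_any(PotentialIndicator)
    by Device, User, PID, ScriptName, EXEInvoked, DmpFile
| top 100 by LastSeen desc
| project Device, User, PID, ScriptName, EXEInvoked, DmpFile, SamplePotentialIndicator, FirstSeen, LastSeen, Count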
9
Review Linux process execution records for any commands that list TCP metric cache entries and filter out loopback interfaces. Which utility was used?
ip
ip
let keywords = dynamic(["ss","netstat","ip route","ip -s","ip -s -s","ip neigh","ip route show cache","route -n","tc","tc -s"]); let proc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId = DeviceId, ProcessCommandLine, FileName = FileName, ProcessId, AccountName, AccountDomain = AccountDomain; let dev = DeviceEvents | where isnotempty(InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId = DeviceId, ProcessCommandLine = InitiatingProcessCommandLine, FileName = iff(isnotempty(FileName), FileName, InitiatingProcessFileName), ProcessId = InitiatingProcessId, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain; proc | union dev | extend cmdLower = tolower(tostring(ProcessCommandLine)) // match utilities or mentions of metrics/cache/tcp | where cmdLower has_any (keywords) or cmdLower contains "metric" or cmdLower contains "cache" or cmdLower contains "tcp" or cmdLower contains "tcpmss" or cmdLower contains "mss" or cmdLower matches regex @"route.*cache" // exclude loopback interfaces and localhost addresses | where not(cmdLower contains "127.0.0.1" or cmdLower contains "::1" or cmdLower matches regex @"\b(lo|loopback)\b") // extract likely utility name | extend Utility = extract(@"(?i)\b(ss|netstat|ip|route|tc)\b", 1, cmdLower) | summarize Count = count(), SampleCommands = make_set(ProcessCommandLine, 10), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Utility, DeviceName, DeviceId | where isnotempty(Utility) | order by Count desc, LastSeen desc | project Utility, DeviceName, DeviceId, Count, FirstSeen, LastSeen, SampleCommands
10
In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections.
Get-NetTCPConnection
Get-NetTCPConnection
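// PowerShell network-connection enumeration (Windows). Rows from both tables where PowerShell is the
// process or its parent and a command line names a Get-Net*TCP/UDP* cmdlet or netstat.
// The cmdlet name is extracted with one regex instead of a hand-written case() per cmdlet (which
// listed Get-NetUDPEndpoint twice and reported anything else as "other"); bag_pack replaces the
// deprecated pack().
let lookback_start = startofday(ago(7d));
let net_cmdlet_re = @"(?i)\b(Get-Net(?:TCP|UDP)\w*|netstat)\b";
union isfuzzy=true DeviceEvents, DeviceProcessEvents
| where TimeGenerated between (lookback_start .. now())
| extend AllCmd = strcat(ProcessCommandLine, " ", InitiatingProcessCommandLine)
// PowerShell as the process image, the parent image, or named on either command line
| where FileName has_any ("powershell", "pwsh")
    or InitiatingProcessFileName has_any ("powershell", "pwsh")
    or AllCmd has_any ("powershell", "pwsh")
| where AllCmd matches regex net_cmdlet_re
// prefer the cmdlet in the created process's own command line; fall back to the parent's
| extend Cmdlet = coalesce(extract(net_cmdlet_re, 1, ProcessCommandLine),
                           extract(net_cmdlet_re, 1, InitiatingProcessCommandLine))
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessId, Cmdlet, ReportId, TenantId
| summarize Count = count(),
            Samples = make_list(bag_pack("TimeGenerated", TimeGenerated,
                                         "DeviceName", DeviceName,
                                         "ProcessId", ProcessId,
                                         "ProcessCommandLine", ProcessCommandLine,
                                         "InitiatingProcessId", InitiatingProcessId,
                                         "InitiatingProcessCommandLine", InitiatingProcessCommandLine), 5)
    by Cmdlet
| order by Count desc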
11
Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration?
rclone.exe
rclone.exe
let ftp_ports = dynamic([21, 990, 2121, 8021]); // Candidate PowerShell process creations invoking FTP-related commands DeviceProcessEvents | where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe' | where ProcessCommandLine has_any ('ftp','WebClient','FtpWebRequest','-Uri','-OutFile','Invoke-WebRequest','Start-BitsTransfer') | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | join kind=leftouter ( // Network events from same process or initiated by same process DeviceNetworkEvents | where RemotePort in (21, 990, 2121, 8021) or RemoteUrl has 'ftp' or RemoteUrl has 'ftps' | project NetworkTime=TimeGenerated, DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl ) on DeviceName | where isnotempty(ProcessId) and (ProcessId == InitiatingProcessId or InitiatingProcessFileName has 'powershell' or InitiatingProcessCommandLine has 'ftp') | summarize NetworkEvents = make_set(pack('NetworkTime',NetworkTime,'RemoteIP',RemoteIP,'RemotePort',RemotePort,'RemoteUrl',RemoteUrl), 50), min(TimeGenerated), max(TimeGenerated) by DeviceName, ProcessId, FileName, ProcessCommandLine | extend StartTime = todatetime(min_TimeGenerated), EndTime = todatetime(max_TimeGenerated) | project StartTime, EndTime, DeviceName, ExfiltratingExecutable = FileName, ProcessId, ProcessCommandLine, NetworkEvents | order by StartTime desc | take 50
12
Identify the PowerShell cmdlet used on Windows to format and display the raw volume bytes after an attacker read the boot sector via a DOS device path.
Format-Hex
N/A
13
On a Linux system, review process creation logs to spot any dd commands reading from /proc/*/mem. What was the name of the file where the dumped memory was written?
T1003.007.bin
/tmp/T1003.007.bin
// Find dd processes reading from /proc/*/mem and determine output file let ddProcs = union ( DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has "dd" and ProcessCommandLine has "/proc/" and ProcessCommandLine has "mem" | extend Time = coalesce(ProcessCreationTime, TimeGenerated) | project Time, DeviceName, DeviceId, ProcessId, ProcessCommandLine, ProcessFileName = FileName ), ( DeviceEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has "dd" and ProcessCommandLine has "/proc/" and ProcessCommandLine has "mem" | extend Time = coalesce(ProcessCreationTime, TimeGenerated) | project Time, DeviceName, DeviceId, ProcessId, ProcessCommandLine, ProcessFileName = FileName ); let files = DeviceFileEvents | where isnotempty(FileName) | project FileTime = TimeGenerated, DeviceName, DeviceId, InitiatingProcessId, FileName, FolderPath, ActionType; ddProcs | extend of_param = extract(@"\bof=([^\s]+)", 1, ProcessCommandLine) | extend redirect_param = extract(@">\s*([^\s]+)", 1, ProcessCommandLine) | extend OutFile = coalesce(of_param, redirect_param) | join kind=leftouter ( files ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId | extend FileMatchedTimeWindow = iff(FileTime >= Time - 1m and FileTime <= Time + 5m, true, false) | where isnotempty(OutFile) or FileMatchedTimeWindow == true | project Time, DeviceName, ProcessId, ProcessFileName, ProcessCommandLine, OutFile, MatchedFile = FileName, FolderPath, FileTime, ActionType | order by Time desc
14
In a Linux environment, you observe a process labeled like the cron daemon but running from an unexpected path. Investigate creation events to uncover the actual filename used by this fake cron process.
crond
N/A
15
You suspect malicious persistence via scheduled tasks on a Windows endpoint. Review the process execution logs to identify the built-in utility used to register tasks at logon or startup. What is the name of this utility?
schtasks
schtasks.exe
DeviceProcessEvents | where FileName has_cs "schtasks" or ProcessCommandLine has_cs "schtasks" or FileName has_cs "at.exe" or ProcessCommandLine has_cs "at.exe" | where ProcessCommandLine has_cs "/create" or ProcessCommandLine has_cs "ONLOGON" or ProcessCommandLine has_cs "ONSTART" or ProcessCommandLine has_cs "\bat \b" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId | extend Utility = case( FileName has_cs "schtasks" or ProcessCommandLine has_cs "schtasks","schtasks.exe", FileName has_cs "at.exe" or ProcessCommandLine has_cs "at.exe","at.exe", "unknown") | where Utility != "unknown" | order by Timestamp desc | take 100
16
A reconnaissance tool was executed on a Windows system. Identify the specific function of the tool that was executed. The function has a name from something you can eat
fruit
nut
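// Food-named tool function (Windows). Scans command lines, file names and AdditionalFields across four
// tables for a food word and reports which one matched. Differences from the original:
//   - one regex with word boundaries instead of mv-expand x 33 substring checks on every row, so "ham"
//     no longer matches hamburger/shame, "nut" no longer matches minute, "pear" no longer matches appear;
//   - the duplicate "cookie" entry is gone.
// Longer alternatives that share a prefix (pepperoni/pepper, peanut/nut) still resolve correctly because
// the trailing \b rejects the shorter match and the engine then tries the longer alternative.
let foodWordsRegex = @"(?i)\b(cheese|cookie|biscuit|pepper|banana|orange|tomato|lettuce|pickle|donut|bagel|salami|cracker|jalapeno|apple|pear|grape|mango|melon|ham|bacon|sausage|olive|pepperoni|cinnamon|sugar|honey|nut|almond|peanut|walnut|chocolate)\b";
union isfuzzy=true
    (DeviceProcessEvents
     | project TimeGenerated, DeviceName, SourceTable = "DeviceProcessEvents", FileName, ProcessCommandLine,
               InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)),
    (DeviceEvents
     | project TimeGenerated, DeviceName, SourceTable = "DeviceEvents", FileName, ProcessCommandLine,
               InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)),
    (DeviceFileEvents
     | project TimeGenerated, DeviceName, SourceTable = "DeviceFileEvents", FileName, ProcessCommandLine = InitiatingProcessCommandLine,
               InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)),
    (DeviceImageLoadEvents
     | project TimeGenerated, DeviceName, SourceTable = "DeviceImageLoadEvents", FileName, ProcessCommandLine = InitiatingProcessCommandLine,
               InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields))
| extend combined = strcat(ProcessCommandLine, " ", InitiatingProcessCommandLine, " ", FileName, " ", AdditionalFields)
| where combined matches regex foodWordsRegex
// one output row per distinct food word found in the row
| mv-expand matchedFunction = extract_all(foodWordsRegex, combined) to typeof(string)
| extend matchedFunction = tolower(matchedFunction)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by DeviceName, matchedFunction, SourceTable, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Count desc, FirstSeen asc
| project DeviceName, matchedFunction, Count, FirstSeen, LastSeen, SourceTable, FileName, ProcessCommandLine,
          InitiatingProcessCommandLine, InitiatingProcessAccountName
| take 100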
17
A Windows host shows a process launch with an extremely obfuscated command line that dynamically builds and invokes code at runtime. Which process name was used to execute this payload?
powershell
powershell.exe
union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(CmdLine) // indicators of runtime code construction/obfuscation or dynamic invocation | where CmdLine matches regex @"(?i)(\b(iex|invoke-expression|invokeexpression)\b|frombase64string|frombase64|\[char\]|-join\b|new-object\s+net\.webclient|downloadstring|invoke-webrequest|system\.reflection\.assembly::load|powershell\s+(-encodedcommand|\-e\b|/e\b)|certutil\s+-decode|mshta\b|cmd\.exe\s+/c|add-type|assembly\.load|reflection\.emit|dynamicmethod|createdelegate|ilgenerator|encodedcommand)" | extend ExecutingProcess = coalesce(FileName, InitiatingProcessFileName, tostring(split(trim('"', CmdLine), ' ')[0])) | summarize Occurrences = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ExecutingProcess | where isnotempty(ExecutingProcess) | order by Occurrences desc | top 20 by Occurrences // Also show recent raw samples for triage | union ( union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(CmdLine) | where CmdLine matches regex @"(?i)(\b(iex|invoke-expression|invokeexpression)\b|frombase64string|frombase64|\[char\]|-join\b|new-object\s+net\.webclient|downloadstring|invoke-webrequest|system\.reflection\.assembly::load|powershell\s+(-encodedcommand|\-e\b|/e\b)|certutil\s+-decode|mshta\b|cmd\.exe\s+/c|add-type|assembly\.load|reflection\.emit|dynamicmethod|createdelegate|ilgenerator|encodedcommand)" | extend ExecutingProcess = coalesce(FileName, InitiatingProcessFileName, tostring(split(trim('"', CmdLine), ' ')[0])) | project TimeGenerated, DeviceName, DeviceId, ProcessId, ExecutingProcess, CmdLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId, _ResourceId | order by TimeGenerated desc | take 200 )
18
A user launched a Windows command prompt and executed a built-in utility to enumerate all active network connections. Using process creation logs, identify the exact tool that produced the list of current connections.
netstat
N/A
19
On a Linux system, spotting a file‐size change by exactly one byte can indicate hash tampering via padding. Review process execution logs for invocations that increased a file’s size by one byte. Which utility was invoked to perform this padding?
truncate
dd
// Goal: surface process invocations that grew a file by exactly one byte
// (a padding write that alters a file's hash without visibly changing its content).
//
// 1) base set of file events: keep only rows that carry both a file name and a size
let fileEvents = DeviceFileEvents
| where isnotempty(FileName) and isnotempty(FileSize)
| project TimeGenerated, DeviceName, FolderPath, FileName, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields;
// 2) Method A: parse AdditionalFields for explicit previous-size fields
// NOTE(review): the key names below are guesses (none is established by this page); when the
// schema carries no previous-size key, prevSize is null and this branch yields no rows.
let fromAdditional = fileEvents
| extend af = todynamic(AdditionalFields)
| extend prevSize = tolong(coalesce(af.PreviousFileSize, af.PreviousSize, af.OldFileSize, af.OriginalFileSize, af.OldSize, af.PreviousFileSizeInBytes))
| where isnotempty(prevSize) and FileSize - prevSize == 1
| extend Source = "additional_field";
// 3) Method B: compare against the immediately preceding observed event for the same file.
// prev() walks the sorted, serialized row order; the device/folder/file equality test stops the
// first row of one file from being compared with the last row of the previous file.
// Only consecutive *logged* events are compared, so a one-byte growth that spans unlogged
// intermediate writes is not detected.
let fromOrdering = fileEvents
| sort by DeviceName asc, FolderPath asc, FileName asc, TimeGenerated asc
| serialize
| extend prevDevice = prev(DeviceName), prevFolder = prev(FolderPath), prevFile = prev(FileName), prevSize = prev(FileSize), prevTime = prev(TimeGenerated)
| where DeviceName == prevDevice and FolderPath == prevFolder and FileName == prevFile and isnotempty(prevSize) and FileSize - prevSize == 1
| extend Source = "ordering_prev";
// 4) Combine both methods and group by the initiating utility / command line.
// any() is the legacy alias of take_any(): ExampleEvent is one arbitrary matching row per group.
union fromAdditional, fromOrdering
| project Source, TimeGenerated, DeviceName, FolderPath, FileName, prevSize, FileSize, SizeDelta = FileSize - prevSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| summarize Hits = count(), ExampleEvent = any(pack_all()) by InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Hits desc
| take 50
// Optional: to inspect raw matching events instead of the summary, remove the summarize and project the detailed rows above.
20
On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting?
Enable-PSRemoting -Force
N/A
21
A Windows host shows a core command-line utility being duplicated from its System32 location to a user-profile folder and subsequently run. Identify the name of the executable that was copied.
cmd.exe
N/A
22
On a Windows system, someone ran PowerShell to copy a file from a remote machine’s C$ share to the local TEMP folder. Using process event logs, what full PowerShell command was executed to perform this action?
copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"
N/A
23
A process is running under a familiar Windows process name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device.
taskhostw.exe
calc.exe
// Masquerade hunt: PowerShell indicators attached to a binary that lives under AppData.
// isfuzzy=true lets the union run even when one of the four tables is absent from the workspace.
union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents
// Normalise folder, file name, version-info original name and command line across the
// per-table column variants (process-level columns first, InitiatingProcess* as fallback).
| extend Folder = tolower(coalesce(FolderPath, InitiatingProcessFolderPath, ""))
| extend ProcFile = tolower(coalesce(FileName, InitiatingProcessFileName, FileName, ""))
| extend OrigName = tolower(coalesce(ProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoInternalFileName, ""))
| extend Cmd = tolower(tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")))
// only consider binaries coming from an AppData folder (exclude System32)
| where Folder contains "\\appdata\\" and Folder !contains "\\windows\\system32\\"
// look for PowerShell indicators in version-info or command line (including encoded/IE/Invoke-Expression)
// NOTE(review): `contains` is a substring test, so "iex" and "-enc" also match unrelated tokens
// (any path or argument containing those letters); expect false positives from this clause.
// NOTE(review): for DeviceFileEvents / DeviceImageLoadEvents rows, FileName is the file written
// or image loaded while Cmd falls back to the *initiating* process's command line, so a file
// merely written or loaded by PowerShell satisfies this filter and is reported under ProcFile
// as if it were the masquerading binary — confirm against the grouped results.
| where OrigName contains "powershell" or Cmd contains "powershell" or Cmd contains "-enc" or Cmd contains "encodedcommand" or Cmd contains "invoke-expression" or Cmd contains "iex"
// exclude legitimate powershell.exe by filename
| where ProcFile !contains "powershell"
// reduce noisy results: focus on filenames seen on limited number of devices (likely masquerades)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count(), Devices = dcount(DeviceName), UniqueProcIds = dcount(coalesce(ProcessId, InitiatingProcessId)) by ProcFile, OrigName, Folder, Sha256 = coalesce(SHA256, InitiatingProcessSHA256), MD5 = coalesce(MD5, InitiatingProcessMD5)
| where Devices <= 10
| order by FirstSeen desc
| take 50
24
On a Windows device, PowerShell was used to collect a snapshot of running processes. Identify the exact cmdlet that was executed.
Get-Process
Get-Process
// PowerShell process-snapshot hunt: rows from DeviceEvents and DeviceProcessEvents where a
// PowerShell host ran a process-listing command, grouped by the full command line.
// NOTE(review): has_cs is case-sensitive, so a FileName cased "PowerShell.exe" would not match,
// while the has_any list is case-insensitive (and lists "Get-Process" three ways).
// "ps " and "tasklist" are not cmdlets, so the grouped Cmdlet value is the whole command line,
// not necessarily a single cmdlet name.
(
DeviceEvents
| where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" or FileName has_cs "pwsh" or InitiatingProcessFileName has_cs "pwsh"
| where ProcessCommandLine has_any ("Get-Process","Get-CimInstance","Get-WmiObject","gwmi","Get-Process","get-process","Get-Process |","ps ","tasklist")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
)
| union (
DeviceProcessEvents
| where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" or FileName has_cs "pwsh" or InitiatingProcessFileName has_cs "pwsh"
| where ProcessCommandLine has_any ("Get-Process","Get-CimInstance","Get-WmiObject","gwmi","Get-Process","get-process","Get-Process |","ps ","tasklist")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine, ActionType
)
| sort by TimeGenerated desc
// Cmdlet is the row's own command line, falling back to the parent's when the row has none.
| extend Cmdlet = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
// Examples is collected per Cmdlet group, so it always holds that single value.
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = make_set(DeviceName, 10), Accounts = make_set(AccountName, 10), Examples = make_set(Cmdlet, 5) by Cmdlet
| project Cmdlet, Count, FirstSeen, LastSeen, Devices, Accounts, Examples
| top 50 by LastSeen desc
25
An analyst suspects a user or script ran a service enumeration command on a Linux system. Review process events to find the service-listing invocation and specify the full command that was executed.
systemctl --type=service
N/A
26
On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated.
svchost-exe.dmp
svchost-exe.dmp
// Locate dump file created by rundll32.exe leveraging COMSVCS.DLL against svchost
let initiators = dynamic(["rundll32","rundll32.exe"]);
union DeviceFileEvents, DeviceEvents
// rundll32 must appear as the initiating process, in the row's command line, or as the file name
| where (tostring(InitiatingProcessFileName) has_any (initiators) or (isnotempty(ProcessCommandLine) and ProcessCommandLine contains "rundll32") or tostring(FileName) has_any (initiators))
// Ensure the command line / additional fields reference comsvcs.dll
// (`contains` is already case-insensitive; the tolower() calls are harmless but redundant)
| where (tolower(tostring(InitiatingProcessCommandLine)) contains "comsvcs.dll" or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) contains "comsvcs.dll") or tostring(AdditionalFields) contains "comsvcs.dll")
// Ensure the command line / additional fields reference svchost
| where (tolower(tostring(InitiatingProcessCommandLine)) contains "svchost" or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) contains "svchost") or tostring(AdditionalFields) contains "svchost")
// Normalize file/folder fields: DumpFile prefers the current name, then the pre-rename name
| extend DumpFile = tostring(coalesce(FileName, PreviousFileName, "")), FolderPath = tostring(coalesce(FolderPath, ""))
| where isnotempty(DumpFile) or tolower(FolderPath) contains "temp"
// Look for Temp-like locations or common dump extensions
// NOTE(review): "temp" is a substring test and .tmp/.bin admit many non-dump files; the
// rundll32 + comsvcs.dll + svchost filters above carry the actual signal.
| where tolower(FolderPath) contains "temp" or tolower(DumpFile) endswith ".dmp" or tolower(DumpFile) endswith ".mdmp" or tolower(DumpFile) endswith ".dump" or tolower(DumpFile) endswith ".tmp" or tolower(DumpFile) endswith ".bin"
// Keep most recent per device+file and show relevant context
| summarize arg_max(TimeGenerated, *) by DeviceId, DumpFile
| where isnotempty(DumpFile)
| project TimeGenerated, DeviceName, DeviceId, DumpFile, FolderPath, FileSize, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields
| order by TimeGenerated desc
27
On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script?
art.sh
N/A
28
Linux hosts may log events when new files are added to /var/spool/cron/crontabs. Query those logs for a creation or write action in that directory and determine the file name that was added.
persistevil
N/A
29
On a Windows host, investigate process events to find when Task Manager was launched via cmd with an unusual flag. What was the full command executed?
taskmgr.exe /7
"cmd.exe" /c taskmgr.exe /7
// Find Task Manager (taskmgr.exe) launched where initiating process is cmd.exe (or contains cmd)
// Use DeviceProcessEvents primarily, fall back to DeviceEvents
let process_table = DeviceProcessEvents;
let event_table = DeviceEvents;
process_table
// no-op predicate; kept as written
| where true
// Filter to Task Manager processes by filename or commandline (`has` is case-insensitive, tolower is redundant)
| where (tolower(FileName) has "taskmgr" ) or (tolower(ProcessCommandLine) has "taskmgr")
// Ensure initiating process exists and is cmd
// NOTE(review): `has` matches whole terms; elsewhere on this page InitiatingProcessFileName holds a
// bare file name, so the full-path clause is unlikely to match anything the `has "cmd"` clause does not.
| where (tolower(InitiatingProcessFileName) has "cmd") or (tolower(InitiatingProcessCommandLine) has "cmd") or (tolower(InitiatingProcessFileName) has "c:\\windows\\system32\\cmd.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId
| sort by TimeGenerated desc
| take 100
// Also check DeviceEvents for similar entries; the column aliases keep both branches on one schema
| union (
event_table
| where true
| where (tolower(FileName) has "taskmgr") or (tolower(ProcessCommandLine) has "taskmgr") or (tolower(ProcessCommandLine) has "taskmgr.exe")
| where (tolower(InitiatingProcessFileName) has "cmd") or (tolower(InitiatingProcessCommandLine) has "cmd")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId=InitiatingProcessId, InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId=ProcessId
| sort by TimeGenerated desc
| take 100
)
// newest 50 across both branches (top defaults to descending order)
| sort by TimeGenerated desc
| top 50 by TimeGenerated
30
On a Windows endpoint, review process creation logs to uncover when a built-in utility was used to reveal ARP entries. What exact command was used to list the ARP cache?
arp -a
N/A
31
On a Windows endpoint you observe a PowerShell process that fetches a script from the internet and immediately executes an RPC service scan against the spooler. Which function name was invoked to perform that scan?
spoolvulnscan
N/A
32
Examine the logs from the Linux system for events related to the systemd timer activation. Identify any records indicating that a new timer unit was started and enabled, and determine which timer name was used.
art-timer.timer
N/A
33
A Windows endpoint recorded command-line activity through cmd.exe that lists all running processes. Determine which built-in tool was executed to perform this action.
tasklist
PowerShell
// Find cmd.exe events that executed commands to list processes and identify which built-in tool was used
// NOTE(review): only DeviceEvents is read here, whereas the other process-creation hunts on this page
// read DeviceProcessEvents; a tasklist launch recorded only in that table is not seen — confirm coverage.
DeviceEvents
| where FileName =~ "cmd.exe" or InitiatingProcessFileName =~ "cmd.exe"
// Time range will be applied externally by the query runtime
// (`contains` is case-insensitive, so the tolower() wrappers are redundant)
| where tolower(tostring(ProcessCommandLine)) contains "tasklist"
    or tolower(tostring(ProcessCommandLine)) contains "wmic"
    or tolower(tostring(ProcessCommandLine)) contains "tlist"
    or tolower(tostring(ProcessCommandLine)) contains "get-process"
    or tolower(tostring(ProcessCommandLine)) contains "/c tasklist"
    or tolower(tostring(ProcessCommandLine)) contains "/c wmic"
    or tolower(tostring(ProcessCommandLine)) contains "/c tlist"
    or tolower(tostring(ProcessCommandLine)) contains "/c powershell"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tasklist"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "/c wmic"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tlist"
    or tolower(tostring(InitiatingProcessCommandLine)) contains "/c powershell"
// Classification is first-match: tasklist beats wmic beats tlist. The last branch labels any
// command line that merely mentions "powershell" as "powershell Get-Process", even when no
// Get-Process token is present, so that label is a weak signal.
| extend DetectedTool = case(
    tolower(tostring(ProcessCommandLine)) contains "tasklist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist", "tasklist",
    tolower(tostring(ProcessCommandLine)) contains "wmic" or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic", "wmic",
    tolower(tostring(ProcessCommandLine)) contains "tlist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist", "tlist",
    tolower(tostring(ProcessCommandLine)) contains "get-process" or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process" or tolower(tostring(ProcessCommandLine)) contains "powershell" or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell", "powershell Get-Process",
    "unknown")
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, AccountName, ActionType, DetectedTool
| order by TimeGenerated desc
// Also include a summarized view (same filter and classification, counted per tool and device)
| union (
    // summary
    DeviceEvents
    | where FileName =~ "cmd.exe" or InitiatingProcessFileName =~ "cmd.exe"
    | where tolower(tostring(ProcessCommandLine)) contains "tasklist"
        or tolower(tostring(ProcessCommandLine)) contains "wmic"
        or tolower(tostring(ProcessCommandLine)) contains "tlist"
        or tolower(tostring(ProcessCommandLine)) contains "get-process"
        or tolower(tostring(ProcessCommandLine)) contains "/c tasklist"
        or tolower(tostring(ProcessCommandLine)) contains "/c wmic"
        or tolower(tostring(ProcessCommandLine)) contains "/c tlist"
        or tolower(tostring(ProcessCommandLine)) contains "/c powershell"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tasklist"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "/c wmic"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tlist"
        or tolower(tostring(InitiatingProcessCommandLine)) contains "/c powershell"
    | extend DetectedTool = case(
        tolower(tostring(ProcessCommandLine)) contains "tasklist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist", "tasklist",
        tolower(tostring(ProcessCommandLine)) contains "wmic" or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic", "wmic",
        tolower(tostring(ProcessCommandLine)) contains "tlist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist", "tlist",
        tolower(tostring(ProcessCommandLine)) contains "get-process" or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process" or tolower(tostring(ProcessCommandLine)) contains "powershell" or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell", "powershell Get-Process",
        "unknown")
    | summarize Count = count() by DetectedTool, DeviceName
)
| limit 500
34
A malicious actor may attempt to list running processes on a Windows machine using a WMI-based command. Review the process creation events to find out which utility was invoked to perform this enumeration.
wmic.exe
wmic.exe
// WMI-based process enumeration: flag wmic.exe and the PowerShell WMI/CIM cmdlets.
// `has` and `has_any` are case-insensitive term matches, so no lower-casing is needed.
let wmiIndicators = dynamic(["wmic", "get-wmiobject", "gwmi", "get-ciminstance", "invoke-wmimethod", "win32_process"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (wmiIndicators) or FileName has "wmic"
// First matching branch wins: a command line naming both wmic and a cmdlet is labelled wmic.exe.
| extend DetectedUtility = case(
    FileName has "wmic" or ProcessCommandLine has "wmic", "wmic.exe",
    ProcessCommandLine has_any ("get-wmiobject", "gwmi", "invoke-wmimethod", "win32_process"), "powershell (Get-WmiObject/gwmi)",
    ProcessCommandLine has_any ("get-ciminstance", "ciminstance"), "powershell (Get-CimInstance)",
    "unknown")
// Timestamp is projected here while other queries on this page use TimeGenerated.
| project Timestamp, DeviceName, AccountName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, DetectedUtility, ReportId
| order by ProcessCreationTime desc
| take 100
35
A Linux host’s Syslog shows a shell-based network discovery script ran multiple commands. One of them listed current TCP connections. Which utility was invoked?
netstat
netstat
// Detect likely Linux invocations of utilities that list TCP connections (ss, netstat, lsof, cat /proc/net/tcp, awk/grep patterns)
// Look-back window shared by both branches.
let window = 30d;
// Process-based evidence (command lines and file names)
// NOTE(review): has_any ("cat", ...) and fname == "cat" admit every cat invocation; the case()
// below labels such rows with the bare file name ('cat') when no /proc/net/tcp pattern matches.
// Kusto single-quoted strings are not verbatim, so '\\s' reaches the regex engine as \s.
let proc = DeviceProcessEvents
| where TimeGenerated >= ago(window)
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| extend cmd = tostring(ProcessCommandLine), fname = tostring(FileName)
| where cmd has_any ("ss","netstat","lsof","/proc/net/tcp","/proc/net/tcp6","cat") or fname in ("ss","netstat","lsof","cat")
| extend utility = case(
    cmd matches regex '(^|\\s)ss(\\s|$)|(^|\\s)ss\\s+-', 'ss',
    cmd matches regex '(^|\\s)netstat(\\s|$)|(^|\\s)netstat\\s+-', 'netstat',
    cmd matches regex '(^|\\s)lsof(\\s|$)|(^|\\s)lsof\\s+-', 'lsof',
    (cmd matches regex 'cat\\s+/proc/net/tcp|cat\\s+/proc/net/tcp6|grep\\s+"\\^tcp"\\s+/proc/net/tcp') or (cmd has "awk" and cmd has "/proc/net/tcp"), 'cat/proc',
    fname in ("ss","netstat","lsof","cat"), fname,
    'other')
| project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine, utility;
// Syslog-style messages and other DeviceEvents that may contain command strings
// NOTE(review): the trailing '|awk' alternative labels any message containing "awk" as 'cat/proc',
// unlike the process branch, which additionally requires /proc/net/tcp.
let evt = DeviceEvents
| where TimeGenerated >= ago(window)
| extend msg = coalesce(tostring(ProcessCommandLine), tostring(AdditionalFields))
| where isnotempty(msg)
| where msg has_any ("ss","netstat","lsof","/proc/net/tcp","cat /proc")
| extend utility = case(
    msg matches regex '(^|\\s)ss(\\s|$)|(^|\\s)ss\\s+-', 'ss',
    msg matches regex '(^|\\s)netstat(\\s|$)|(^|\\s)netstat\\s+-', 'netstat',
    msg matches regex '(^|\\s)lsof(\\s|$)|(^|\\s)lsof\\s+-', 'lsof',
    msg matches regex 'cat\\s+/proc/net/tcp|cat\\s+/proc/net/tcp6|grep\\s+"\\^tcp"\\s+/proc/net/tcp|awk', 'cat/proc',
    'other')
| project TimeGenerated, DeviceName, AccountName, msg, utility;
// Combine and summarize
// proc rows carry ProcessCommandLine and evt rows carry msg, so coalesce picks whichever is present.
union proc, evt
| summarize Count = count(), Examples = make_set(coalesce(ProcessCommandLine, msg), 5), Devices = make_set(DeviceName, 5), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by utility
| order by Count desc
36
Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed?
Get-WMIObject Win32_Group
Get-WMIObject Win32_Group
// Local-group enumeration from PowerShell via WMI.
// wmiKeywords mixes WMI/CIM class names with net/Get-Local* cmdlets, so non-WMI enumeration also matches.
let wmiKeywords = dynamic(["Get-WmiObject","Get-CimInstance","Win32_Group","Win32_GroupUser","Win32_UserAccount","GroupComponent","associators of","Select-Object Name, *Group*","Get-LocalGroup","Get-LocalGroupMember","Net localgroup","wmic","Win32_Group.Name","Win32_UserAccount.Name","WHERE Name"]);
let psBins = dynamic(["powershell.exe","pwsh.exe","pwsh","powershell_ise.exe","powershell" ]);
// DeviceProcessEvents (preferred)
// The three where clauses overlap: a row survives when it has a command line and either a
// PowerShell host file name or a WMI keyword in that command line.
let dpe = DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where FileName has_any (psBins) or ProcessCommandLine has_any (wmiKeywords) or ProcessCommandLine has_any (psBins)
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_any (wmiKeywords) or FileName has_any (psBins)
| extend CommandLine = ProcessCommandLine, SourceTable = "DeviceProcessEvents"
| project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, InitiatingProcess = InitiatingProcessFileName, InitiatingProcessId = InitiatingProcessId, CommandLine, SourceTable;
// DeviceEvents (broader)
// NOTE(review): AdditionalFields.CommandLine presumes AdditionalFields is dynamic — confirm against the table schema.
let de = DeviceEvents
| where TimeGenerated >= ago(7d)
| where FileName has_any (psBins) or ProcessCommandLine has_any (wmiKeywords) or tostring(AdditionalFields.CommandLine) has_any (wmiKeywords)
| extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine))
| where isnotempty(CommandLine)
| extend SourceTable = "DeviceEvents"
| project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, InitiatingProcess = InitiatingProcessFileName, InitiatingProcessId = InitiatingProcessId, CommandLine, SourceTable;
union dpe, de
// NOTE(review): `has "Get-"` is term-based and the hyphen is a separator, so this likely tests for the term "get" — confirm.
| where CommandLine has_any (wmiKeywords) or (FileName has_any (psBins) and CommandLine has "Get-")
// If encoded command is present, still include if WMI keywords present; otherwise exclude -encodedcommand to show readable commands
// (only rows admitted through the `Get-` path above can be dropped here; keyword matches always pass)
| where not(CommandLine has "-encodedcommand") or CommandLine has_any (wmiKeywords)
| order by TimeGenerated desc
| distinct TimeGenerated, DeviceName, AccountName, FileName, ProcessId, InitiatingProcess, InitiatingProcessId, CommandLine, SourceTable
| top 100 by TimeGenerated
37
On a Windows host, find any scheduled task that was registered using PowerShell native cmdlets instead of schtasks.exe. What was the name given to the new task?
AtomicTask
N/A
38
On a Windows endpoint, commands are no longer being logged to PowerShell history, suggesting PSReadLine settings were altered. Using process execution logs, determine the exact command that was run to set the history save style to 'SaveNothing'.
Set-PSReadlineOption -HistorySaveStyle SaveNothing
Set-PSReadlineOption -HistorySaveStyle SaveNothing
// PSReadLine history tampering: process rows whose command line sets HistorySaveStyle / PSReadLine options.
// `in~`, `contains` and `has_any` are case-insensitive, so no lower-casing is needed.
let psHosts = dynamic(["powershell.exe", "pwsh.exe", "powershell_ise.exe", "pwsh", "powershell"]);
let historyTerms = dynamic(["set-psreadlineoption", "historysavestyle", "set-psreadline", "psconsolehost", "setoptions"]);
DeviceProcessEvents
// Timestamp is used here while other queries on this page use TimeGenerated.
| where Timestamp between (startofday(ago(7d)) .. now())
// candidate rows: a PowerShell host, or any process whose command line mentions PSReadLine / HistorySaveStyle
| where FileName in~ (psHosts)
    or ProcessCommandLine contains "set-psreadline"
    or ProcessCommandLine contains "psreadline"
    or ProcessCommandLine contains "HistorySaveStyle"
// match common patterns that set history save style (whole-term match)
| where ProcessCommandLine has_any (historyTerms)
| project Timestamp, DeviceName, AccountName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedCommand = ProcessCommandLine
| order by Timestamp desc
| take 100
39
Investigate Windows process events for PowerShell activity that leverages WMI to register a scheduled task via XML import. What was the name of the XML file supplied to the RegisterByXml method?
T1053_005_WMI.xml
T1053_005_WMI.xml
// Find PowerShell processes that reference RegisterByXml or mention .xml, extract XML names and correlate with .xml file events
// Branch 1: PowerShell process rows whose command line (or AdditionalFields) mentions RegisterByXml / .xml.
// extract_all returns every whitespace-free token ending in .xml; mv-expand yields one row per token.
let process_candidates = DeviceProcessEvents
| where tolower(ProcessCommandLine) contains "powershell" or tolower(FileName) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh"
| where ProcessCommandLine contains "RegisterByXml" or ProcessCommandLine contains ".xml" or tostring(AdditionalFields) contains "RegisterByXml" or tostring(AdditionalFields) contains ".xml"
| extend XmlMatches = extract_all(@"([^\s]+\.xml)", ProcessCommandLine)
| mv-expand XmlFile = XmlMatches to typeof(string)
| project ProcTime=Timestamp, DeviceName, DeviceId, ProcessId, InitiatingProcessId, Account=AccountName, ProcessCommandLine, XmlFile;
// Branch 2: .xml files touched by a PowerShell process.
let file_events = DeviceFileEvents
| where tolower(FileName) endswith ".xml"
| where tolower(InitiatingProcessFileName) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "pwsh"
| project FileTime=Timestamp, DeviceName, DeviceId, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId;
// Branch 3: DeviceEvents whose AdditionalFields mention RegisterByXml / .xml.
let device_events_xml = DeviceEvents
| where tostring(AdditionalFields) contains "RegisterByXml" or tostring(AdditionalFields) contains ".xml"
| extend XmlMatches = extract_all(@"([^\s]+\.xml)", tostring(AdditionalFields))
| mv-expand XmlFile = XmlMatches to typeof(string)
| project EvTime=Timestamp, DeviceName, DeviceId, ProcessCommandLine, XmlFile, Account=AccountName;
// NOTE(review): the join key is DeviceId alone, so every process candidate is paired with every
// PowerShell .xml file event on the same device; the where that follows keeps all of those pairs
// whenever XmlFile is non-empty and applies the 120-second proximity test only otherwise.
// Joining on the initiating/process id as well would tighten the correlation.
// Colliding right-side columns (DeviceName, InitiatingProcessId) receive a "1" suffix, so the
// projected InitiatingProcessId is the process candidate's.
process_candidates
| join kind=leftouter (file_events) on DeviceId
| where isnotempty(XmlFile) or (isnotnull(FileTime) and abs(datetime_diff('second', ProcTime, FileTime)) <= 120)
| extend ObservedXml = iff(isnotempty(XmlFile), XmlFile, FileName)
| project DeviceName, Account, ProcessId, InitiatingProcessId, ProcTime, FileTime, ObservedXml, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
// Branch 3 rows are padded to the same schema (null ids, empty initiating-process fields).
| union (device_events_xml | project DeviceName, Account, ProcessId=long(null), InitiatingProcessId=long(null), ProcTime=EvTime, FileTime=EvTime, ObservedXml=XmlFile, ProcessCommandLine, InitiatingProcessFileName="", InitiatingProcessCommandLine="", FolderPath="")
| where isnotempty(ObservedXml)
| summarize FirstSeen=min(ProcTime), LastSeen=max(ProcTime), AnyCommands = make_set(ProcessCommandLine,5), FileEvents = make_set(pack('File',ObservedXml,'Folder',FolderPath,'InitiatingCmd',InitiatingProcessCommandLine),20) by DeviceName, Account, ObservedXml
| order by FirstSeen desc
| take 200
40
On a Windows endpoint, wscript.exe was used to run a JScript. Identify the exact script path passed to wscript.
PathToAtomicsFolder\T1059.007\src\sys_info.js
C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js
// wscript.exe script launches: recover the script path handed to the script host.
// Three extraction strategies are tried; coalesce keeps the first non-empty result.
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine contains_cs "wscript" or FileName =~ "wscript.exe"
| extend RawCmd = tostring(ProcessCommandLine)
| extend
    // a) path wrapped in double quotes
    dqPath = extract(@'"([^"]+\.(?:js|jse|wsf|vbs))"', 1, RawCmd),
    // b) path wrapped in single quotes
    sqPath = extract(@"'([^']+\.(?:js|jse|wsf|vbs))'", 1, RawCmd),
    // c) bare drive-letter or UNC path (\x22 is the double-quote character, excluded from the path body)
    barePath = extract(@"((?:[A-Za-z]:\\|\\\\)[^\s'\x22;|&]+\.(?:js|jse|wsf|vbs))", 1, RawCmd)
| extend ScriptPath = coalesce(dqPath, sqPath, barePath)
| where isnotempty(ScriptPath)
// distinct both selects the output columns and removes duplicate rows
| distinct TimeGenerated, DeviceName, ProcessId, FileName, InitiatingProcessFileName, InitiatingProcessId, RawCmd, ScriptPath
| order by TimeGenerated desc
| take 100
41
On Windows, review recent registry changes to detect when the MSC file association was hijacked by a reg add operation. What executable file was configured as the default command under HKCU\Software\Classes\mscfile\shell\open\command?
calc.exe
N/A
42
Which full interactive shell command, as recorded in the Linux process logs, repeatedly echoed a distinctive marker message to the terminal?
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
N/A
43
Analyze Windows process events for any schtasks.exe commands that created a new task invoking PowerShell. What is the name of the .ps1 script specified to run?
T1036.004_NonExistingScript.ps1
T1036.004_NonExistingScript.ps1
// schtasks.exe task registrations that point at PowerShell, grouped by the .ps1 name they reference.
let ps1Token = @"([A-Za-z0-9_:\/\.\-]+\.ps1)";
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where FileName =~ "schtasks.exe" or ProcessCommandLine contains "schtasks"
// task creation (/create) whose action mentions PowerShell or one of its -enc/-command/-file switches
| where ProcessCommandLine contains "/create"
    and (ProcessCommandLine contains "powershell"
        or ProcessCommandLine contains "-enc"
        or ProcessCommandLine contains "-command"
        or ProcessCommandLine contains "-file")
// The .ps1 token may sit in the task's own command line, in the parent's, or in AdditionalFields.
// The character class contains neither backslash nor space, so a full Windows path yields only
// its final file-name component (and the match stops at the first space).
| extend Ps1 = coalesce(
    extract(ps1Token, 1, tostring(ProcessCommandLine)),
    extract(ps1Token, 1, tostring(InitiatingProcessCommandLine)),
    extract(ps1Token, 1, tostring(AdditionalFields)))
| where isnotempty(Ps1)
| summarize occurrences = count(), firstSeen = min(TimeGenerated), lastSeen = max(TimeGenerated) by Ps1, DeviceName, DeviceId, AccountName
| order by occurrences desc
44
During a Linux investigation, you notice processes spawning curl and wget commands that pull a script from a remote GitHub raw URL and pipe it into bash. Identify the name of the script that was retrieved and executed.
echo-art-fish.sh
N/A
45
On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used?
chsh -s /bin/sh art
chsh -s /bin/sh art
// Surface the process that changed a user's login shell on Linux, from two angles:
//   1. writes to /etc/passwd joined back to the initiating process, and
//   2. process events whose command line carries a shell-change indicator (chsh / usermod -s / vipw).
// Output: up to 100 rows, de-duplicated per (DeviceId, FullCommand, InitiatingProcessId), newest first.
let passwd_file_events = DeviceFileEvents
// `contains "passwd"` also matches sibling files such as passwd- backups; kept deliberately broad.
| where FolderPath has "/etc" and (FileName == "passwd" or FileName contains "passwd")
// NOTE(review): `has_any` is term-based, so a single-term ActionType such as FileModified would not
// match "modified" — confirm the ActionType values emitted by this table before relying on this branch.
| where tolower(ActionType) has_any ("write","modify","modified","create","created","rename","delete")
| project FileEventTime=TimeGenerated, DeviceName, DeviceId, ReportId, FileName, FolderPath, ActionType, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Direct indicators; "chsh -s" is already covered by the "chsh" term and is redundant.
let processes_with_shell_change_indicators = DeviceProcessEvents
| where tolower(ProcessCommandLine) has_any ("chsh","chsh -s","usermod -s","vipw")
| project ProcessTime=TimeGenerated, DeviceName, DeviceId, ProcessId, ProcessCommandLine, AccountName = AccountName, ProcessFileName = FileName;
passwd_file_events
// leftouter: a file event with no matching process row is kept; FullCommand then falls back to
// InitiatingProcessCommandLine via the coalesce below. Note this joins the full DeviceProcessEvents
// table, not the indicator subset defined above.
| join kind=leftouter ( DeviceProcessEvents | project ProcessTime=TimeGenerated, DeviceId, ProcessId, ProcessCommandLine, AccountName = AccountName, ProcessFileName = FileName ) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| extend FullCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| project EventTime = FileEventTime, DeviceName, DeviceId, Account = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessId, ProcessId, FullCommand, FilePath = strcat(FolderPath, "/", FileName), ActionType
// Indicator branch is shaped to the same column set; ActionType is a synthetic marker, FilePath is blank.
| union ( processes_with_shell_change_indicators | extend EventTime = ProcessTime, FullCommand = ProcessCommandLine, FilePath = "", ActionType = "ProcessIndicatorMatched" | project EventTime, DeviceName, DeviceId, Account = AccountName, InitiatingProcessFileName = ProcessFileName, InitiatingProcessId = ProcessId, ProcessId, FullCommand, FilePath, ActionType )
// The sort has no effect on arg_max below (it picks the max EventTime per group regardless of input order).
| sort by EventTime desc
| summarize arg_max(EventTime, *) by tostring(DeviceId), tostring(FullCommand), tostring(InitiatingProcessId)
| project EventTime, DeviceName, DeviceId, Account, InitiatingProcessFileName, InitiatingProcessId, ProcessId, FullCommand, FilePath, ActionType
| limit 100
46
An attacker on a Linux host may try to enumerate installed shells by reading the system file that lists valid shells. Using process or syslog data, determine which command was executed to perform this enumeration.
cat /etc/shells
N/A
47
Review the process creation logs on a Windows host to uncover any tool execution indicative of a special APC injection for shellcode execution. What was the name of the executable used?
NtQueueApcThreadEx.exe
N/A
48
On a Linux endpoint, process events reveal a chain of group-enumeration utilities executed by a single session. Which utility was used to query the system’s group database?
getent
N/A
49
On a Windows endpoint, review process execution logs to see if any PowerShell sessions were wiped clean. Which command was executed to clear the PowerShell history?
Clear-History
N/A
50
On a Windows system, an attacker used the command prompt to remove one or more default administrative shares. Which share names were deleted?
C$, IPC$, ADMIN$
C$,ADMIN$,IPC$
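// Find deletions of administrative shares (e.g., C$, ADMIN$, IPC$) performed via cmd.exe/net.exe/reg.exe/sc.exe.
// Output: one row per (DeviceName, share) with first/last seen and a count, newest first.
// Changes from the earlier form: duplicate "net share" predicate dropped; the unused RegistryKey
// extraction removed; term and regex matching made case-insensitive so "NET SHARE C$ /DELETE" is
// not missed; a deletion verb is now required so plain "net share C$" (display) is not reported;
// share names are upper-cased so c$ and C$ aggregate together.
union isfuzzy=true DeviceEvents, DeviceProcessEvents
// `has` (not `has_cs`) — these tools are routinely typed in mixed case.
| where (ProcessCommandLine has "net share"
      or InitiatingProcessCommandLine has "net share"
      or ProcessCommandLine has "net.exe"
      or InitiatingProcessCommandLine has "net.exe"
      or ProcessCommandLine has "reg delete"
      or InitiatingProcessCommandLine has "reg delete"
      or ProcessCommandLine has "sc delete"
      or InitiatingProcessCommandLine has "sc delete")
    and (FileName in~ ("cmd.exe", "net.exe", "reg.exe", "sc.exe")
      or InitiatingProcessFileName in~ ("cmd.exe", "net.exe", "reg.exe", "sc.exe"))
// Prefer the process's own command line; fall back to the parent's (DeviceEvents rows often only carry the latter).
| extend cmdline = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine))
// Only deletions: "/delete" (or its "/del" short form) for net share, "delete" for reg/sc.
| where cmdline contains "/del" or cmdline has "delete"
// Share name, tried in order: "net share <name> /del…", then "<verb> delete <name>" / "/delete <name>",
// then any trailing-$ token as a last resort. coalesce() skips empty/null extract() results.
| extend share = coalesce(
      extract(@"(?i)net\s+share\s+([A-Za-z0-9_]+\$)\s+/del", 1, cmdline),
      extract(@"(?i)(?:/delete\s+|delete\s+)([A-Za-z0-9_]+\$)", 1, cmdline),
      extract(@"([A-Za-z0-9_]+\$)", 1, cmdline))
| where isnotempty(share)
// Normalise case so the same share is not counted twice under c$ and C$.
| extend share = toupper(share)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count() by DeviceName, share
| order by LastSeen desc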