Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "wmic process list" or ProcessCommandLine contains "Get-Process" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "Get-WmiObject" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where FileName endswith '.exe' | summarize count() by InitiatingProcessFileName

DeviceProcessEvents | where (InitiatingProcessCommandLine has_any('wmic', 'Get-WmiObject', 'gwmi', 'select', 'from', 'Win32_Process') or InitiatingProcessFileName =~ 'powershell.exe') | where InitiatingProcessCommandLine has 'list' or InitiatingProcessCommandLine contains 'Select *' | project DeviceName, InitiatingProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where (tolower(FileName) == "wmic.exe" and ProcessCommandLine has_all ("process", "list")) or (tolower(FileName) == "powershell.exe" and (ProcessCommandLine has "Get-WmiObject" or ProcessCommandLine has "Get-CimInstance") and ProcessCommandLine has "Win32_Process") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains "wmic" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Invoke-WmiMethod" or FileName == "wmic.exe" or FileName == "powershell.exe" | project DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, ProcessCreationTime | sort by ProcessCreationTime desc | take 50

DeviceProcessEvents | where ProcessCommandLine contains "wmic process list" or ProcessCommandLine contains "powershell Get-Process" or ProcessCommandLine contains "tasklist" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) // lowercase helpers for case-insensitive matching | extend fn = tolower(FileName) | extend lcmd = tolower(ProcessCommandLine) // WMIC patterns for process enumeration | extend isWMIC = (fn == "wmic.exe" and (lcmd has " win32_process" or lcmd matches regex "\\bpath\\s+win32_process\\b" or lcmd matches regex "\\bprocess(\\s+list|\\s+where|\\s+get|\\s+call)\\b")) | extend isWMICRemote = isWMIC and (lcmd has "/node:" or lcmd matches regex "\\b/node:\\s*\\S+") // PowerShell WMI/CIM patterns for Win32_Process | extend isPSCim = (fn in ("powershell.exe","pwsh.exe") and lcmd matches regex "\\b(get-ciminstance|gcim)\\b.*\\b(win32_process)\\b") | extend isPSWmi = (fn in ("powershell.exe","pwsh.exe") and lcmd matches regex "\\b(get-wmiobject|gwmi)\\b.*\\b(win32_process)\\b") | extend isPSRemote = (isPSCim or isPSWmi) and (lcmd has "-computername" or lcmd has "-cimsession" or lcmd matches regex "\\bnew-cimsession\\b") // VBScript via WMI (best-effort based on CLI) | extend isVBSWmi = (fn in ("cscript.exe","wscript.exe") and lcmd matches regex "\\b(winmgmts:|win32_process|root\\\\cimv2)\\b") | where isWMIC or isPSCim or isPSWmi or isVBSWmi | extend Utility = case( isWMICRemote, "WMIC (remote)", isWMIC, "WMIC", isPSRemote and isPSCim, "PowerShell Get-CimInstance (remote)", isPSCim, "PowerShell Get-CimInstance", isPSRemote and isPSWmi, "PowerShell Get-WmiObject/gwmi (remote)", isPSWmi, "PowerShell Get-WmiObject/gwmi", isVBSWmi, "VBScript via WMI", "Other" ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, Utility, InitiatingProcessParentFileName, InitiatingProcessParentId | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleCommand = take_any(ProcessCommandLine) by Utility, DeviceName, AccountName | order by LastSeen desc, Count desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | where ProcessCommandLine has_cs "wmic" or ProcessCommandLine has_cs "Get-WmiObject" or ProcessCommandLine has_cs "Get-CimInstance" or ProcessCommandLine has_cs "Win32_Process" or ProcessCommandLine has_cs "Invoke-WmiMethod" or InitiatingProcessCommandLine has_cs "wmic" or InitiatingProcessCommandLine has_cs "Get-WmiObject" or InitiatingProcessCommandLine has_cs "Get-CimInstance" or InitiatingProcessCommandLine has_cs "Win32_Process" or InitiatingProcessCommandLine has_cs "Invoke-WmiMethod" | extend Who = coalesce(AccountName, InitiatingProcessAccountName) | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, Who | order by TimeGenerated desc | take 500

// Detect WMI-based process enumeration via command-line indicators let wmi_regex = @"\b(wmic|wmic.exe|get-wmiobject|get-ciminstance|get-ciminstance|gwmi|invoke-wmimethod)\b"; union isfuzzy=true ( DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend sourceTable = "DeviceProcessEvents" ), ( DeviceEvents | where ActionType has "Process" or ActionType has "Create" or ActionType has "ProcessCreated" | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend sourceTable = "DeviceEvents" ) | extend cmd_l = tolower(cmd) | where cmd_l matches regex wmi_regex or cmd_l contains "win32_process" or cmd_l contains "select * from" or cmd_l contains "/node:" or cmd_l contains "/namespace:" or cmd_l contains "-class win32_process" or cmd_l contains "-query" or cmd_l contains "process list" | project TimeGenerated, ProcessCreationTime = coalesce(ProcessCreationTime, InitiatingProcessCreationTime, TimeGenerated), DeviceName, FileName, ProcessId, InitiatingProcessId, AccountName, InitiatingProcessAccountName, cmd, sourceTable, ReportId | sort by ProcessCreationTime desc | take 500

DeviceProcessEvents | where ( tolower(coalesce(ProcessCommandLine, "")) has "wmic" or tolower(coalesce(ProcessCommandLine, "")) has "get-wmiobject" or tolower(coalesce(ProcessCommandLine, "")) has "gwmi" or tolower(coalesce(ProcessCommandLine, "")) has "get-ciminstance" or tolower(coalesce(ProcessCommandLine, "")) has "invoke-wmimethod" or tolower(coalesce(ProcessCommandLine, "")) has "win32_process" or tolower(coalesce(FileName, "")) has "wmic" ) | extend DetectedUtility = case( tolower(coalesce(FileName, "")) has "wmic" or tolower(coalesce(ProcessCommandLine, "")) has "wmic", "wmic.exe", tolower(ProcessCommandLine) has "get-wmiobject" or tolower(ProcessCommandLine) has "gwmi" or tolower(ProcessCommandLine) has "invoke-wmimethod" or tolower(ProcessCommandLine) has "win32_process", "powershell (Get-WmiObject/gwmi)", tolower(ProcessCommandLine) has "get-ciminstance" or tolower(ProcessCommandLine) has "ciminstance", "powershell (Get-CimInstance)", "unknown" ) | project Timestamp, DeviceName, AccountName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, DetectedUtility, ReportId | order by ProcessCreationTime desc | take 100

DeviceProcessEvents | where ProcessCommandLine has 'wmic' and ProcessCommandLine has 'process' and (ProcessCommandLine has 'list' or ProcessCommandLine has 'get') | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName | summarize Count=count() by InitiatingProcessFileName, ProcessCommandLine, DeviceName, InitiatingProcessAccountName, Timestamp | order by Timestamp desc | take 100

DeviceProcessEvents | where ProcessCommandLine has 'wmic process' or ProcessCommandLine has 'Get-WmiObject Win32_Process' | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType in~ ("CreateProcess", "ProcessCreated") | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) has_any ("wmic", "get-wmiobject", "get-ciminstance", "win32_process", "gwmi") | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "wmic.exe" or ProcessCommandLine has_any ("wmic process", "Get-WmiObject", "Get-CimInstance", "win32_process") | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents // Time range will be injected by the calling function | where ActionType == "ProcessCreated" // ---- Hunt for WMI-based process enumeration --------------------------------- | where ( // Native WMIC utility explicitly targeting processes (tolower(FileName) == "wmic.exe" and ProcessCommandLine has "process") // Generic command-lines that contain both "wmic" and "process" or (ProcessCommandLine has "wmic" and ProcessCommandLine has "process") // PowerShell WMI/CIM cmdlets interrogating Win32_Process or (tolower(FileName) in ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance") and ProcessCommandLine has "Win32_Process") // Impacket / other WMIC wrappers or (tolower(FileName) == "wmiexec.exe") ) // ----------------------------------------------------------------------------- | extend Utility = tolower(FileName) | summarize Executions = count(), Devices = dcount(DeviceId), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleCmds = make_list(ProcessCommandLine, 5) by Utility | order by Executions desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) and (ProcessCommandLine contains "wmic" or InitiatingProcessCommandLine contains "wmic") | project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "process" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" and ( ProcessCommandLine has_cs "wmic" or ProcessCommandLine has_cs "Get-WmiObject" or ProcessCommandLine has_cs "gwmi" ) | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ParentProcess = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, ProcessFileName = FileName, ProcessCommandLine | order by TimeGenerated desc