Question Analysis

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ActionType == "ProcessCreated" | where ProcessCommandLine matches regex @"\btime\b" | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine

DeviceProcessEvents | where FileName in ("w32tm.exe", "time.exe") | project DeviceName, ProcessCommandLine, ProcessCreationTime | order by ProcessCreationTime desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where FileName =~ "time.exe" or FileName =~ "w32tm.exe" or ProcessCommandLine matches regex @"\b(time|time\.exe|w32tm|w32tm\.exe)\b" | extend Command = trim("\"' ", ProcessCommandLine) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, Command | order by LastSeen desc

DeviceProcessEvents | where FileName has_cs "time" or ProcessCommandLine has_cs "time" or ProcessCommandLine has_cs "get-date" or ProcessCommandLine has_cs "w32tm" | extend FileNameLower = tolower(FileName), Cmd = tostring(ProcessCommandLine) | where FileNameLower in ("time.exe","time") or Cmd has_cs " time " or Cmd startswith_cs "time" or Cmd contains "/c time" or Cmd has_cs "get-date" or Cmd has_cs "w32tm" | project TimeGenerated, DeviceName, AccountName, AccountDomain, ProcessId, InitiatingProcessFileName, InitiatingProcessId, FileName, ProcessCommandLine | order by TimeGenerated desc | distinct DeviceName, TimeGenerated, ProcessId, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessId | limit 100

DeviceProcessEvents | where (InitiatingProcessFileName has_cs "cmd.exe" and (ProcessCommandLine has_cs "time" or InitiatingProcessCommandLine has_cs "time")) or (FileName has_cs "time.exe" or FileName has_cs "time" or (ProcessCommandLine has_cs "time")) | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend TimeArg = extract(@"(?i)time(?:\\.exe)?\\s*(.*)", 1, CmdLine) | extend DetectedTimeRun = strcat("time", iff(isempty(TimeArg), "", strcat(" ", TimeArg))) | project TimeGenerated = ProcessCreationTime, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, CmdLine, DetectedTimeRun | sort by TimeGenerated desc

let TimeWindow = 1d; DeviceProcessEvents | where TimeGenerated >= ago(TimeWindow) | where (tolower(FileName) endswith "time.exe" or tolower(FileName) endswith "time" or tolower(ProcessCommandLine) contains "time" or tolower(InitiatingProcessCommandLine) contains "time") | extend IsCmdLauncher = (tolower(InitiatingProcessFileName) endswith "cmd.exe" or tolower(InitiatingProcessFileName) endswith "cmd") | extend RunType = case( tolower(FileName) endswith "time.exe", "time.exe external", IsCmdLauncher and (tolower(ProcessCommandLine) contains "time" or tolower(InitiatingProcessCommandLine) contains "time"), "cmd built-in time", IsCmdLauncher, "cmd built-in time", "other" ) | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RunType | summarize arg_max(TimeGenerated, *) by DeviceName | sort by TimeGenerated desc

DeviceProcessEvents | where FileName has 'time' or ProcessCommandLine has 'time' | project DeviceName, ProcessCommandLine, FileName, ProcessCreationTime, FolderPath | top 100 by ProcessCreationTime desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has_any ("time") | project DeviceName, ProcessCommandLine, Timestamp | order by Timestamp desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("cmd.exe", "powershell.exe") | where tolower(ProcessCommandLine) has "time" | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName, AccountDomain | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "cmd.exe" or FileName =~ "powershell.exe" or FileName =~ "time.exe" | where ProcessCommandLine has "time" | project TimeGenerated, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, AccountName, AccountDomain, SHA1, MD5

DeviceProcessEvents | where ActionType == "ProcessCreated" // --- direct execution of the utility --- | where FileName =~ "time.exe" or (FileName =~ "cmd.exe" and tolower(ProcessCommandLine) matches regex @"/c\s+time(\s+/t)?\b") | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where tolower(FileName) == "time.exe" or (tolower(ProcessCommandLine) has "time" and tolower(FolderPath) contains "system32") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | order by TimeGenerated desc