Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "-EncodedCommand" or (strlen(ProcessCommandLine) > 500 and FileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")) | distinct FileName

DeviceProcessEvents | where ActionType == "ProcessCreated" | where strlen(ProcessCommandLine) > 300 or ProcessCommandLine matches regex @"[A-Za-z0-9]{30,}" or ProcessCommandLine has_any ("Invoke", "Reflection", "Decode", "exec", "forEach", "Base64", "FromBase64String") or ProcessCommandLine matches regex @"[\^%$\+#\{\}\[\];\|]{8,}" | summarize Count = count() by FileName, DeviceName | top 20 by Count desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) // look for typical patterns of obfuscation indicating dynamic code execution | where ProcessCommandLine matches regex @"(base64|invoke-expression|iex|char\(|\[string\]|\+{2,}|\$[a-zA-Z0-9_]+\s*=|frombase64string)" | summarize by InitiatingProcessFileName | project InitiatingProcessFileName

let dynamic_tokens = @'(?i)\b(iex|invoke-expression|add-type|scriptblock\s*(?:::|\.)\s*create|(?:system\.)?reflection\.assembly\s*(?:::|\.)\s*load|frombase64string)\b'; let base64_or_obfuscated = @'(?i)(?:-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{40,}|[A-Za-z0-9+/=]{120,})'; let suspicious_concat = @'(?i)(["'']\s*\+\s*["''])'; let obf_repeat = @'[`^]{3,}'; DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) | extend cmd = tostring(ProcessCommandLine) | extend len = strlen(cmd) | extend alnum_len = strlen(replace_regex(cmd, @'[^A-Za-z0-9]', '')) | extend non_ratio = iif(len == 0, 0.0, todouble(len - alnum_len) / todouble(len)) | extend has_dynamic = cmd matches regex dynamic_tokens | extend has_b64 = cmd matches regex base64_or_obfuscated | extend has_concat = cmd matches regex suspicious_concat | extend has_obf_chars = cmd matches regex obf_repeat | extend score = iif(has_dynamic,3,0) + iif(has_b64,3,0) + iif(has_concat,1,0) + iif(has_obf_chars,1,0) + iif(len > 250,1,0) + iif(non_ratio > 0.45,1,0) | where score > 0 | summarize Events=count(), Devices=dcount(DeviceId), LatestTime=max(TimeGenerated), ExampleCommandLine=arg_max(score, cmd) by ProcessName=FileName | order by Events desc, LatestTime desc

union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(CmdLine) // indicators of runtime code construction/obfuscation or dynamic invocation | where CmdLine matches regex @"(?i)(\b(iex|invoke-expression|invokeexpression)\b|frombase64string|frombase64|\[char\]|-join\b|new-object\s+net\.webclient|downloadstring|invoke-webrequest|system\.reflection\.assembly::load|powershell\s+(-encodedcommand|\-e\b|/e\b)|certutil\s+-decode|mshta\b|cmd\.exe\s+/c|add-type|assembly\.load|reflection\.emit|dynamicmethod|createdelegate|ilgenerator|encodedcommand)" | extend ExecutingProcess = coalesce(FileName, InitiatingProcessFileName, tostring(split(trim('"', CmdLine), ' ')[0])) | summarize Occurrences = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ExecutingProcess | where isnotempty(ExecutingProcess) | order by Occurrences desc | top 20 by Occurrences // Also show recent raw samples for triage | union ( union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(CmdLine) | where CmdLine matches regex @"(?i)(\b(iex|invoke-expression|invokeexpression)\b|frombase64string|frombase64|\[char\]|-join\b|new-object\s+net\.webclient|downloadstring|invoke-webrequest|system\.reflection\.assembly::load|powershell\s+(-encodedcommand|\-e\b|/e\b)|certutil\s+-decode|mshta\b|cmd\.exe\s+/c|add-type|assembly\.load|reflection\.emit|dynamicmethod|createdelegate|ilgenerator|encodedcommand)" | extend ExecutingProcess = coalesce(FileName, InitiatingProcessFileName, tostring(split(trim('"', CmdLine), ' ')[0])) | project TimeGenerated, DeviceName, DeviceId, ProcessId, ExecutingProcess, CmdLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId, _ResourceId | order by TimeGenerated desc | take 200 )

let suspiciousPS = tolower("powershell"); DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) contains "powershell" and ( tolower(ProcessCommandLine) contains "encodedcommand" or tolower(ProcessCommandLine) contains "base64" or tolower(ProcessCommandLine) contains "iex" or tolower(ProcessCommandLine) contains "invoke-expression" ) | project TimeGenerated, DeviceName, ExecutedProcessName = FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, PayloadCommandLine = ProcessCommandLine | summarize Count = count() by ExecutedProcessName, InitiatingProcessFileName | top 1 by Count desc

DeviceProcessEvents | where ProcessCommandLine != '' | where strlen(ProcessCommandLine) > 500 or ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains 'EncodedCommand' | project FileName, ProcessCommandLine, DeviceName, ProcessCreationTime | order by ProcessCreationTime desc | take 50

DeviceProcessEvents | where ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "IEX" | distinct FileName

DeviceProcessEvents | where ProcessCommandLine has_any ("iex", "FromBase64String", "System.Reflection") | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType in~ ("CreateProcess", "ProcessCreated") | where tolower(ProcessCommandLine) has_any ("encodedcommand", "reflection.emit", "invoke-expression", "frombase64string") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath, SHA256 | order by TimeGenerated desc

// 1. Look at process start events DeviceProcessEvents | where ActionType == "ProcessCreated" // 2. Filter for command-lines that show signs of heavy obfuscation or run-time code generation // – long base64 blobs (-enc …) or FromBase64String() // – use of IEX / Invoke-Expression / Add-Type / Reflection // – very long command lines (>200 chars) | extend cmd = tostring(ProcessCommandLine) | where strlen(cmd) > 200 or cmd has "-enc" or cmd has "-encodedcommand" or cmd has "FromBase64String" or cmd has "Invoke-Expression" or cmd has "IEX(" or cmd has "Add-Type" or cmd has "System.Reflection" or cmd matches regex @"[A-Za-z0-9+/]{100,}=" // 3. Return the process name(s) that executed that payload | summarize ExampleCommandLine = any(cmd), Events = count() by FileName | sort by Events desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where strlen(InitiatingProcessCommandLine) > 200 | summarize Count = count() by ProcessName = InitiatingProcessFileName | sort by Count desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "-enc" or ProcessCommandLine has "IEX" | summarize event_count=count() by ProcessName = FileName | sort by event_count desc

DeviceProcessEvents | where ActionType == "ProcessCreated" // Look for common obfuscation and dynamic code invocation patterns | where ProcessCommandLine matches regex @"(?i)\b(IEX|Invoke-Expression|FromBase64String|Add-Type|Reflection|Assembly\.Load)\b" | project TimeGenerated, DeviceName, ProcessName = FileName, ProcessCommandLine | sort by TimeGenerated desc | distinct ProcessName