Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where (FileName =~ "pnputil.exe" and (ProcessCommandLine has "add-driver" or ProcessCommandLine has "install")) or (FileName =~ "devcon.exe" and ProcessCommandLine has "install") or (ProcessCommandLine has "install" and ProcessCommandLine has "driver") | project Timestamp, DeviceName, FileName, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains '/install' or ProcessCommandLine contains '/driver' | where FileName has_any ('setup', 'install', 'update') | project FileName, ProcessCommandLine | distinct FileName

DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | where ProcessCommandLine has_any ('install', 'driver', 'install-driver', 'installdriver') or InitiatingProcessCommandLine has_any ('install', 'driver', 'install-driver', 'installdriver') or FileName has_any ('install', 'driver') | summarize count() by FileName | sort by count_ desc

DeviceProcessEvents | where ProcessCommandLine contains 'install-driver' or ProcessCommandLine contains 'install drivers' or ProcessCommandLine contains 'driver' | project InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCreationTime | order by InitiatingProcessCreationTime desc

let driverPattern = @"(?i)\b(install-?driver|install[_ ]driver|/install\b|-install\b|--install\b|createservice|sc\.exe|pnputil|devcon|drvinst|setupapi|add-?driver|adddriver)\b"; union ( DeviceProcessEvents | where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex driverPattern | project TimeGenerated, DeviceName, ToolFile = FileName, ProcessId, ProcessCreationTime, CommandLine = ProcessCommandLine, Initiator = coalesce(InitiatingProcessFileName, InitiatingProcessParentFileName), InitiatorCommandLine = InitiatingProcessCommandLine ), ( DeviceEvents | where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex driverPattern | project TimeGenerated, DeviceName, ToolFile = FileName, ProcessId, ProcessCreationTime, CommandLine = ProcessCommandLine, Initiator = coalesce(InitiatingProcessFileName, InitiatingProcessParentFileName), InitiatorCommandLine = InitiatingProcessCommandLine ), ( DeviceFileEvents | where isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex driverPattern | project TimeGenerated, DeviceName, ToolFile = coalesce(InitiatingProcessFileName, InitiatingProcessParentFileName), ProcessId = InitiatingProcessId, ProcessCreationTime = InitiatingProcessCreationTime, CommandLine = InitiatingProcessCommandLine, Initiator = coalesce(InitiatingProcessFileName, InitiatingProcessParentFileName), InitiatorCommandLine = InitiatingProcessCommandLine ) | extend MatchedToken = extract(driverPattern, 1, CommandLine) | summarize Count = count(), LastSeen = max(TimeGenerated), ExampleCommandLine = any(CommandLine), Devices = make_set(DeviceName, 10), Initiators = make_set(Initiator, 10) by ToolFile | where isnotempty(ToolFile) | order by LastSeen desc | take 50

// Look for processes that include driver-install related switches or known driver-install utilities let suspicious_terms = dynamic(["install-driver","install driver","/install-driver","/install","-install","pnputil","devcon","sc.exe","sc ","driverinstall","install-driver.exe","/add-driver","/install-driver /file","-install-driver","/add"]); // Search DeviceProcessEvents and DeviceEvents for matching command lines let procEvents = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) has_any (suspicious_terms) | extend ToolName = iff(isnotempty(FileName) and FileName != "", tostring(FileName), tostring(split(trim('"', ProcessCommandLine), ' ')[0])) | extend ToolName = extract(@"([^\\/]+\\.exe)$", 1, ToolName) | project TimeGenerated, SourceTable = "DeviceProcessEvents", DeviceName, AccountName, ProcessId, FileName, ToolName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId = InitiatingProcessId, MD5, SHA1, SHA256; let evEvents = DeviceEvents | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) has_any (suspicious_terms) | extend ToolName = iff(isnotempty(FileName) and FileName != "", tostring(FileName), tostring(split(trim('"', ProcessCommandLine), ' ')[0])) | extend ToolName = extract(@"([^\\/]+\\.exe)$", 1, ToolName) | project TimeGenerated, SourceTable = "DeviceEvents", DeviceName, AccountName, ProcessId = ProcessId, FileName, ToolName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId = InitiatingProcessId, MD5, SHA1, SHA256; union isfuzzy=true procEvents, evEvents | where isnotempty(ToolName) or isnotempty(FileName) | extend ToolName = iff(isnotempty(ToolName) and ToolName != "", ToolName, tostring(FileName)) | extend ToolName = tostring(ToolName) | summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ToolName, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, MD5, SHA1, SHA256 | order by LastSeen desc | project ToolName, Hits, FirstSeen, LastSeen, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, MD5, SHA1, SHA256

// Search for processes that include 'install-driver' or similar driver install switches in their command lines let keywords = dynamic(["install-driver","install_driver","--install-driver","/install-driver","-install-driver","/i","-i","--install"]); // DeviceProcessEvents has richer process fields; also include DeviceEvents to catch other records union isfuzzy=true DeviceProcessEvents, DeviceEvents | where TimeGenerated between (startofday(ago(14d)) .. now()) | where ProcessCommandLine has_any (keywords) or InitiatingProcessCommandLine has_any (keywords) or ProcessCommandLine has "installdriver" or InitiatingProcessCommandLine has "installdriver" | extend ToolFile = coalesce(FileName, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoOriginalFileName) | extend CommandLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, AdditionalFields.CommandLine, "")) | project TimeGenerated, DeviceName, ToolFile, CommandLine, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, FolderPath, InitiatingProcessFolderPath, AccountName, InitiatingProcessAccountName, ReportId | summarize count(), any(CommandLine), any(InitiatingProcessFileName), any(InitiatingProcessCommandLine), any(InitiatingProcessId), any(AccountName) by ToolFile, DeviceName | sort by count_ desc | top 50 by count_