A Windows system shows a cmd.exe process spawn that appears to have been used for environment discovery. Review the process creation records to identify the exact command the adversary ran to enumerate environment variables.

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "cmd.exe" | where ProcessCommandLine contains "/c set" | project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine

DeviceProcessEvents | where FileName == 'cmd.exe' | where ProcessCommandLine contains 'set' or ProcessCommandLine contains 'env' or ProcessCommandLine contains 'echo' | project DeviceName, DeviceId, ProcessCommandLine, ProcessCreationTime | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ActionType has_any ("ProcessCreated", "CreateProcess") | where ProcessCommandLine matches regex @"(?i)set(\s|$)" or ProcessCommandLine matches regex @"(?i)echo\s+%[A-Z_]+%" or ProcessCommandLine matches regex @"(?i)for.*%[A-Z_]+%" or ProcessCommandLine matches regex @"%[A-Za-z0-9_]+%" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmd.exe" and (ProcessCommandLine has "set" )

DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine has_any ("set ", "echo %", "env") | project DeviceName, ProcessCreationTime, ProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine contains "set" or ProcessCommandLine contains "env" | project ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessId, InitiatingProcessParentFileName, DeviceName, FileName

DeviceProcessEvents | where FileName == "cmd.exe" | where tolower(ProcessCommandLine) contains "set" | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine

let envVarToken = @"(?i)%[A-Z_][A-Z0-9_]*%"; DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "cmd.exe" | extend cmd = tostring(ProcessCommandLine) | where // set listing (no assignment) (cmd matches regex @"(?i)\b(?:/c|/k)?\s*set(\s|$|\|)" and not(cmd matches regex @"(?i)\bset\s+/(?:a|p)\b") and not(cmd matches regex @"(?i)\bset\s+[A-Z_][A-Z0-9_]*\s*=")) or cmd matches regex @"(?i)\bfor\s+/f.*\('set'\)" // for /f ... in ('set') or cmd matches regex @"(?i)\bset\s*\|\s*findstr\b" // set piped to findstr or cmd matches regex strcat(@"(?i)\becho\s+", envVarToken) // echo %VAR% | extend EnumMethod = case( cmd matches regex @"(?i)\bfor\s+/f.*\('set'\)", "for /f in ('set')", cmd matches regex @"(?i)\bset\s*\|\s*findstr\b", "set | findstr", cmd matches regex @"(?i)\becho\s+%[A-Z_][A-Z0-9_]*%", "echo %VAR%", cmd matches regex @"(?i)\bset(\s|$|\|)", "set listing", "unknown") | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, EnumMethod, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId, LogonId, InitiatingProcessLogonId, MachineGroup | order by TimeGenerated desc

( DeviceProcessEvents | extend SourceTable = "DeviceProcessEvents", CmdLine = tostring(ProcessCommandLine), EventTime = ProcessCreationTime ) | union ( DeviceEvents | extend SourceTable = "DeviceEvents", CmdLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine))), EventTime = coalesce(ProcessCreationTime, TimeGenerated) ) | where tolower(FileName) == "cmd.exe" or tolower(InitiatingProcessFileName) == "cmd.exe" or tolower(CmdLine) contains "cmd.exe" | where isnotempty(CmdLine) // Look for common environment-enumeration commands: 'set', 'setx', or 'echo %VAR%' | where CmdLine matches regex @"(?i)\b(set|setx)\b" or CmdLine matches regex @"(?i)echo\s+%[A-Za-z0-9_]+%" | project EventTime, SourceTable, DeviceName, AccountDomain, AccountName, FileName, ProcessId, CmdLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId | sort by EventTime desc | take 200

DeviceProcessEvents | where (FileName == "cmd.exe" or InitiatingProcessFileName == "cmd.exe" or ProcessCommandLine contains "cmd.exe" or InitiatingProcessCommandLine contains "cmd.exe") | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend CmdLineLC = tolower(CmdLine) | where CmdLineLC contains " set " or CmdLineLC contains " /c set" or CmdLineLC contains " /k set" | project TimeGenerated, DeviceName, DeviceId, CmdLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime | order by TimeGenerated desc

let TimeRange = 24h; DeviceProcessEvents | where tolower(FileName) == "cmd.exe" or tolower(InitiatingProcessFileName) == "cmd.exe" or tolower(ProcessCommandLine) contains "cmd.exe" | where ProcessCreationTime >= ago(TimeRange) | where ProcessCommandLine contains "set" | project TimeCreated = ProcessCreationTime, DeviceName, DeviceId, ProcessId, InitiatingProcessId, CommandLine = ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCreationTime | sort by TimeCreated desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine contains "set" or ProcessCommandLine contains "env" or ProcessCommandLine contains "printenv" | project DeviceName, AccountName, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName == 'cmd.exe' | where ProcessCommandLine contains 'set' | project TimeGenerated, DeviceName, ProcessCommandLine, AccountName | order by TimeGenerated desc | limit 100

// --- cmd.exe used for environment variable discovery --------------------------------- DeviceProcessEvents | where ActionType == "ProcessCreated" // new process start | where FileName =~ "cmd.exe" // only CMD shells // -------------------------------------------------------------------- // Identify typical env-var enumeration syntaxes issued from cmd.exe // – "cmd /c set" (dump all variables) // – "set <filter>" (filtered dump) // – "wmic environment get …" (WMIC technique) // – "echo %VAR%" (echo individual variable) // -------------------------------------------------------------------- | where ProcessCommandLine matches regex @"(?i)(/c\s+)?set(\s|$|>|&)|wmic\s+environment|echo\s+%[A-Z0-9_]+%" | project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, FolderPath, InitiatingProcessParentFileName, InitiatingProcessCommandLine, ReportId, SHA256 | order by TimeGenerated asc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has "/c set" or ProcessCommandLine has "set" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine contains_cs "set" | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has "/c set" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ProcessCommandLine | sort by TimeGenerated desc