Question Analysis

DeviceProcessEvents | where FileName == "w32tm.exe" | where ProcessCommandLine has "stripchart" and ProcessCommandLine has "period" | project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName, AccountDomain

DeviceProcessEvents | where ProcessCommandLine contains 'w32tm' and ProcessCommandLine contains '/stripchart' and ProcessCommandLine contains '/period'

DeviceProcessEvents | where ProcessCommandLine has 'w32tm' and ProcessCommandLine has 'stripchart' and ProcessCommandLine has 'period' | project DeviceName, ProcessCommandLine, ProcessCreationTime, FileName, FolderPath | distinct ProcessCommandLine

DeviceProcessEvents | where FileName =~ "w32tm.exe" | where ProcessCommandLine has "stripchart" and ProcessCommandLine has "period" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents // Use case-insensitive regex to match W32tm invocations with stripchart and period flags in any order | where ProcessCommandLine matches regex @"(?i)w32tm[\s\S]*stripchart[\s\S]*period" | extend FullW32tmInvocation = tostring(ProcessCommandLine) | project-reorder TimeGenerated, DeviceName, AccountName, FullW32tmInvocation | distinct TimeGenerated, DeviceName, AccountName, FullW32tmInvocation | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains 'w32tm' | where ProcessCommandLine contains 'stripchart' | where ProcessCommandLine contains 'period'

DeviceProcessEvents | where tolower(FileName) in ("w32tm.exe","w32tm") or tolower(ProcessCommandLine) contains "w32tm" | extend cmd = tostring(ProcessCommandLine) | where tolower(cmd) contains "/stripchart" and (tolower(cmd) contains "/period" or tolower(cmd) contains "-period") | extend Period = toint(extract(@"(?i)(?:/|-)period[:=\s]+(\d+)", 1, cmd)) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = dcount(DeviceName) by FullInvocation = cmd, Period | order by Count desc, LastSeen desc

let stripchart_flags = dynamic(["-stripchart","/stripchart","--stripchart"]); let period_flags = dynamic(["-period","/period","--period"]); let contains_any = (s:string, arr:dynamic){ array_length(set_intersection(split(tolower(s), ' '), arr)) > 0 }; union isfuzzy=true (DeviceProcessEvents | extend Cmd = tostring(ProcessCommandLine), Time=TimeGenerated | where isnotempty(Cmd) | where tolower(FileName) contains "w32tm" or tolower(Cmd) contains "w32tm" | where (Cmd has_any ("-stripchart","/stripchart","--stripchart","stripchart")) and (Cmd has_any ("-period","/period","--period","period")) | project Time, DeviceName, FileName, ProcessId, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId, TenantId ), (DeviceEvents | extend Cmd = coalesce(tostring(ProcessCommandLine), tostring(InitiatingProcessCommandLine)), Time=TimeGenerated | where isnotempty(Cmd) | where tolower(FileName) contains "w32tm" or tolower(Cmd) contains "w32tm" | where (Cmd has_any ("-stripchart","/stripchart","--stripchart","stripchart")) and (Cmd has_any ("-period","/period","--period","period")) | project Time, DeviceName, FileName, ProcessId, Cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId, TenantId ) | distinct Cmd, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId, TenantId, Time | order by Time desc | limit 100

let w32tm_re = @"(?i)\bw32tm(?:\.exe)?\b"; let strip_re = @"(?i)(?:/|-){1,2}stripchart\b"; let period_re = @"(?i)(?:/|-){1,2}period(?:[:\s]*\d+)?\b"; union DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(FullCommandLine) | where FullCommandLine matches regex w32tm_re and FullCommandLine matches regex strip_re and FullCommandLine matches regex period_re | extend PeriodValue = extract(@"(?i)(?:/|-){1,2}period(?:[:\s]*(\d+))", 1, FullCommandLine) | extend ComputerTarget = extract(@"(?i)(?:/|-){1,2}computer(?:[:\s]*)([^\s]+)", 1, FullCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessId = coalesce(ProcessId, InitiatingProcessId), InitiatingProcessFileName, InitiatingProcessId, Account = coalesce(AccountName, InitiatingProcessAccountName), FullCommandLine, PeriodValue, ComputerTarget | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), Devices = make_set(DeviceName), Accounts = make_set(Account) by FullCommandLine, PeriodValue, ComputerTarget | top 50 by Count desc | project FullCommandLine, PeriodValue, ComputerTarget, Count, FirstSeen, LastSeen, Devices, Accounts

// Find full w32tm invocations that include stripchart and period flags DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) // Normalize to lowercase for searching | where tolower(cmd) has "w32tm" and (tolower(cmd) has "stripchart" or tolower(cmd) has "/stripchart" or tolower(cmd) has "-stripchart") and (tolower(cmd) has "period" or tolower(cmd) has "/period" or tolower(cmd) has "-period") | project TimeGenerated, DeviceName, FileName, ProcessId, cmd | distinct cmd, DeviceName, FileName, ProcessId, TimeGenerated | order by TimeGenerated desc | take 100

DeviceProcessEvents | where ProcessCommandLine contains "w32tm" and ProcessCommandLine contains "/stripchart" and ProcessCommandLine contains "/period" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName == "w32tm.exe" | where ProcessCommandLine has_all ("/stripchart", "/period") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents | where FileName =~ "w32tm.exe" | where ProcessCommandLine has "/stripchart" and ProcessCommandLine has "/period" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

// Detect use of "w32tm.exe" with the stripchart sub-command and an explicit polling period DeviceProcessEvents // 1. Quickly zero-in on the Windows Time utility | where FileName =~ "w32tm.exe" or ProcessCommandLine has "w32tm" // 2. Look for the behaviour of interest: stripchart + period flag | where ProcessCommandLine has "stripchart" | where ProcessCommandLine has_any ("/period", "-period") // 3. Return the full command as it appeared together with basic context | summarize firstSeen = min(TimeGenerated), lastSeen = max(TimeGenerated), executions = count() by DeviceName, AccountName, ProcessCommandLine // 4. Most recent/high-volume occurrences first | order by executions desc, lastSeen desc

DeviceProcessEvents | where ProcessCommandLine has "w32tm" and ProcessCommandLine has "stripchart" and ProcessCommandLine has "/period:" | project TimeGenerated, DeviceName, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) contains "w32tm" and tolower(ProcessCommandLine) contains "stripchart" and tolower(ProcessCommandLine) contains "/period:" | project TimeGenerated, DeviceName, ProcessCommandLine | distinct ProcessCommandLine, TimeGenerated, DeviceName

DeviceProcessEvents | where FileName == "w32tm.exe" | where ProcessCommandLine has "stripchart" and ProcessCommandLine has "period" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "w32tm.exe" or FileName =~ "w32tm" | where (ProcessCommandLine has "-stripchart" or ProcessCommandLine has "/stripchart") and (ProcessCommandLine has "-period" or ProcessCommandLine has "/period") | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc