An endpoint shows a PowerShell process that downloaded and executed a remote script aimed at extracting credentials from the Windows Credential Manager. Review the process creation logs and identify the function name that was invoked to dump the web credentials.

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("iex", "downloadstring", "iwr", "webclient") | where ProcessCommandLine has_any ("webcredentials", "vaultcmd", "CredentialManager", "VaultCli", "dpapi", "sekurlsa", "::") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains 'powershell' | where ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'Invoke-RestMethod' | project ProcessCommandLine

DeviceProcessEvents | where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe' | where ProcessCommandLine has_any('DownloadString', 'WebRequest', 'Invoke-WebRequest', 'Invoke-Expression', 'Net.WebClient', 'IEX', 'Invoke') | where ProcessCommandLine has_any('credentials', 'password', 'secret', 'dump') | project DeviceName, AccountName, ProcessCommandLine, TimeGenerated, FileName, FolderPath | summarize CommandLines = make_set(ProcessCommandLine) by DeviceName, FileName

DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine contains_cs "CredentialManager" or ProcessCommandLine contains_cs "WebCredentials" or ProcessCommandLine contains_cs "dump" or ProcessCommandLine contains_cs "Invoke-WebRequest" or InitiatingProcessCommandLine contains_cs "CredentialManager" or InitiatingProcessCommandLine contains_cs "WebCredentials" or InitiatingProcessCommandLine contains_cs "dump" or InitiatingProcessCommandLine contains_cs "Invoke-WebRequest" | project ProcessCreationTime, DeviceName, ProcessId, InitiatingProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | extend DumpFunction= extract(@"(Get-WebCredentials|Dump-Credentials|Invoke-WebRequest|Invoke-CredentialDump|Get-Credential|Dump-WebCredentials)" , 1, ProcessCommandLine) | where isnotempty(DumpFunction) | order by ProcessCreationTime desc

DeviceProcessEvents | where TimeGenerated >= ago(7d) // Adjust time range as necessary | where FileName in ('powershell.exe', 'pwsh.exe') // Focus on PowerShell processes | where ProcessCommandLine has_any ('Invoke-WebRequest', 'Invoke-RestMethod', 'DownloadString', 'Invoke-Expression') // Commands indicating script download or execution | project ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, DeviceName, InitiatingProcessParentFileName, InitiatingProcessParentId | order by InitiatingProcessCreationTime desc

DeviceProcessEvents | where FileName endswith "powershell.exe" and ProcessCommandLine contains "http" and ProcessCommandLine has_any("Credential", "Dump") | where ActionType == "ProcessCreated" | extend InvokedFunctionName = tostring(parse_json(AdditionalFields).FunctionName) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, InvokedFunctionName | order by TimeGenerated desc

let psh_bins = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let dl_terms = dynamic(["DownloadString","Invoke-WebRequest","Invoke-RestMethod","iwr","irm","curl","wget","Start-BitsTransfer","Net.WebClient","WebClient"]); let exec_terms = dynamic(["iex","Invoke-Expression"]); let func_re = "(?i)\\b((?:Invoke|Get|Dump|Search|Show|Out|New|Set|Export|Read)-?(?:Web|Cred|Credential|Credman|Vault)[A-Za-z]*|DumpCreds|Invoke-WCMDump|Invoke-CredManDump)\\b"; let base = DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ (psh_bins) | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine; let dec = base | extend EncArg = extract("(?i)(?:^|\\s)(?:-|/)(?:enc|encodedcommand|encoded|e|ec)\\s+['\\\"]?([A-Za-z0-9+/=]{20,})['\\\"]?", 1, ProcessCommandLine) | where isnotempty(EncArg) | extend Decoded = base64_decode_tostring(EncArg) | extend Cmd = strcat(ProcessCommandLine, " ; ", Decoded); let plain = base | where isempty(extract("(?i)(?:^|\\s)(?:-|/)(?:enc|encodedcommand|encoded|e|ec)\\b", 0, ProcessCommandLine)) | extend Cmd = ProcessCommandLine; union dec, plain | extend CmdN = replace_string(Cmd, "`", "") | where (CmdN contains "http" or CmdN contains "https") | where CmdN has_any (dl_terms) and CmdN has_any (exec_terms) | extend Functions = extract_all(func_re, CmdN) | mv-expand Functions | where isnotempty(Functions) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), SampleCmd=any(CmdN) by InvokedFunction=tostring(Functions), DeviceName | order by LastSeen desc

let suspects = DeviceProcessEvents | where Timestamp between (startofday(ago(7d)) .. now()) | where tolower(FileName) has_any ("powershell", "pwsh", "wsmprovhost") | where ProcessCommandLine has_any ("Invoke-Expression", "IEX", "Invoke-WebRequest", "wget", "curl", "DownloadString", "DownloadFile", "Invoke-RestMethod", "-EncodedCommand", "-Command") | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, AdditionalFields; // also include DeviceEvents which may include script blocks or network download details let devEvents = DeviceEvents | where Timestamp between (startofday(ago(7d)) .. now()) | where tolower(FileName) has_any ("powershell", "pwsh", "wsmprovhost") | project Timestamp, DeviceId, DeviceName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, AdditionalFields, RemoteUrl, FileOriginUrl; suspects | union devEvents | extend cmd = tostring(ProcessCommandLine) | extend combined = strcat(cmd, " ", tostring(AdditionalFields), " ", tostring(RemoteUrl), " ", tostring(FileOriginUrl)) // look for likely function names that reference credential manager or web credentials | extend fn_candidates = extract_all(@"(?i)(Get|Dump|Export|Read|Find|Unlock)?-?(Web|WinCred|Credential|Cred|StoredCredential|Vault|CredentialManager|Password|Chrome|Edge|Firefox)[A-Za-z0-9_\-]*", combined) | mv-expand fn_candidates to typeof(string) | where isnotempty(fn_candidates) | summarize count = count(), any_CommandLine = any(cmd), any_InitiatingProcess = any(InitiatingProcessCommandLine), any_AdditionalFields = any(AdditionalFields) by FunctionName = fn_candidates, DeviceId, DeviceName | sort by count desc | take 50

let TimeRange = ago(7d); DeviceProcessEvents | where Timestamp >= TimeRange | where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe" | where ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Expression" | join kind=leftouter ( DeviceNetworkEvents | where Timestamp >= TimeRange | where RemoteUrl != "" | summarize FirstRemoteUrl = min(RemoteUrl) by DeviceId, InitiatingProcessId, Timestamp ) on DeviceId, InitiatingProcessId | where ProcessCommandLine matches regex @"(?i)(credential|password|dump|extract|get|vault|credman)" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, RemoteUrl=FirstRemoteUrl, ProcessId, InitiatingProcessId | order by Timestamp desc

DeviceProcessEvents | where FileName has "powershell.exe" | where ProcessCommandLine has_any ("Invoke-WebRequest", "IEX", "downloadstring", "credential", "CredEnumerate") | project TimeGenerated, DeviceName, ProcessCommandLine, ProcessId | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(FileName) has "powershell" | where tolower(ProcessCommandLine) has_any ("download", "iwr", "wget", "curl", "invoke-webrequest", "system.net.webclient", "invoke-expression", "iex", "new-object net.webclient", "invoke-restmethod") | where tolower(ProcessCommandLine) contains "vault" or tolower(ProcessCommandLine) contains "cred" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // --- Remote download & execution indicators | where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-RestMethod", "New-Object Net.WebClient", "iwr", "irm", "wget", "curl", "Start-BitsTransfer") // --- Credential-manager related keywords | where ProcessCommandLine has_any ("Vault", "Cred", "Credential", "CredEnumerate", "VaultCmd") // --- Extract name of the function/cmdlet that dumps the web creds | extend FunctionInvoked = iff( ProcessCommandLine matches regex @"\b((Get|Invoke|Set|Remove|New|Import|Export|Clear)-[A-Za-z][A-Za-z0-9]*Cred[A-Za-z0-9]*)\b", extract(@"\b((Get|Invoke|Set|Remove|New|Import|Export|Clear)-[A-Za-z][A-Za-z0-9]*Cred[A-Za-z0-9]*)\b", 1, ProcessCommandLine), iff(ProcessCommandLine has "CredEnumerate", "CredEnumerate", iff(ProcessCommandLine has "VaultCmd", "VaultCmd", ""))) | where isnotempty(FunctionInvoked) | project TimeGenerated, DeviceName, ProcessCommandLine, FunctionInvoked | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), CommandLineSample=any(ProcessCommandLine) by DeviceName, FunctionInvoked | order by LastSeen desc

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("http", "https") // Extract any function name containing 'Dump' (case-insensitive) | extend DumpFunction = extract("(?i)([A-Za-z0-9_]+Dump[A-Za-z0-9_]*)", 1, ProcessCommandLine) | where isnotempty(DumpFunction) | project TimeGenerated, DeviceName, ProcessCommandLine, DumpFunction

DeviceProcessEvents | where FileName == "powershell.exe" // Only include runs that reference a .ps1 script (likely downloaded) | where ProcessCommandLine contains ".ps1" // Look for any Invoke- function call in the parameters | where ProcessCommandLine matches regex @"Invoke-[A-Za-z0-9_]+" // Extract the function name invoked to dump credentials | extend FunctionName = extract(@"Invoke-([A-Za-z0-9_]+)", 1, ProcessCommandLine) | where isnotempty(FunctionName) // Show the key context to identify the credential dumping routine | project TimeGenerated, DeviceName, AccountName, ProcessId, FunctionName, ProcessCommandLine | sort by TimeGenerated desc