In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections.

DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" | where ProcessCommandLine contains "Get-NetTCPConnection" or ProcessCommandLine contains "netstat" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine has 'Get-NetTCPConnection'

DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine contains 'Get-NetTCPConnection' or ProcessCommandLine contains 'netstat' | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetTCPConn") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | extend ExecutedCmdlet = case(ProcessCommandLine has "Get-NetTCPConnection", "Get-NetTCPConnection", ProcessCommandLine has "Get-NetTCPConn", "Get-NetTCPConn", ProcessCommandLine has "netstat", "netstat", "Unknown")

DeviceProcessEvents | where ProcessCommandLine has "powershell" | where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetConnectionProfile", "Get-NetUDPEndpoint") | summarize Count = count(), SampleCommands = make_list(ProcessCommandLine, 10) by InitiatingProcessAccountName, DeviceName, FileName | order by Count desc

DeviceProcessEvents | where FileName in ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine contains 'Get-NetTCPConnection' | project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId | order by Timestamp desc

let psh_from_deviceevents = DeviceEvents | where ActionType in ("PowerShellCommand", "PowerShellScriptBlockLogging") | extend ScriptText = tostring(iff(ActionType == "PowerShellScriptBlockLogging", AdditionalFields.ScriptBlockText, coalesce(AdditionalFields.Command, AdditionalFields.ScriptContent, AdditionalFields.CommandLine))) | extend CommandName = tostring(AdditionalFields.CommandName) | where CommandName =~ "Get-NetTCPConnection" or ScriptText has "Get-NetTCPConnection" | extend Cmdlet = iif(isnotempty(CommandName), CommandName, extract(@"(?i)\b(Get-NetTCPConnection)\b", 1, ScriptText)) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet, CommandText=coalesce(ScriptText, InitiatingProcessCommandLine); let psh_from_processevents = DeviceProcessEvents | where (InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") or FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe")) | where ProcessCommandLine has "Get-NetTCPConnection" | extend Cmdlet = extract(@"(?i)\b(Get-NetTCPConnection)\b", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet, CommandText=ProcessCommandLine; union isfuzzy=true psh_from_deviceevents, psh_from_processevents | extend ExecutingAccount = coalesce(AccountName, InitiatingProcessAccountName) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count(), SampleCommand=any(CommandText) by DeviceId, DeviceName, ExecutingAccount, Cmdlet | extend StateFilter = extract(@"(?i)-State\s+([A-Za-z,]+)", 1, SampleCommand) | order by LastSeen desc

// PowerShell processes used to enumerate network connections DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe' or ProcessCommandLine has 'powershell' or ProcessCommandLine has 'pwsh' // Look for common cmdlets and commands used to list TCP connections | where ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "Get-NetTCPStatistics", "Get-NetAdapter", "netstat", "ss -t", "Get-NetConnectionProfile", "Get-NetIPConnection") | extend MatchedCommand = case( ProcessCommandLine has "Get-NetTCPConnection", "Get-NetTCPConnection", ProcessCommandLine has "netstat", "netstat", ProcessCommandLine has "ss -t", "ss -t", ProcessCommandLine has "Get-NetUDPEndpoint", "Get-NetUDPEndpoint", ProcessCommandLine has "Get-NetTCPStatistics", "Get-NetTCPStatistics", ProcessCommandLine has "Get-NetConnectionProfile", "Get-NetConnectionProfile", ProcessCommandLine has "Get-NetIPConnection", "Get-NetIPConnection", "other") | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, AccountName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine | order by LastSeen desc, Count desc | project FirstSeen, LastSeen, Count, DeviceName, AccountName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine

let powershellNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let networkIndicators = dynamic(["Get-NetTCPConnection","Get-NetUDPEndpoint","Get-NetTCPStatistics","Get-NetIPStatistics","Get-NetIPAddress","Get-NetConnectionProfile","Get-NetTCPInfo","netstat","Get-NetTCP*","Get-Net*Connection","Get-Net*TCP","Get-Net*UDP"]); // Helper: search DeviceProcessEvents (and DeviceEvents) for PowerShell and likely network enumeration commands union isfuzzy=true ( DeviceProcessEvents | where FileName in (powershellNames) or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" | extend CommandLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", Time = TimeGenerated ), ( DeviceEvents | where FileName in (powershellNames) or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), EventSource = "DeviceEvents", Time = TimeGenerated ) | where isnotempty(CommandLine) // Focus on command lines that contain likely network enumeration indicators | where CommandLine matches regex @"(?i)\b(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStatistics|Get-NetIPStatistics|Get-NetIPAddress|Get-NetConnectionProfile|Get-NetTCPInfo|netstat)\b" | extend Matched = extract(@"(?i)\b(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStatistics|Get-NetIPStatistics|Get-NetIPAddress|Get-NetConnectionProfile|Get-NetTCPInfo|netstat)\b", 1, CommandLine) // Normalize common variations | extend Matched = case(tolower(Matched)=="netstat","netstat", tostring(Matched)) | extend Matched = iif(isempty(Matched), "unknown", Matched) | project Time, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain, CommandLine, Matched, EventSource | summarize Count = count(), SampleCommandLine = any(CommandLine), ExampleTime = min(Time) by Matched, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain | order by Count desc | take 100

// Find PowerShell processes that enumerated network connections union isfuzzy=true DeviceEvents , DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // Filter for PowerShell process executables or PowerShell in command line | where (FileName has_cs "powershell" or FileName has_cs "pwsh" or ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or InitiatingProcessFileName has_cs "powershell" or InitiatingProcessFileName has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh") // Look for network enumeration cmdlets or tools commonly used | where ProcessCommandLine has_cs "Get-NetTCPConnection" or ProcessCommandLine has_cs "Get-NetUDPEndpoint" or ProcessCommandLine has_cs "Get-NetTCPStatistics" or ProcessCommandLine has_cs "Get-NetUDPEndpoint" or ProcessCommandLine has_cs "netstat" or ProcessCommandLine has_cs "Get-NetTCP" or InitiatingProcessCommandLine has_cs "Get-NetTCPConnection" or InitiatingProcessCommandLine has_cs "Get-NetUDPEndpoint" or InitiatingProcessCommandLine has_cs "Get-NetTCPStatistics" or InitiatingProcessCommandLine has_cs "netstat" or InitiatingProcessCommandLine has_cs "Get-NetTCP" // Extract the cmdlet/tool name | extend Cmdlet = case( ProcessCommandLine has_cs "Get-NetTCPConnection" or InitiatingProcessCommandLine has_cs "Get-NetTCPConnection", "Get-NetTCPConnection", ProcessCommandLine has_cs "Get-NetUDPEndpoint" or InitiatingProcessCommandLine has_cs "Get-NetUDPEndpoint", "Get-NetUDPEndpoint", ProcessCommandLine has_cs "Get-NetTCPStatistics" or InitiatingProcessCommandLine has_cs "Get-NetTCPStatistics", "Get-NetTCPStatistics", ProcessCommandLine has_cs "netstat" or InitiatingProcessCommandLine has_cs "netstat", "netstat", ProcessCommandLine has_cs "Get-NetTCP", "Get-NetTCP", "other") | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, Cmdlet, ReportId, TenantId | summarize Count = count(), Samples = make_list(pack('TimeGenerated', TimeGenerated, 'DeviceName', DeviceName, 'ProcessId', ProcessId, 'ProcessCommandLine', ProcessCommandLine, 'InitiatingProcessId', InitiatingProcessId, 'InitiatingProcessCommandLine', InitiatingProcessCommandLine), 5) by Cmdlet | order by Count desc

DeviceProcessEvents | where FileName contains "powershell.exe" or InitiatingProcessFileName contains "powershell.exe" | where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp") or InitiatingProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp") | project DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp | order by Timestamp desc

DeviceProcessEvents | where FileName =~ 'powershell.exe' | where ProcessCommandLine contains 'Get-NetTCPConnection' or ProcessCommandLine contains 'netstat' | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" or FileName =~ "powershell_ise.exe" | where ProcessCommandLine has "Get-NetTCPConnection" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Get-NetTCPConnection" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine

// Find PowerShell processes that enumerated network connections (e.g. active TCP) // Time range is controlled by the portal (TimeGenerated) let PowerShellHosts = dynamic(["powershell.exe","powershell_ise.exe","pwsh.exe","pwsh"]); let NetEnumerationCmdlets = dynamic(["Get-NetTCPConnection","Get-NetUDPEndpoint","Get-NetIPConnection","netstat"]); DeviceProcessEvents | where FileName in~ (PowerShellHosts) // limit to PowerShell hosts (case-insensitive) | where ProcessCommandLine has_any(NetEnumerationCmdlets) // command-line contains one of the enumeration cmdlets | extend CmdletExecuted = tostring(extract(@"(?i)(get-nettcpconnection|get-netudpendpoint|get-netipconnection|netstat)",0,ProcessCommandLine)) | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessId, CmdletExecuted, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessId | sort by TimeGenerated desc

DeviceProcessEvents | where tolower(InitiatingProcessFileName) has "powershell" | where tolower(InitiatingProcessCommandLine) has "nettcpconnection" | extend PS_Cmdlet = extract(@"(Get-[^\s]+)", 1, InitiatingProcessCommandLine) | where isnotempty(PS_Cmdlet) | summarize Count = count() by PS_Cmdlet | order by Count desc

union DeviceProcessEvents, DeviceEvents | where (FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe") | where InitiatingProcessCommandLine has "Get-NetTCPConnection" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessId | summarize Occurrences=count() by DeviceName, InitiatingProcessCommandLine | order by Occurrences desc

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine contains "Get-NetTCPConnection" | extend Cmdlet = extract(@"(Get-NetTCPConnection)", 1, ProcessCommandLine) | summarize Count = count() by Cmdlet | order by Count desc

DeviceProcessEvents | where FileName endswith "powershell.exe" | where ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "Get-NetTCPStats", "netstat") | extend Cmdlet = extract(@"(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStats|netstat)\b", 1, ProcessCommandLine) | summarize Count = count() by Cmdlet | order by Count desc