Question Analysis

DeviceProcessEvents | where FileName == "powershell.exe" | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "Get-Process" | distinct ProcessCommandLine

DeviceProcessEvents | where ActionType == 'ProcessCreated' and ProcessCommandLine contains 'Get-Process'

DeviceProcessEvents | where FileName == 'powershell.exe' and (ProcessCommandLine contains 'Get-Process' or ProcessCommandLine contains 'ps') | project DeviceId, DeviceName, ProcessCommandLine, TimeGenerated | limit 50

DeviceProcessEvents | where FileName in~ ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ("Get-Process", "gps", "ps ") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("Get-Process", "Get-CimInstance", "Get-WmiObject", "Get-Process -Name", "Get-Process |", "Get-CimInstance Win32_Process", "Get-WmiObject Win32_Process") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | summarize count() by ProcessCommandLine | top 10 by count_ desc

DeviceProcessEvents | where ProcessCommandLine contains "powershell" or FileName endswith ".exe" | where ProcessCommandLine contains "Get-Process" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc | take 10

DeviceProcessEvents | where InitiatingProcessCommandLine contains "powershell" and InitiatingProcessCommandLine contains "Get-Process" | project DeviceId, DeviceName, InitiatingProcessCommandLine, TimeGenerated

let process_cmdlet_pattern = @"(?i)\b(get-process|get-wmiobject|get-ciminstance|get-ciminstance|gwmi|gcim|gps|ps)\b"; union isfuzzy=true ( DeviceEvents | where ActionType has "PowerShell" | extend CmdText = tostring(coalesce(AdditionalFields.Command, AdditionalFields.ScriptLine, AdditionalFields.ScriptBlockText, AdditionalFields.ScriptContent, AdditionalFields.Message, AdditionalFields.Content, AdditionalFields.AmsiContent)) | where isnotempty(CmdText) | where CmdText matches regex process_cmdlet_pattern or CmdText has_cs "Win32_Process" | extend ExecutedToken = tostring(extract(process_cmdlet_pattern, 1, CmdText)) | extend CanonicalCmdlet = case( tolower(ExecutedToken) in ("gps","ps"), "Get-Process", tolower(ExecutedToken) in ("gwmi","get-wmiobject"), "Get-WmiObject", tolower(ExecutedToken) in ("gcim","get-ciminstance","get-ciminstance"), "Get-CimInstance", tolower(ExecutedToken) == "get-process", "Get-Process", ExecutedToken) | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ActionType, Source = "PowerShellEvent", ExecutedToken, CanonicalCmdlet, CmdText ), ( DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | where isnotempty(ProcessCommandLine) | where ProcessCommandLine matches regex process_cmdlet_pattern or ProcessCommandLine has_cs "Win32_Process" | extend CmdText = ProcessCommandLine | extend ExecutedToken = tostring(extract(process_cmdlet_pattern, 1, CmdText)) | extend CanonicalCmdlet = case( tolower(ExecutedToken) in ("gps","ps"), "Get-Process", tolower(ExecutedToken) in ("gwmi","get-wmiobject"), "Get-WmiObject", tolower(ExecutedToken) in ("gcim","get-ciminstance","get-ciminstance"), "Get-CimInstance", tolower(ExecutedToken) == "get-process", "Get-Process", ExecutedToken) | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ActionType, Source = "ProcessCreate", ExecutedToken, CanonicalCmdlet, CmdText ) | where isnotempty(ExecutedToken) | order by TimeGenerated desc

let CmdletRegex = @"(?i)\b((?:get-process|get-wmiobject|get-ciminstance|gwmi|tasklist(?:\.exe)?|\bGet-Process\b|\bGet-WmiObject\b|\bGet-CimInstance\b|\bgwmi\b|\btasklist\b|\bwin32_process\b)[^;|&\r\n]*)"; union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine), tostring(AdditionalFields.commandline), tostring(AdditionalFields.CommandLineText)) | where isnotempty(CmdLine) and CmdLine has_cs "powershell" | where CmdLine matches regex CmdletRegex | extend MatchedCmd = extract(CmdletRegex, 1, CmdLine) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCmd = any(MatchedCmd), ExampleFullCmd = any(CmdLine) by DeviceName, AccountName, FileName, ProcessId, ReportId | sort by LastSeen desc | project FirstSeen, LastSeen, Count, DeviceName, AccountName, FileName, ProcessId, ReportId, ExampleCmd, ExampleFullCmd | take 1000

// Find PowerShell invocations that include process listing cmdlets let powershellBinaries = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe","powershell" ,"pwsh"]); let processCmdPatterns = dynamic(["Get-Process","Get-Process\\b","Get-CimInstance\\b","Get-CimInstance","Get-WmiObject\\b","Get-WmiObject","gwmi\\b","gwmi","Get-WmiObject -Class Win32_Process","Get-CimInstance -ClassName Win32_Process","tasklist","Get-Process | Sort-Object","Get-Process -" ]); union isfuzzy=true DeviceEvents, DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // filter for PowerShell executables as the initiating process or file name | where tolower(InitiatingProcessFileName) has_any ("powershell","pwsh") or tolower(FileName) has_any ("powershell","pwsh") or tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" or tolower(InitiatingProcessCommandLine) contains "pwsh" // combine commandline fields | extend cmd = coalesce(InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields.CommandLine, tostring(AdditionalFields.CommandLine)) | where isnotempty(cmd) // search for known process-listing cmdlets/strings | where cmd matches regex @"(?i)\b(Get-Process|Get-CimInstance|Get-WmiObject|gwmi|tasklist)\b" or cmd contains "Win32_Process" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ProcessId, ProcessCommandLine, cmd, FileName, ActionType | extend MatchedCmdlet = extract(@"(?i)\b(Get-Process|Get-CimInstance|Get-WmiObject|gwmi|tasklist)\b", 1, cmd) | summarize Events = count(), AnyCommandLines = make_set(cmd, 50) by DeviceName, AccountName, MatchedCmdlet | order by Events desc | mv-expand AnyCommandLines | project DeviceName, AccountName, MatchedCmdlet, AnyCommandLines | top 100 by DeviceName

( DeviceEvents | where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" or FileName has_cs "pwsh" or InitiatingProcessFileName has_cs "pwsh" | where ProcessCommandLine has_any ("Get-Process","Get-CimInstance","Get-WmiObject","gwmi","Get-Process","get-process","Get-Process |","ps ","tasklist") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType ) | union ( DeviceProcessEvents | where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" or FileName has_cs "pwsh" or InitiatingProcessFileName has_cs "pwsh" | where ProcessCommandLine has_any ("Get-Process","Get-CimInstance","Get-WmiObject","gwmi","Get-Process","get-process","Get-Process |","ps ","tasklist") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine, ActionType ) | sort by TimeGenerated desc | extend Cmdlet = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = make_set(DeviceName, 10), Accounts = make_set(AccountName, 10), Examples = make_set(Cmdlet, 5) by Cmdlet | project Cmdlet, Count, FirstSeen, LastSeen, Devices, Accounts, Examples | top 50 by LastSeen desc

DeviceProcessEvents | where tolower(InitiatingProcessFileName) contains 'powershell' or tolower(InitiatingProcessFileName) contains 'powershell.exe' | where InitiatingProcessCommandLine contains_cs 'Get-Process' | extend Cmdlet = iff(InitiatingProcessCommandLine contains_cs 'Get-Process', 'Get-Process', '') | where Cmdlet != '' | project TimeGenerated, InitiatingProcessCreationTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet

let psExes = dynamic(["powershell.exe","pwsh.exe"]); DeviceProcessEvents | where InitiatingProcessFileName in (psExes) | where isnotempty(InitiatingProcessCommandLine) | where tolower(InitiatingProcessCommandLine) contains "get-process" | extend CmdletDetected = "Get-Process" | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, CmdletDetected

DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' | where InitiatingProcessCommandLine contains 'Get-Process' | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine | order by Timestamp desc

DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' | where ProcessCommandLine contains 'Get-Process' | project ProcessCommandLine, Timestamp | distinct ProcessCommandLine

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has_any ("Get-Process", "Get-WmiObject", "Get-CimInstance") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where Timestamp >= ago(30d) | where InitiatingProcessCommandLine contains "powershell" or ProcessCommandLine contains "powershell" | where InitiatingProcessCommandLine has "get-process" or ProcessCommandLine has "get-process" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine

// PowerShell process enumeration detection – what exact cmdlet was used? DeviceProcessEvents // 1. Focus on PowerShell hosts | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // 2. Keep only invocations that attempt to list running processes | where ProcessCommandLine has_any ("Get-Process", // standard cmdlet "Get-CimInstance", "Get-WmiObject", "gwmi", // aliases for Get-WmiObject "gps", "ps") // aliases for Get-Process // 3. Extract the first matching process-listing cmdlet / alias | extend CmdletExecuted = tolower(extract(@"(?i)(get-process|get-ciminstance|get-wmiobject|gwmi|gps|ps)", 1, ProcessCommandLine)) // 4. Normalise common aliases to their canonical cmdlet names | extend CmdletExecuted = case(CmdletExecuted == "ps" or CmdletExecuted == "gps", "get-process", CmdletExecuted == "gwmi", "get-wmiobject", CmdletExecuted) // 5. Return context so the analyst can validate the finding | project TimeGenerated, DeviceName, AccountName, CmdletExecuted, ProcessCommandLine, FolderPath, ProcessId, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has "Get-Process" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine contains "Get-Process" or ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "tasklist" | extend Cmdlet = extract(@"(?i)\b(Get-(?:Process|WmiObject|CimInstance))\b", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, Cmdlet, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine has_any ("Get-Process", "gps") | extend ScriptBlockText = tostring(AdditionalFields.ScriptBlockText) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ScriptBlockText | order by TimeGenerated desc