Question Analysis

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_all ("CommandLineEventConsumer") and (ProcessCommandLine has "WMI" or ProcessCommandLine has "__EventFilter" or ProcessCommandLine has "event subscription") | extend SubscriptionCommand = extract(@'CommandLine="([^"]+)"', 1, ProcessCommandLine) | extend SubscriptionExecutable = extract(@'([a-zA-Z]:\\[^"\s]+\.exe)', 1, SubscriptionCommand) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, SubscriptionCommand, SubscriptionExecutable | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "Register-WmiEvent" or ProcessCommandLine contains "Register-WmiEventSubscription" or ProcessCommandLine contains "EventFilter" or ProcessCommandLine contains "__EventFilter" or ProcessCommandLine contains "CommandLineEventConsumer" | extend ExecutorCommand = extract(@"(?i)CommandLineEventConsumer" , 0, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ExecutorCommand | order by TimeGenerated desc

let wmi_keywords = dynamic(["CommandLineEventConsumer","CommandLineTemplate","__FilterToConsumerBinding","__EventFilter","root\\subscription","New-CimInstance","Set-WmiInstance","Register-WmiEvent","wmic"]); let proc_hits = DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","wmic.exe","mofcomp.exe") | where ProcessCommandLine has_any (wmi_keywords) | extend CommandLineTemplate = coalesce( extract("CommandLineTemplate\\s*=\\s*\"([^\"]+)\"", 1, ProcessCommandLine), extract("CommandLineTemplate\\s*=\\s*'([^']+)'", 1, ProcessCommandLine), extract("-CommandLineTemplate\\s+\"([^\"]+)\"", 1, ProcessCommandLine), extract("-CommandLineTemplate\\s+'([^']+)'", 1, ProcessCommandLine), extract("CommandLineTemplate\\s*[:=]\\s*([^\\s,}]+)", 1, ProcessCommandLine) ) | where isnotempty(CommandLineTemplate) | extend ExecutableSetToRun = coalesce( extract("^\\s*\"([^\"]+?)\"", 1, CommandLineTemplate), extract("^\\s*'([^']+?)'", 1, CommandLineTemplate), extract("^\\s*([^\\s]+)", 1, CommandLineTemplate) ) | extend ConsumerName = coalesce( extract("Name\\s*=\\s*\"([^\"]+)\"", 1, ProcessCommandLine), extract("Name\\s*=\\s*'([^']+)'", 1, ProcessCommandLine), extract("-Name\\s+\"([^\"]+)\"", 1, ProcessCommandLine), extract("-Name\\s+'([^']+)'", 1, ProcessCommandLine) ) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, FileName, FolderPath, ProcessCommandLine, ConsumerName, CommandLineTemplate, ExecutableSetToRun; let script_hits = DeviceEvents | where ActionType startswith "PowerShell" | extend ScriptText = tostring(coalesce(AdditionalFields.ScriptContent, AdditionalFields.ScriptBlockText, AdditionalFields.DecodedCommand, AdditionalFields.Command, AdditionalFields.Content, AdditionalFields.CommandLine, AdditionalFields.Payload)) | where isnotempty(ScriptText) and ScriptText has_any (wmi_keywords) | extend CommandLineTemplate = coalesce( extract("CommandLineTemplate\\s*=\\s*\"([^\"]+)\"", 1, ScriptText), extract("CommandLineTemplate\\s*=\\s*'([^']+)'", 1, ScriptText), extract("-CommandLineTemplate\\s+\"([^\"]+)\"", 1, ScriptText), extract("-CommandLineTemplate\\s+'([^']+)'", 1, ScriptText), extract("CommandLineTemplate\\s*[:=]\\s*([^\\s,}]+)", 1, ScriptText) ) | where isnotempty(CommandLineTemplate) | extend ExecutableSetToRun = coalesce( extract("^\\s*\"([^\"]+?)\"", 1, CommandLineTemplate), extract("^\\s*'([^']+?)'", 1, CommandLineTemplate), extract("^\\s*([^\\s]+)", 1, CommandLineTemplate) ) | extend ConsumerName = coalesce( extract("Name\\s*=\\s*\"([^\"]+)\"", 1, ScriptText), extract("Name\\s*=\\s*'([^']+)'", 1, ScriptText), extract("-Name\\s+\"([^\"]+)\"", 1, ScriptText), extract("-Name\\s+'([^']+)'", 1, ScriptText) ) | project TimeGenerated, DeviceId, DeviceName, AccountName, ActionType, ConsumerName, CommandLineTemplate, ExecutableSetToRun, ScriptText; proc_hits | union isfuzzy=true script_hits | order by TimeGenerated desc

// Known WMI subscription indicators let wmiIndicators = dynamic(["Register-WmiEvent","New-EventFilter","Set-WmiInstance","CommandLineEventConsumer","CommandLineTemplate","FilterToConsumerBinding","__InstanceModificationEvent","__EventConsumer","Bind","Filter","Consumer","FilterToConsumerBinding"]); // Helper to extract executables or scripts from strings let extractExe = (s:string){ // Try full path first, then filename-only coalesce( extract(@"([A-Za-z]:\\[\\\w\-\.\s\\/]+\\?\.(?:exe|ps1|bat|vbs|wsh|cmd|msc|jar))", 1, s), extract(@"([\\\w\-]+\.(?:exe|ps1|bat|vbs|cmd|msi|msc|jar))", 1, s) ) }; // PowerShell process events where PowerShell constructs WMI subscriptions let psProcesses = DeviceProcessEvents | where tolower(FileName) has "powershell" or tolower(InitiatingProcessFileName) has "powershell" | where ProcessCommandLine has_any (wmiIndicators) or InitiatingProcessCommandLine has_any (wmiIndicators) | extend Source = "DeviceProcessEvents", CmdLine = tostring(ProcessCommandLine), InitiatorCmd = tostring(InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, Source, FileName, ProcessId, ProcessCreationTime, CmdLine, InitiatorCmd, InitiatingProcessFileName; // DeviceEvents (process creation) for PowerShell let psCreations = DeviceEvents | where tolower(FileName) has "powershell" or tolower(InitiatingProcessFileName) has "powershell" | where ProcessCommandLine has_any (wmiIndicators) or InitiatingProcessCommandLine has_any (wmiIndicators) | extend Source = "DeviceEvents", CmdLine = tostring(ProcessCommandLine), InitiatorCmd = tostring(InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, Source, FileName, ProcessId, ProcessCreationTime, CmdLine, InitiatorCmd, InitiatingProcessFileName; // Registry writes under WBEM/WMI that create CommandLineTemplate or FilterToConsumerBinding let regWrites = DeviceRegistryEvents | where tostring(RegistryKey) has "WBEM" or tostring(RegistryKey) has "WMI" | where RegistryValueName has_any ("CommandLineTemplate","FilterToConsumerBinding","Consumer") or tostring(RegistryValueData) has_any (wmiIndicators) | extend Source = "DeviceRegistryEvents", CmdLine = tostring(RegistryValueData), InitiatorCmd = tostring(InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, Source, FileName = InitiatingProcessFileName, ProcessId = InitiatingProcessId, ProcessCreationTime = InitiatingProcessCreationTime, CmdLine, InitiatorCmd, RegistryKey, RegistryValueName; // Additional DeviceEvents where AdditionalFields include WMI subscription indicators let otherEvents = DeviceEvents | where tostring(AdditionalFields) has_any (wmiIndicators) | extend Source = "DeviceEvents_AddFields", CmdLine = iff(isnull(ProcessCommandLine) or ProcessCommandLine == "", tostring(AdditionalFields), tostring(ProcessCommandLine)), InitiatorCmd = tostring(InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, Source, FileName, ProcessId, ProcessCreationTime, CmdLine, InitiatorCmd, InitiatingProcessFileName; union psProcesses, psCreations, regWrites, otherEvents | extend FoundExecutable = extractExe(tostring(CmdLine)) | extend FoundExecutable = tostring(FoundExecutable) | where isnotempty(CmdLine) and (FoundExecutable != "" or CmdLine contains "CommandLineEventConsumer" or CmdLine contains "CommandLineTemplate" or RegistryKey contains "WBEM" ) | summarize Occurrences = count(), SampleCmdLines = make_set(CmdLine, 10), SampleInitiators = make_set(InitiatorCmd, 10), Devices = make_set(DeviceName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by FoundExecutable, Source | where isnotempty(FoundExecutable) or Occurrences > 0 | project FoundExecutable, Occurrences, Devices, Source, FirstSeen, LastSeen, SampleCmdLines, SampleInitiators | top 200 by LastSeen desc

let StartTime = ago(1d); let EndTime = now(); let WmiSubscriptions = DeviceRegistryEvents | where TimeGenerated between (StartTime .. EndTime) | where RegistryKey contains "WBEM" or RegistryKey contains "WMI" or RegistryValueName contains "CommandLineTemplate" or RegistryValueName contains "CommandLine" or RegistryValueData contains "CommandLineTemplate" | project TimeGenerated, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine; let PsInitiators = DeviceProcessEvents | where TimeGenerated between (StartTime .. EndTime) | where InitiatingProcessFileName in ("powershell.exe","pwsh.exe","powershell") or InitiatingProcessCommandLine contains "powershell" | project DeviceId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine; let SubWithInitiator = WmiSubscriptions | join kind=inner (PsInitiators) on DeviceId, InitiatingProcessId | extend SubscriptionCommandLine = tostring(RegistryValueData) | extend ExecutableFromSubscription = extract(@"([A-Za-z]:\\[^\""]+\\.exe)", 1, SubscriptionCommandLine) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, SubscriptionCommandLine, ExecutableFromSubscription; SubWithInitiator | sort by TimeGenerated desc

DeviceProcessEvents | where FileName has "powershell.exe" and ProcessCommandLine contains "CommandLineEventConsumer" | extend Executable = extract("CommandLineTemplate=[\"']([^\"']+)[\"']", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessCommandLine, Executable | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has "CommandLineEventConsumer" or ProcessCommandLine has "__EventFilter" or ProcessCommandLine has "__FilterToConsumerBinding" | parse kind=regex flags=U ProcessCommandLine with @"CommandLineTemplate\s*=\s*'([^']+)'" CommandLineTemplate | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, CommandLineTemplate

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_any("Register-WMIEvent","CommandLineEventConsumer","__EventConsumer") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, ProcessCommandLine

union withsource=TableName DeviceProcessEvents, DeviceEvents | where (InitiatingProcessCommandLine has "PowerShell" or ProcessCommandLine has "PowerShell") and (InitiatingProcessCommandLine has "CommandLineEventConsumer" or ProcessCommandLine has "CommandLineEventConsumer") | extend CmdLine = iif(isnotempty(ProcessCommandLine), ProcessCommandLine, InitiatingProcessCommandLine) | extend ExecutableSet = extract("(?i)([\\w]+\\.exe)", 1, CmdLine) | project TimeGenerated, DeviceName, TableName, FileName, CmdLine, ExecutableSet | sort by TimeGenerated desc