Question Analysis

DeviceProcessEvents | where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe" | where ProcessCommandLine has "Set-Date" or InitiatingProcessCommandLine has "Set-Date" | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend ExtractedValue = extract(@'Set-Date.*?(-?\d+(\.\d+)?)', 1, CommandLine) | where isnotempty(ExtractedValue) | project Timestamp, DeviceName, CommandLine, ExtractedValue

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("set-date", "Set-Date", "date ", "time ", "w32tm", "/set", "-date") | extend SlippedValue = extract(@'(-?\d{1,5})', 1, ProcessCommandLine) | where isnotempty(SlippedValue) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, SlippedValue | order by TimeGenerated desc

DeviceProcessEvents | where FileName contains "powershell" and (ProcessCommandLine contains "date" or ProcessCommandLine contains "Set-Date" or ProcessCommandLine contains "system clock") | project DeviceName, InitiatingProcessAccountName, TimeGenerated, ProcessCommandLine, AdditionalFields | extend NumericValue = extract(@"(\d+)", 1, ProcessCommandLine) | summarize by NumericValue, ProcessCommandLine, DeviceName, InitiatingProcessAccountName, TimeGenerated | where isnotempty(NumericValue)

DeviceProcessEvents | where ProcessCommandLine contains 'Set-Date' or ProcessCommandLine contains 'set-date' // Filter for suspicious activities involving system clock adjustments | project TimeGenerated, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId | extend CommandLineLower = tolower(ProcessCommandLine) | where CommandLineLower contains 'set-date' // Attempt to extract the date value used | extend SlipValue = extract(@'([+-]?\d+\b)', 1, ProcessCommandLine) | project TimeGenerated, ProcessCommandLine, SlipValue

DeviceProcessEvents | where InitiatingProcessFileName == "powershell.exe" | where InitiatingProcessCommandLine has_any ("Set-Date", "Adjust", "SystemTime") | extend NumericValue = extract("\\d+", 0, InitiatingProcessCommandLine) | project DeviceId, DeviceName, InitiatingProcessCommandLine, NumericValue, TimeGenerated

DeviceProcessEvents | where TimeGenerated > ago(7d) | where InitiatingProcessFileName =~ 'powershell.exe' or InitiatingProcessFileName =~ 'pwsh.exe' | where ProcessCommandLine has_any ('Set-Date', 'date', 'time', 'clock') | extend NumericValue = extract('[-+]?[0-9]+', 0, ProcessCommandLine) | where isnotempty(NumericValue) | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, NumericValue | order by Timestamp desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe") or InitiatingProcessCommandLine contains "powershell" | where ProcessCommandLine has_any ("Set-Date", "AddDays", "AddHours", "AddMinutes", "AddSeconds", "AddMonths", "AddYears") | parse kind=regex ProcessCommandLine with ".*Add(?:Days|Hours|Minutes|Seconds|Months|Years)\\(" numericValue:long "\\).*" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, numericValue | order by TimeGenerated desc

union ( DeviceProcessEvents | where ActionType =~ "ProcessCreated" | where FileName =~ "powershell.exe" // Search for commands explicitly adjusting time using Set-Date -Adjust | where ProcessCommandLine has_all ("Set-Date", "-Adjust") | extend SlippedValue = extract(@"-[Aa]djust\s+([^\s]+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, SlippedValue, ProcessCommandLine ), ( DeviceProcessEvents | where ActionType =~ "ProcessCreated" | where FileName =~ "powershell.exe" // Search for calls to time-additive methods like AddDays, AddHours, etc. | where ProcessCommandLine matches regex @"Add(?:Seconds|Minutes|Hours|Days)\([^\)]*\)" | extend SlippedValue = extract(@"Add(?:Seconds|Minutes|Hours|Days)\(([^\)]+)\)", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, SlippedValue, ProcessCommandLine ) | order by TimeGenerated desc

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Set-Date" | extend directDateNumber = extract(@"-Date\s+([+-]?\d+)", 1, ProcessCommandLine), addMethodNumber = extract(@"Add(?:Days|Hours|Minutes|Seconds)\(([+-]?\d+)\)", 1, ProcessCommandLine) | extend slipValue = coalesce(directDateNumber, addMethodNumber) | where isnotempty(slipValue) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, slipValue, ProcessCommandLine

DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine has_any ("AddDays(", "Set-Date") | extend SlipValueRaw = extract(@"\.AddDays\(\s*([+-]?\d+)\s*\)", 1, ProcessCommandLine) | extend SlipValue = toint(SlipValueRaw) | where isnotempty(SlipValue) | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, ProcessCommandLine, SlipValue | sort by TimeGenerated asc