Question Analysis

DeviceProcessEvents | where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe" | where ProcessCommandLine has "Set-Date" or InitiatingProcessCommandLine has "Set-Date" | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend ExtractedValue = extract(@'Set-Date.*?(-?\d+(\.\d+)?)', 1, CommandLine) | where isnotempty(ExtractedValue) | project Timestamp, DeviceName, CommandLine, ExtractedValue

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("set-date", "Set-Date", "date ", "time ", "w32tm", "/set", "-date") | extend SlippedValue = extract(@'(-?\d{1,5})', 1, ProcessCommandLine) | where isnotempty(SlippedValue) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, SlippedValue | order by TimeGenerated desc

DeviceProcessEvents | where FileName contains "powershell" and (ProcessCommandLine contains "date" or ProcessCommandLine contains "Set-Date" or ProcessCommandLine contains "system clock") | project DeviceName, InitiatingProcessAccountName, TimeGenerated, ProcessCommandLine, AdditionalFields | extend NumericValue = extract(@"(\d+)", 1, ProcessCommandLine) | summarize by NumericValue, ProcessCommandLine, DeviceName, InitiatingProcessAccountName, TimeGenerated | where isnotempty(NumericValue)

DeviceProcessEvents | where ProcessCommandLine contains 'Set-Date' or ProcessCommandLine contains 'set-date' // Filter for suspicious activities involving system clock adjustments | project TimeGenerated, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId | extend CommandLineLower = tolower(ProcessCommandLine) | where CommandLineLower contains 'set-date' // Attempt to extract the date value used | extend SlipValue = extract(@'([+-]?\d+\b)', 1, ProcessCommandLine) | project TimeGenerated, ProcessCommandLine, SlipValue

DeviceProcessEvents | where InitiatingProcessFileName == "powershell.exe" | where InitiatingProcessCommandLine has_any ("Set-Date", "Adjust", "SystemTime") | extend NumericValue = extract("\\d+", 0, InitiatingProcessCommandLine) | project DeviceId, DeviceName, InitiatingProcessCommandLine, NumericValue, TimeGenerated

let suspicious_ps = union isfuzzy=true ( DeviceProcessEvents | where tolower(FileName) in ("powershell.exe","pwsh.exe","powershell_ise.exe") | extend Text = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) ), ( DeviceEvents | where ActionType has "PowerShell" | extend Text = coalesce(tostring(AdditionalFields.ScriptBlockText), tostring(AdditionalFields.Command), tostring(AdditionalFields.ScriptLine), ProcessCommandLine, InitiatingProcessCommandLine) ); suspicious_ps | where Text has_any ("set-date","adddays","addhours","addminutes","addseconds","-adjust") | extend OffsetFromAdd = extract(@"(?i)Add(?:Days|Hours|Minutes|Seconds|Months)\s*\(\s*(-?\d+)\s*\)", 1, Text), UnitFromAdd = extract(@"(?i)Add(Days|Hours|Minutes|Seconds|Months)", 1, Text), DaysAdj = extract(@"(?i)-Days\s+(-?\d+)", 1, Text), HoursAdj = extract(@"(?i)-Hours\s+(-?\d+)", 1, Text), MinutesAdj = extract(@"(?i)-Minutes\s+(-?\d+)", 1, Text), SecondsAdj = extract(@"(?i)-Seconds\s+(-?\d+)", 1, Text) | extend SlipValue = toint(coalesce(OffsetFromAdd, DaysAdj, HoursAdj, MinutesAdj, SecondsAdj)), SlipUnit = coalesce(UnitFromAdd, iff(isnotempty(DaysAdj), "Days", ""), iff(isnotempty(HoursAdj), "Hours", ""), iff(isnotempty(MinutesAdj), "Minutes", ""), iff(isnotempty(SecondsAdj), "Seconds", "")) | where isnotempty(SlipValue) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, CommandText = Text, SlipUnit, SlipValue | order by TimeGenerated desc | summarize LatestTime = arg_max(TimeGenerated, *) by DeviceName, SlipUnit, SlipValue | order by LatestTime desc

union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend Cmd = strcat(tostring(ProcessCommandLine), " ", tostring(InitiatingProcessCommandLine), " ", tostring(AdditionalFields)) | where tolower(Cmd) contains "powershell" or tolower(Cmd) contains "pwsh" | where tolower(Cmd) contains "set-date" or tolower(Cmd) contains "-date" or tolower(Cmd) contains "adddays" or tolower(Cmd) contains "addmonths" or tolower(Cmd) contains "addyears" or tolower(Cmd) contains "-adjust" or tolower(Cmd) contains "w32tm" or tolower(Cmd) contains "setlocaltime" | extend Numbers = extract_all(@"(-?\d+(?:\.\d+)?)", Cmd) | where array_length(Numbers) > 0 | mv-expand Numbers to typeof(string) | extend NumericValue = todouble(Numbers) | summarize Count = count(), LastSeen = max(TimeGenerated), SampleCommand = any(Cmd) by DeviceName, NumericValue | order by LastSeen desc | project LastSeen, DeviceName, NumericValue, Count, SampleCommand

let ps_processes = DeviceProcessEvents | where (ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh") | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where cmd has_any ("Set-Date","Get-Date","AddDays","AddHours","AddMonths","-Adjust") | extend cmd_str = tostring(cmd) // capture numbers used directly in AddDays/AddHours/AddMonths(...) calls | extend addvals = extract_all(@"(?:AddDays|AddHours|AddMonths)\(\s*([-+]?\d+(?:\.\d+)?)", cmd_str) | mv-expand addvals to typeof(string) | extend number = toreal(addvals) | where isnotnull(number) | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine = cmd_str, number; let ps_deviceevents = DeviceEvents | where (ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh") | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields)) | where isnotempty(cmd) and (cmd has_any ("Set-Date","Get-Date","AddDays","AddHours","AddMonths","-Adjust")) | extend cmd_str = tostring(cmd) | extend addvals = extract_all(@"(?:AddDays|AddHours|AddMonths)\(\s*([-+]?\d+(?:\.\d+)?)", cmd_str) | mv-expand addvals to typeof(string) | extend number = toreal(addvals) | where isnotnull(number) | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine = cmd_str, number; ps_processes | union ps_deviceevents | summarize Count = count(), Examples = make_list(pack_all(), 10) by number | order by Count desc | project number, Count, ExampleEvent = Examples[0]

let ps_clock_adjustments = DeviceProcessEvents | where (tolower(InitiatingProcessFileName) endswith "powershell.exe" or tolower(InitiatingProcessCommandLine) contains "powershell") | extend CmdLine = tostring(InitiatingProcessCommandLine) | extend CmdLower = tolower(CmdLine) | where CmdLower contains "set-date" or CmdLower contains "get-date" or CmdLower contains "addhours" or CmdLower contains "addminutes" or CmdLower contains "adddays" or CmdLower contains "addseconds" | extend Hours = todouble(extract(@"addhours\(([-+]?\d+)\)", 1, CmdLower)) | extend Minutes = todouble(extract(@"addminutes\(([-+]?\d+)\)", 1, CmdLower)) | extend Seconds = todouble(extract(@"addseconds\(([-+]?\d+)\)", 1, CmdLower)) | extend Days = todouble(extract(@"adddays\(([-+]?\d+)\)", 1, CmdLower)) | extend DeltaValue = coalesce(Hours, Minutes, Seconds, Days, 0.0) | where DeltaValue != 0.0 | extend Unit = case(isnotnull(Hours), "Hours", isnotnull(Minutes), "Minutes", isnotnull(Seconds), "Seconds", isnotnull(Days), "Days", "Unknown") | project TimeGenerated, DeviceName, InitiatingProcessId, InitiatingProcessCommandLine, DeltaValue, Unit ; ps_clock_adjustments | sort by TimeGenerated desc | take 20

DeviceProcessEvents | where TimeGenerated > ago(7d) | where InitiatingProcessFileName =~ 'powershell.exe' or InitiatingProcessFileName =~ 'pwsh.exe' | where ProcessCommandLine has_any ('Set-Date', 'date', 'time', 'clock') | extend NumericValue = extract('[-+]?[0-9]+', 0, ProcessCommandLine) | where isnotempty(NumericValue) | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, NumericValue | order by Timestamp desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe") or InitiatingProcessCommandLine contains "powershell" | where ProcessCommandLine has_any ("Set-Date", "AddDays", "AddHours", "AddMinutes", "AddSeconds", "AddMonths", "AddYears") | parse kind=regex ProcessCommandLine with ".*Add(?:Days|Hours|Minutes|Seconds|Months|Years)\\(" numericValue:long "\\).*" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, numericValue | order by TimeGenerated desc

union ( DeviceProcessEvents | where ActionType =~ "ProcessCreated" | where FileName =~ "powershell.exe" // Search for commands explicitly adjusting time using Set-Date -Adjust | where ProcessCommandLine has_all ("Set-Date", "-Adjust") | extend SlippedValue = extract(@"-[Aa]djust\s+([^\s]+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, SlippedValue, ProcessCommandLine ), ( DeviceProcessEvents | where ActionType =~ "ProcessCreated" | where FileName =~ "powershell.exe" // Search for calls to time-additive methods like AddDays, AddHours, etc. | where ProcessCommandLine matches regex @"Add(?:Seconds|Minutes|Hours|Days)\([^\)]*\)" | extend SlippedValue = extract(@"Add(?:Seconds|Minutes|Hours|Days)\(([^\)]+)\)", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, SlippedValue, ProcessCommandLine ) | order by TimeGenerated desc

// Suspicious PowerShell – find the numeric delta used to move the system clock // Time range is controlled by the workbook / hunting page let TimeWindow = 14d; // <- overwritten by caller – placeholder // 1. Pull PowerShell executions that are likely to modify time or timezone let PS_TimeCmds = DeviceProcessEvents | where TimeGenerated between (ago(TimeWindow) .. now()) | where FileName =~ "powershell.exe" // Common ways to tamper with time from PowerShell // – Set-Date – (Get-Date).Add* – w32tm /config … – net time … – tzutil … | where ProcessCommandLine has_any ("Set-Date", "AddDays(", "AddHours(", "AddMinutes(", "AddSeconds(", "w32tm", "net time", "tzutil") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine; // 2. Extract the numeric value that represents the amount of time the clock is shifted. // We try several patterns that attackers use. The first one that matches wins. PS_TimeCmds | extend ShiftValue = extract(@"Add(?:Days|Hours|Minutes|Seconds)\(([-]?\d+)\)", 1, ProcessCommandLine) // (Get-Date).AddDays(5) | extend ShiftValue = iff(isnull(ShiftValue) or ShiftValue=="", extract(@"-Adjust\s+([+-]?\d+)", 1, ProcessCommandLine), ShiftValue) // w32tm /config /update /manualpeerlist:"…" -Adjust 300 | extend ShiftValue = iff(isnull(ShiftValue) or ShiftValue=="", extract(@"Set-Date.*?-Date.*?([+-]?\d{1,4})", 1, ProcessCommandLine), ShiftValue) // Set-Date -Date "(Get-Date).AddHours(-2)" | extend ShiftValue = iff(isnull(ShiftValue) or ShiftValue=="", extract(@"net\s+time.*?([+-]?\d{1,4})", 1, ProcessCommandLine), ShiftValue) // 3. Show unique values + supporting evidence | where ShiftValue != "" and ShiftValue != "-" and isnotnull(ShiftValue) | summarize Events = count() by tostring(ShiftValue) | order by Events desc

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Set-Date" | extend directDateNumber = extract(@"-Date\s+([+-]?\d+)", 1, ProcessCommandLine), addMethodNumber = extract(@"Add(?:Days|Hours|Minutes|Seconds)\(([+-]?\d+)\)", 1, ProcessCommandLine) | extend slipValue = coalesce(directDateNumber, addMethodNumber) | where isnotempty(slipValue) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, slipValue, ProcessCommandLine

DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine has_any ("AddDays(", "Set-Date") | extend SlipValueRaw = extract(@"\.AddDays\(\s*([+-]?\d+)\s*\)", 1, ProcessCommandLine) | extend SlipValue = toint(SlipValueRaw) | where isnotempty(SlipValue) | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, ProcessCommandLine, SlipValue | sort by TimeGenerated asc