Question Analysis

DeviceFileEvents | where InitiatingProcessFileName =~ "powershell.exe" | where FileName endswith ".zip" | where FolderPath contains "temp" or FolderPath contains @"AppData\Local\Temp" | distinct FileName

DeviceFileEvents | where ActionType == 'FileCreated' | where InitiatingProcessCommandLine contains 'PowerShell' and FolderPath contains 'temp' and FileName endswith '.zip' | project FileName

DeviceFileEvents | where ActionType == 'FileCreated' and FileName has '.zip' and FolderPath has 'temp' and InitiatingProcessFileName == 'powershell.exe' | project DeviceName, FileName, FolderPath, InitiatingProcessCommandLine

DeviceFileEvents | where ActionType =~ 'FileCreated' | where FileName endswith '.zip' | where FolderPath contains 'temp' | where InitiatingProcessFileName =~ 'powershell.exe' | project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessFileName =~ "powershell.exe" | where ProcessCommandLine has_any ("zip", "archive", "compress", "7zip", "tar", "compress-archive") | where ProcessCommandLine has_any ("temp", "tmp", "AppData", "Chrome", "Edge", "Firefox", "Credentials", "Passwords") | extend ZipFileName = extract(@"[\\/]?([\w\-. ]+\.zip)", 1, ProcessCommandLine) | where isnotempty(ZipFileName) | project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, ZipFileName | order by TimeGenerated desc | distinct ZipFileName

DeviceFileEvents | where ActionType == "FileCreated" and InitiatingProcessCommandLine contains "powershell" | where FileName endswith ".zip" | project FileName

let browserCredFileNames = dynamic(["Login Data","Web Data","Cookies","Local State","History","Favicons","Cookies.sqlite","key4.db","logins.json"]); // common browser credential store files let pwsh_staging = DeviceFileEvents | where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | where ActionType in ("FileCreated","FileRenamed") | where FolderPath has_any ("\\AppData\\Local\\Temp\\","\\Windows\\Temp\\","\\Temp\\","\\TMP\\") | where FileName has_any (browserCredFileNames) | project DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, StageTime=TimeGenerated, TempFolder=FolderPath, StagedFile=FileName; let candidates = pwsh_staging | summarize StagedCount=dcount(StagedFile), FirstStage=min(StageTime), LastStage=max(StageTime), any(TempFolder) by DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessCreationTime | where StagedCount >= 2; // ensure multiple browser credential files were staged DeviceFileEvents | where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | where ActionType in ("FileCreated","FileRenamed") | where FileName endswith ".zip" | where FolderPath has_any ("\\AppData\\Local\\Temp\\","\\Windows\\Temp\\","\\Temp\\","\\TMP\\") | project DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, ZipTime=TimeGenerated, ZipFolderPath=FolderPath, ZipFileName=FileName | join kind=innerunique (candidates) on DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessCreationTime | where ZipTime >= FirstStage and ZipTime <= LastStage + 4h | project Time=ZipTime, DeviceName, ZipFileName, ZipFolderPath | order by Time desc

union DeviceFileEvents, DeviceEvents, DeviceProcessEvents | extend Cmd = tolower(coalesce(InitiatingProcessCommandLine, ProcessCommandLine, tostring(AdditionalFields.CommandLine), "")) | extend InitiProc = tolower(coalesce(InitiatingProcessFileName, FileName, "")) | extend ObservedPath = strcat(tolower(coalesce(FolderPath, "")), " ", tolower(coalesce(FileName, PreviousFileName, ""))) // Filter for PowerShell as the creator/initiator | where Cmd contains "powershell" or InitiProc contains "powershell" // Only consider records that reference or created ZIPs | where Cmd contains ".zip" or ObservedPath contains ".zip" // Limit to activity likely targeting browser credentials/profiles | where Cmd has_any ("login data","cookies","web data","chrome","edge","firefox","key4.db","logins.json","profile","user data") // Try to extract a .zip filename from the command line or observed path | extend CmdZip = extract("([A-Za-z0-9_\\-\\.]+\\.zip)", 1, Cmd) | extend ObservedZip = extract("([A-Za-z0-9_\\-\\.]+\\.zip)", 1, ObservedPath) | extend ZipFileName = tostring(coalesce(CmdZip, ObservedZip, FileName)) | where isnotempty(ZipFileName) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ZipFileName, ZipPath = coalesce(CmdZip, ObservedZip), DeviceName, InitiatingProcessAccountName, InitiProc | order by LastSeen desc | project ZipFileName, ZipPath, Count, DeviceName, InitiatingProcessAccountName, InitiProc, FirstSeen, LastSeen

// Find PowerShell processes that reference browser credential files and temp folders and/or use archive commands let browserIndicators = dynamic(["login data","logindata","logins.json","key4.db","cookies","web data","local state","chrome","chromium","edge","firefox","login-","logins","logins-backup","Login Data","LoginData","logins.json"]); let tempIndicators = dynamic(["%temp%","$env:temp","\\temp\\","\\AppData\\Local\\Temp","\\Local Settings\\Temp","/tmp/","/temp/"]); let archiveExtPattern = @"([\\w\- \\\.]+\\.(zip|7z|rar|tar|gz))"; // Candidate PowerShell process events let procCandidates = DeviceProcessEvents | where ( tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" or tolower(InitiatingProcessFileName) has_any ("powershell.exe","pwsh.exe") or tolower(InitiatingProcessCommandLine) contains "powershell" ) // include typical copy/archive verbs or indicators of zipping | where ProcessCommandLine has_any ("compress-archive","Compress-Archive","Copy-Item","copy-item","Move-Item","move-item","xcopy","robocopy","7z","zip.exe","tar","Expand-Archive","Add-Type","System.IO.Compression","New-Object","Ionic.Zip","Out-File","Set-Content") // require references to either temp paths or browser credential files | where (ProcessCommandLine has_any (tempIndicators) or ProcessCommandLine has_any (browserIndicators)) | extend ProcTime = TimeGenerated | project ProcTime, DeviceName, AccountName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName ; // Archive file events written to temp locations let fileArchives = DeviceFileEvents | where FolderPath has_any (tempIndicators) or FileName has_any (".zip",".7z",".rar",".tar",".gz") | where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar" or FileName endswith ".tar" or FileName endswith ".gz" | extend ArchiveTime = Timestamp | project ArchiveTime, DeviceName, ArchiveFile = FileName, ArchiveFolder = FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, RequestAccountName ; // Correlate processes and file archive events on the same device within a 10-minute window procCandidates | join kind=leftouter (fileArchives) on DeviceName | where isnotempty(ArchiveTime) and abs(datetime_diff('second', ProcTime, ArchiveTime)) <= 600 // ensure PowerShell is initiating or present in the related commandline | where tolower(coalesce(InitiatingProcessFileName, "")) contains "powershell" or tolower(coalesce(InitiatingProcessCommandLine, "")) contains "powershell" or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" | extend ExtractedFromCmd = extract(archiveExtPattern, 1, ProcessCommandLine) | extend ArchiveFileName = tostring(coalesce(ArchiveFile, ExtractedFromCmd)) | where isnotempty(ArchiveFileName) | project DeviceName, Account = coalesce(AccountName, RequestAccountName, InitiatingProcessAccountName), ProcTime, ProcessCommandLine, ArchiveTime, ArchiveFileName, ArchiveFolder, InitiatingProcessFileName, InitiatingProcessCommandLine | summarize arg_max(ArchiveTime, *) by DeviceName, ArchiveFileName | order by ArchiveTime desc | take 200 // Fallback: direct file events where PowerShell is the initiator writing an archive into temp | union ( DeviceFileEvents | where FolderPath has_any (tempIndicators) | where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar" or FileName endswith ".tar" or FileName endswith ".gz" | where tolower(InitiatingProcessFileName) has_any ("powershell.exe","pwsh.exe") or tolower(InitiatingProcessCommandLine) contains "powershell" | extend ArchiveTime = Timestamp, ArchiveFileName = FileName | project DeviceName, Account = RequestAccountName, ProcTime = ArchiveTime, ProcessCommandLine = InitiatingProcessCommandLine, ArchiveTime, ArchiveFileName, ArchiveFolder = FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine ) | summarize arg_max(ArchiveTime, *) by DeviceName, ArchiveFileName | order by ArchiveTime desc | take 200

let _timeRange = 7d; DeviceFileEvents | where TimeGenerated >= ago(_timeRange) | where tolower(FileName) endswith ".zip" | where FolderPath contains "Temp" | where tolower(InitiatingProcessCommandLine) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "pwsh" or tolower(InitiatingProcessCommandLine) contains "compress-archive" | extend ZipPath = strcat(FolderPath, FileName) | project TimeGenerated, ZipPath, FolderPath, FileName, InitiatingProcessCommandLine | sort by TimeGenerated desc | take 1

DeviceFileEvents | where InitiatingProcessFileName has_any ("powershell.exe","pwsh.exe","pwsh") or InitiatingProcessCommandLine has_any ("powershell","pwsh") | where tolower(FolderPath) contains "temp" or tolower(FolderPath) contains "tmp" | extend ZipNameLower = tolower(FileName) | where ZipNameLower endswith ".zip" | extend ZipPath = strcat(FolderPath, "\\", FileName) | project TimeGenerated, DeviceName, InitiatingProcessFileName, ZipName = FileName, ZipPath, FolderPath, FileName | distinct ZipPath, ZipName

DeviceFileEvents | where TimeGenerated > ago(7d) | where InitiatingProcessFileName =~ 'powershell.exe' | where ActionType == 'FileCreated' | where FileName endswith '.zip' | where FolderPath contains 'temp' or FolderPath contains 'tmp' | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine | order by Timestamp desc

DeviceFileEvents | where InitiatingProcessFileName == "powershell.exe" | where ActionType == "FileCreated" | where FolderPath contains "Temp" | where FileName endswith ".zip" | project FileName, FolderPath, Timestamp | summarize arg_max(Timestamp, *) by FileName

DeviceFileEvents | where ActionType == "FileCreated" | where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine has "powershell" | where FileName endswith ".zip" | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceFileEvents | where InitiatingProcessFileName =~ "powershell.exe" | where ActionType == "FileCreated" | where FolderPath contains "temp" | where FileName endswith ".zip" | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain | order by TimeGenerated desc

// PowerShell created a ZIP archive in a Temp folder – find the ZIP name DeviceFileEvents | where ActionType == "FileCreated" // new file on disk | where FileName endswith ".zip" // archive file | where FolderPath has "Temp" // typically %TEMP% or AppData\Local\Temp | where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe") // created by PowerShell // optional extra assurance that it was a Compress-Archive operation //| where InitiatingProcessCommandLine contains "Compress-Archive" or InitiatingProcessCommandLine contains "Add-Type" | project TimeGenerated, DeviceName, ZipFileName = FileName, ZipFolderPath = FolderPath, FullZipPath = strcat(FolderPath, "\\", FileName), InitiatingProcessCommandLine | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Events = count() by DeviceName, FullZipPath, ZipFileName, InitiatingProcessCommandLine | sort by LastSeen desc // If you only want the single most recent ZIP across the estate, take the first row: //| take 1

DeviceFileEvents | where FileName endswith ".zip" | where tolower(FolderPath) contains "temp" | where tolower(InitiatingProcessFileName) == "powershell.exe" | project TimeGenerated, FileName, FolderPath, InitiatingProcessCommandLine | order by TimeGenerated desc

// First, capture PowerShell processes that ran Compress-Archive targeting a .zip let psCompress = DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine has "Compress-Archive" | where ProcessCommandLine contains ".zip" | project DeviceId, InitiatingProcessId = ProcessId; // Then find the matching file events for .zip files created by those PowerShell processes DeviceFileEvents | where InitiatingProcessFileName == "powershell.exe" | where FileName endswith ".zip" | join kind=inner psCompress on DeviceId, InitiatingProcessId | distinct FileName | project ZipFileName = FileName