Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Get-Process", "debugger", "windbg", "ollydbg", "x64dbg", "ida", "process") // Added "process" as a more general term | distinct InitiatingProcessFileName, InitiatingProcessCommandLine | project InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName has "powershell" | where ProcessCommandLine has_any ("debugger", "debug", "attach") | project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated | sort by TimeGenerated desc

let pattern = @"(?i)(isdebuggerpresent|isdebuggerpresent\(\)|debugger(attached)?|checkdebugger|ntqueryinformationprocess|debugactiveprocess|enumeratedebuggers|get-process|get-module|get-childitem|get-wmiobject|get-ciminstance|\-executionpolicy\s*bypass|\-noprofile)"; // Search DeviceProcessEvents and DeviceEvents for PowerShell commands that mention debugger-related keywords ( DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d))..now()) | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "") | where tolower(CmdLine) has_any ("powershell","pwsh","powershell.exe","powershell_ise") | where CmdLine matches regex pattern | project TimeGenerated, DeviceName, Table = "DeviceProcessEvents", ProcessId, ProcessFileName = FileName, ProcessCommandLine = CmdLine, InitiatingProcessFileName, InitiatingProcessId ) | union ( DeviceEvents | where TimeGenerated between (startofday(ago(7d))..now()) | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "") | where tolower(CmdLine) has_any ("powershell","pwsh","powershell.exe","powershell_ise") | where CmdLine matches regex pattern | project TimeGenerated, DeviceName, Table = "DeviceEvents", ProcessId, ProcessFileName = FileName, ProcessCommandLine = CmdLine, InitiatingProcessFileName, InitiatingProcessId ) | summarize Hits = count(), AnyProcessCommandLine = any(ProcessCommandLine), AnyInitiatingProcessCommandLine = any(InitiatingProcessFileName) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, ProcessFileName, ProcessId | order by Hits desc | take 50

let indicators = dynamic(["isdebuggerpresent","checkremotedebuggerpresent","get-process","get-module","windbg","x64dbg","olly","ida","ida64","cheatengine","frida","dbg","debugger"]); union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | where (tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell") | where ( (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has_any (indicators)) or (isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) has_any (indicators)) ) | project TimeGenerated, DeviceName, ProcessFileName = FileName, ProcessCommandLine, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ProcessFileName, ProcessCommandLine | order by Count desc | top 50 by Count

// Find PowerShell executions that check for debugger/processes and show which tool/process initiated them let suspiciousPS = DeviceProcessEvents | where FileName has_cs "powershell" or ProcessCommandLine has_cs "powershell" // look for common debugger-check keywords in the command line | where ProcessCommandLine has_any ("Get-Process", "-Name Debug", "Debugger", "Get-WmiObject", "Get-CimInstance", "IsDebuggerPresent", "-match 'debug'", "Where-Object", "Get-ItemProperty" , "-and $_.Debugger", "Wow64" ) | project TimeGenerated, DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain ; // Also search DeviceEvents for PowerShell actions with suspicious command lines (fallback) let ev = DeviceEvents | where FileName has_cs "powershell" or ProcessCommandLine has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" or InitiatingProcessCommandLine has_cs "powershell" | where ProcessCommandLine has_any ("Get-Process", "Debugger", "Get-WmiObject", "Get-CimInstance", "IsDebuggerPresent", "Where-Object", "-match 'debug'", "-Name Debug") | project TimeGenerated, DeviceId, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain ; // Union and show initiating process details (tool that carried out the check) union suspiciousPS, ev | where isnotempty(InitiatingProcessFileName) or isnotempty(InitiatingProcessCommandLine) | extend Initiator = coalesce(InitiatingProcessFileName, tostring(split(InitiatingProcessCommandLine, ' ')[0])) | summarize count() , any(InitiatingProcessAccountName), any(InitiatingProcessAccountDomain), any(InitiatingProcessId), any(InitiatingProcessCommandLine) by Initiator, DeviceName, DeviceId | order by count_ desc | take 50

DeviceProcessEvents | where FileName in ("powershell.exe","pwsh.exe") | where isnotempty(InitiatingProcessFileName) | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine | summarize by InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName | order by DeviceName asc | take 50

DeviceProcessEvents | where TimeGenerated > ago(7d) | where InitiatingProcessFileName contains 'powershell' | where ProcessCommandLine contains 'debugger' | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName | order by Timestamp desc

DeviceProcessEvents | where InitiatingProcessFileName =~ "powershell.exe" | project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc | take 10

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("debugger", "Get-Process", "windbg", "debug") | project TimeGenerated, DeviceName, DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessVersionInfoCompanyName | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe") | where ProcessCommandLine has_any ("debug", "debugger") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

let debugger_keywords = dynamic(["dbg","debug","windbg","x32dbg","x64dbg","ollydbg","ida","dnSpy","devenv","vsjitdebugger","gflags"]); DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") // PowerShell commands that try to find debugger processes | where ProcessCommandLine has_any (debugger_keywords) or ProcessCommandLine matches regex @"(?i)Get-Process.*dbg" or ProcessCommandLine matches regex @"(?i)tasklist.*dbg" | project TimeGenerated, DeviceName, PowerShellCommand = ProcessCommandLine, InitiatingTool = InitiatingProcessFileName, InitiatingToolPath = InitiatingProcessFolderPath, InitiatingToolCmd = InitiatingProcessCommandLine | summarize FirstSeen=min(TimeGenerated), LastSeen = max(TimeGenerated), Executions=count() by DeviceName, InitiatingTool, InitiatingToolPath, InitiatingToolCmd | order by Executions desc

union withsource=EventSource DeviceProcessEvents, DeviceEvents | where FileName =~ "powershell.exe" | extend PS_CmdLine = tolower(tostring(ProcessCommandLine)), Init_CmdLine = tolower(tostring(InitiatingProcessCommandLine)) // Look for mentions of debug in either the PowerShell process or its initiator's command line | where PS_CmdLine contains "debug" or Init_CmdLine contains "debug" // Summarize by the initiating process name, which is the tool that launched PowerShell | summarize EventCount = count() by InitiatingProcessFileName, EventSource | order by EventCount desc

// 1) Find PowerShell instances invoking debugger checks let psDebugChecks = DeviceProcessEvents | where FileName == "powershell.exe" // look for debugger‐related keywords in the PS command line | where ProcessCommandLine has_any ("Debugger", "-Debug", "Test-ProcessDebugger") | project TimeGenerated, DeviceName, PsProcessId = ProcessId, ParentProcessId = InitiatingProcessParentId, PsCommandLine = ProcessCommandLine; // 2) Lookup parent process details let parentInfo = DeviceProcessEvents | project ParentProcessId = ProcessId, ParentFileName = FileName, ParentCommandLine = ProcessCommandLine; // 3) Join and summarize unique parent tools psDebugChecks | join kind=leftouter parentInfo on ParentProcessId | project TimeGenerated, DeviceName, ParentFileName, ParentCommandLine, PsCommandLine | distinct ParentFileName, ParentCommandLine | order by ParentFileName