Question Analysis

DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine has_any ("Win32_Group", "Get-LocalGroup", "wmic group") | project Timestamp, DeviceName, ProcessCommandLine

DeviceProcessEvents | where FileName has 'powershell.exe' or FileName has 'pwsh.exe' | where ProcessCommandLine has 'Get-WmiObject' and (ProcessCommandLine has 'Win32_Group' or ProcessCommandLine has 'Win32_GroupUser') | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "powershell") | where ProcessCommandLine has_any ("Get-WmiObject Win32_Group", "gwmi win32_group", "wmic group", "Get-CimInstance Win32_Group", "Get-WmiObject -Class Win32_Group") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine

DeviceProcessEvents | where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine matches regex "(?i)\bps\b" | where ProcessCommandLine has "get-wmiobject" and ProcessCommandLine has "win32_group" | extend Account = tostring(split(AccountName,'@',0)[0]),AccountDomain = tostring(split(AccountName,'@',1)[0]) | where Account != "NT AUTHORITY" and Account != "Window Manager" and Account != "DWM-1" and Account != "UMFD-0" and Account != "AUTORUN" | extend Name = tostring(split(AccountName,'@',0)[0]), UPNSuffix = tostring(split(AccountName,'@',1)[0]) | project-reorder TimeGenerated,AccountName,FileName,ProcessCommandLine,InitiatingProcessCommandLine | extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, FileHashCustomEntity = SHA256

DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" | where ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Win32_Group" or ProcessCommandLine contains "LocalGroup" | project DeviceName, InitiatingProcessAccountName, ProcessCreationTime, ProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName == "powershell.exe" and isnotempty(ProcessCommandLine) and (ProcessCommandLine has "Get-WmiObject" or ProcessCommandLine has "wmic") and (ProcessCommandLine has "localgroup" or ProcessCommandLine has "group") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

let psNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let wmi_cmd_patterns = dynamic(["get-wmiobject","gwmi","get-ciminstance","wmic"]); let group_patterns = dynamic(["win32_group","win32_groupuser","associators of {win32_group","wmic group","wmic path win32_group","wmic path win32_groupuser"]); DeviceProcessEvents | where FileName in~ (psNames) | extend Encoded = extract(@"(?i)-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine) | extend Decoded = iff(isnotempty(Encoded), base64_decode_tostring(Encoded), "") | extend SearchText = tolower(strcat(ProcessCommandLine, " ", Decoded)) | where SearchText has_any (wmi_cmd_patterns) | where SearchText has_any (group_patterns) or SearchText matches regex @"wmic\s+group(\s|$)" | extend ExecutedCommand = iff(isnotempty(Decoded), Decoded, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessId, ExecutedCommand, InitiatingProcessParentFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

// Search for PowerShell/WMIC activity indicative of local group enumeration via WMI let searchPatterns = dynamic(["get-wmiobject","get-ciminstance","gwmi","win32_groupuser","win32_group","\\\\win32_group","groupuser","wmic","net localgroup","get-localgroup","get-localgroupmember","directoryservices","winnt","samaccount","invoke-wmimethod","__relpath"]); // DeviceProcessEvents (detailed process data) let dpe = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where tolower(FileName) has_any ("powershell","pwsh","wmic","cmd","cscript","wscript") | where tolower(ProcessCommandLine) has_any (searchPatterns) | extend MatchedPattern = extract("(?i)(Get-WmiObject|Get-CimInstance|gwmi|Win32_GroupUser|Win32_Group|wmic|net localgroup|Get-LocalGroup|Get-LocalGroupMember|Invoke-WmiMethod|__RELPATH)", 1, ProcessCommandLine) | project TimeGenerated, Time = TimeGenerated, DeviceName, FileName, ProcessId, AccountName, AccountDomain, ProcessCommandLine, MatchedPattern, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime; // DeviceEvents (some deployments surface process execs here) let de = DeviceEvents | where isnotempty(ProcessCommandLine) | where tolower(FileName) has_any ("powershell","pwsh","wmic","cmd","cscript","wscript") | where tolower(ProcessCommandLine) has_any (searchPatterns) | extend MatchedPattern = extract("(?i)(Get-WmiObject|Get-CimInstance|gwmi|Win32_GroupUser|Win32_Group|wmic|net localgroup|Get-LocalGroup|Get-LocalGroupMember|Invoke-WmiMethod|__RELPATH)", 1, ProcessCommandLine) | project TimeGenerated, Time = TimeGenerated, DeviceName, FileName, ProcessId, AccountName, AccountDomain, ProcessCommandLine, MatchedPattern, InitiatingProcessFileName, InitiatingProcessCommandLine; union dpe, de | sort by Time desc | take 500

let wmiKeywords = dynamic(["Get-WmiObject","Get-CimInstance","Win32_Group","Win32_GroupUser","Win32_UserAccount","GroupComponent","associators of","Select-Object Name, *Group*","Get-LocalGroup","Get-LocalGroupMember","Net localgroup","wmic","Win32_Group.Name","Win32_UserAccount.Name","WHERE Name"]);let psBins = dynamic(["powershell.exe","pwsh.exe","pwsh","powershell_ise.exe","powershell" ]); // DeviceProcessEvents (preferred) let dpe = DeviceProcessEvents | where TimeGenerated >= ago(7d) | where FileName has_any (psBins) or ProcessCommandLine has_any (wmiKeywords) or ProcessCommandLine has_any (psBins) | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_any (wmiKeywords) or FileName has_any (psBins) | extend CommandLine = ProcessCommandLine, SourceTable = "DeviceProcessEvents" | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, InitiatingProcess = InitiatingProcessFileName, InitiatingProcessId = InitiatingProcessId, CommandLine, SourceTable; // DeviceEvents (broader) let de = DeviceEvents | where TimeGenerated >= ago(7d) | where FileName has_any (psBins) or ProcessCommandLine has_any (wmiKeywords) or tostring(AdditionalFields.CommandLine) has_any (wmiKeywords) | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine)) | where isnotempty(CommandLine) | extend SourceTable = "DeviceEvents" | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, InitiatingProcess = InitiatingProcessFileName, InitiatingProcessId = InitiatingProcessId, CommandLine, SourceTable; union dpe, de | where CommandLine has_any (wmiKeywords) or (FileName has_any (psBins) and CommandLine has "Get-") // If encoded command is present, still include if WMI keywords present; otherwise exclude -encodedcommand to show readable commands | where not(CommandLine has "-encodedcommand") or CommandLine has_any (wmiKeywords) | order by TimeGenerated desc | distinct TimeGenerated, DeviceName, AccountName, FileName, ProcessId, InitiatingProcess, InitiatingProcessId, CommandLine, SourceTable | top 100 by TimeGenerated

let Lookback = 1d; DeviceProcessEvents | where TimeGenerated >= ago(Lookback) | where (tolower(InitiatingProcessFileName) contains "powershell" or tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell") | where (tolower(ProcessCommandLine) contains "get-wmiobject" or tolower(ProcessCommandLine) contains "gwmi" or tolower(ProcessCommandLine) contains "get-ciminstance" or tolower(InitiatingProcessCommandLine) contains "get-wmiobject" or tolower(InitiatingProcessCommandLine) contains "gwmi" or tolower(InitiatingProcessCommandLine) contains "get-ciminstance") | where (tolower(ProcessCommandLine) contains "win32_group" or tolower(ProcessCommandLine) contains "win32_groupuser" or tolower(InitiatingProcessCommandLine) contains "win32_group" or tolower(InitiatingProcessCommandLine) contains "win32_groupuser") | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, InitiatingProcessFileName, InitiatingProcessId, ProcessId

DeviceProcessEvents | where InitiatingProcessCommandLine has_any ("powershell","PowerShell","pwsh","Pwsh") or ProcessCommandLine has_any ("powershell","PowerShell","pwsh","Pwsh") | where ( (ProcessCommandLine has_any ("Get-WmiObject","gwmi","Get-CimInstance") or InitiatingProcessCommandLine has_any ("Get-WmiObject","gwmi","Get-CimInstance")) and ( ProcessCommandLine has_any ("Win32_Group","Win32_GroupUser") or InitiatingProcessCommandLine has_any ("Win32_Group","Win32_GroupUser") ) ) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, InitiatingProcessFileName, InitiatingProcessId, ProcessId | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where InitiatingProcessFileName in ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine contains 'Get-WmiObject' or ProcessCommandLine contains 'Win32_Group' or ProcessCommandLine contains 'group' or ProcessCommandLine contains 'wmi' | project DeviceName, AccountName, ProcessCommandLine, Timestamp | order by Timestamp desc

DeviceProcessEvents | where FileName =~ 'powershell.exe' | where ProcessCommandLine contains 'Get-WmiObject' and ProcessCommandLine contains 'Win32_Group' | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc | limit 100

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("Get-WmiObject", "gwmi") | where ProcessCommandLine has "Win32_Group" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Win32_Group", "Win32_GroupUser") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance", "gcim") | where ProcessCommandLine has "Win32_Group" // optional: only keep process creation records (not thread injection etc.) | where ActionType == "ProcessCreated" | project TimeGenerated, DeviceName, AccountDomain, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessCommandLine, SHA256 | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ((tolower(InitiatingProcessCommandLine) has "get-wmiobject") or (tolower(ProcessCommandLine) has "get-wmiobject")) and ((tolower(InitiatingProcessCommandLine) has "win32_group") or (tolower(ProcessCommandLine) has "win32_group")) | project TimeGenerated, DeviceName, ExactCommand = iif(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine) | sort by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents | extend PSCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine, tostring(AdditionalFields.CommandLine)) | where tolower(PSCommand) contains "powershell" | where tolower(PSCommand) contains "win32_group" and (tolower(PSCommand) contains "get-wmiobject" or tolower(PSCommand) contains "gwmi") | project TimeGenerated, DeviceName, AccountName, PSCommand | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "powershell" | where ProcessCommandLine has_any ("Win32_Group", "Get-WmiObject", "Invoke-WmiMethod", "wmic group") | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine | sort by TimeGenerated desc