Question Analysis

DeviceProcessEvents | where InitiatingProcessFileName == "powershell.exe" | where ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Win32_PnPEntity" | project InitiatingProcessCommandLine, InitiatingProcessFileName, DeviceName, ProcessCreationTime

let targetRegex = @"(?i)\b(Get-?WmiObject|gwmi|Get-?CimInstance|gcim|Get-?PnpDevice|Get-?PnpDeviceProperty)\b"; union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | extend CommandLine = coalesce(tostring(ProcessCommandLine), tostring(InitiatingProcessCommandLine), ""), ProcFile = tolower(coalesce(tostring(FileName), tostring(InitiatingProcessFileName), tostring(ProcessVersionInfoOriginalFileName), "")) // Focus on PowerShell processes to reduce noise | where ProcFile contains "powershell" or ProcFile contains "pwsh" // Require presence of PnP/WMI/CIM keywords in the command line | where CommandLine has_any ("Win32_PnPEntity","PnPDevice","PnPEntity","PnP","Get-WmiObject","gwmi","Get-CimInstance","gcim","Get-PnpDevice","Get-PnpDeviceProperty") // Extract the invoked cmdlet if present | extend MatchedCmdlet = extract(targetRegex, 1, CommandLine) | extend MatchedCmdlet = case(isnotempty(MatchedCmdlet), MatchedCmdlet, CommandLine has "Win32_PnPEntity", "Win32_PnPEntity", "(unknown)") // Aggregate to answer which cmdlet(s) performed the hardware inventory | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCommand = any(CommandLine), ExampleDevice = any(DeviceName) by MatchedCmdlet | order by LastSeen desc

// Find PowerShell activity enumerating PnP entities via WMI let wmiIndicators = dynamic(["Get-WmiObject","Get-CimInstance","Win32_PnPEntity","Win32_PnPDevice","PNPEntity","Win32_PnPEntity","Win32_PnPDevice","SELECT * FROM Win32_PnPEntity","Get-CimInstance -ClassName Win32_PnPEntity"]); // Search DeviceProcessEvents for PowerShell processes and DeviceEvents for process creations invoking PowerShell let psProcesses = ( DeviceProcessEvents | where ProcessCommandLine has "powershell" or ProcessCommandLine has "pwsh" or ProcessCommandLine has "PowerShell" or ProcessCommandLine has "pwsh.exe" | where array_length(wmiIndicators) > 0 | extend cmdline_lc = tolower(ProcessCommandLine) | where cmdline_lc has "get-wmiobject" or cmdline_lc has "get-ciminstance" or cmdline_lc has "win32_pnpentity" or cmdline_lc has "win32_pnpdevice" or cmdline_lc has "win32_pnp" | extend InvokedCmdlet = case( cmdline_lc has "get-wmiobject","Get-WmiObject", cmdline_lc has "get-ciminstance","Get-CimInstance", cmdline_lc has "gwmi","Get-WmiObject", cmdline_lc has "gcim","Get-CimInstance", "Other" ) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine, InvokedCmdlet ); let psFromDeviceEvents = ( DeviceEvents | where ProcessCommandLine has "powershell" or ProcessCommandLine has "pwsh" or ProcessCommandLine has "PowerShell" or ProcessCommandLine has "pwsh.exe" | extend cmdline_lc = tolower(ProcessCommandLine) | where cmdline_lc has "get-wmiobject" or cmdline_lc has "get-ciminstance" or cmdline_lc has "win32_pnpentity" or cmdline_lc has "win32_pnpdevice" or cmdline_lc has "win32_pnp" | extend InvokedCmdlet = case( cmdline_lc has "get-wmiobject","Get-WmiObject", cmdline_lc has "get-ciminstance","Get-CimInstance", cmdline_lc has "gwmi","Get-WmiObject", cmdline_lc has "gcim","Get-CimInstance", "Other" ) | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, InvokedCmdlet ); psProcesses | union psFromDeviceEvents | summarize Count = count(), SampleCommandLines = make_set(ProcessCommandLine, 5) by InvokedCmdlet | order by Count desc | project InvokedCmdlet, Count, SampleCommandLines

let wmi_cmds_regex = @"(?i)\b(get-wmiobject|get-ciminstance|invoke-cimmethod|get-pnpdevice|get-pnpdeviceproperty|new-object\s+system.management.managementobjectsearcher|\[wmiclass\])\b"; let wmi_classes_regex = @"(?i)\b(Win32_PnPEntity|Win32_PnPDevice|Win32_USBControllerDevice|Win32_PnPAllocatedResource|Win32_PnPSignedDriver|Win32_USBHub)\b"; let proc_matches = DeviceProcessEvents | where (tolower(FileName) has "powershell" or tolower(InitiatingProcessFileName) has "powershell") or ProcessCommandLine matches regex wmi_cmds_regex or ProcessCommandLine matches regex wmi_classes_regex | extend MatchedCmdlet = extract(wmi_cmds_regex, 1, ProcessCommandLine) | extend MatchedClass = extract(wmi_classes_regex, 1, ProcessCommandLine) | extend Detected = tostring(coalesce(MatchedCmdlet, MatchedClass, "Unknown")) | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, Detected; let event_matches = DeviceEvents | where (tolower(FileName) has "powershell" or tolower(InitiatingProcessFileName) has "powershell") or ProcessCommandLine matches regex wmi_cmds_regex or ProcessCommandLine matches regex wmi_classes_regex or tostring(AdditionalFields) matches regex wmi_cmds_regex | extend MatchedCmdlet = extract(wmi_cmds_regex, 1, ProcessCommandLine) | extend MatchedClass = extract(wmi_classes_regex, 1, ProcessCommandLine) | extend MatchedInAdditional = extract(wmi_cmds_regex, 1, tostring(AdditionalFields)) | extend Detected = tostring(coalesce(MatchedCmdlet, MatchedClass, MatchedInAdditional, "Unknown")) | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, Detected; proc_matches | union event_matches | where Detected != "Unknown" | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Examples = make_set(ProcessCommandLine, 5) by Detected, DeviceName, Account | order by LastSeen desc | take 200