Question Analysis

DeviceProcessEvents | where FileName in~ ("wmic.exe", "powershell.exe", "net.exe", "fsutil.exe") | where (FileName =~ "wmic.exe" and ProcessCommandLine contains "logicaldisk get caption") or (FileName =~ "powershell.exe" and ProcessCommandLine contains "Get-PSDrive" and ProcessCommandLine contains "FileSystem") or (FileName =~ "net.exe" and ProcessCommandLine contains "use") or (FileName =~ "fsutil.exe" and ProcessCommandLine contains "fsinfo drives") | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

DeviceProcessEvents | where ProcessCommandLine contains 'net use' or ProcessCommandLine contains 'wmic logicaldisk list' | project ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where (ProcessCommandLine has 'diskpart' and (ProcessCommandLine has_any('list', 'volume', 'disk'))) or (ProcessCommandLine has 'wmic' and (ProcessCommandLine has 'logicaldisk' or ProcessCommandLine has 'volume')) or (ProcessCommandLine has 'net' and ProcessCommandLine has 'use') | project DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeGenerated

DeviceProcessEvents | where FileName in~ ("wmic.exe", "diskpart.exe", "mountvol.exe", "fsutil.exe", "cmd.exe", "powershell.exe") | where ProcessCommandLine has_any ("logicaldisk", "list disk", "list volume", "mountvol", "fsutil", "drives", "get-psdrive") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where Timestamp > ago(7d) | where (FileName == "net.exe" or FileName == "net1.exe") | extend cmd = tostring(split(ProcessCommandLine, "/")[0]) | where cmd contains "use" | project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FileName, InitiatingProcessAccountDomain | extend Account = strcat(InitiatingProcessAccountDomain, "/", InitiatingProcessAccountName)

DeviceProcessEvents | where ProcessCommandLine has_any ("mountvol", "net use", "wmic logicaldisk", "fsutil fsinfo drives") or FileName has_any ("mountvol.exe", "net.exe", "wmic.exe", "fsutil.exe") | extend Utility = case( FileName has "mountvol", "mountvol", FileName has "net", "net", FileName has "wmic", "wmic", FileName has "fsutil", "fsutil", "Other" ) | summarize Count = count(), Earliest = min(TimeGenerated), Latest = max(TimeGenerated) by Utility | where Utility != "Other"

DeviceProcessEvents | where FileName in ("cmd.exe", "powershell.exe", "wmic.exe", "diskpart.exe") | where isnotempty(ProcessCommandLine) and (ProcessCommandLine has_any ("list", "select", "disk", "volume", "get", "drive")) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

let patterns = datatable(Tool:string, Proc:string, CmdSubstr:string) [ "WMIC LogicalDisk","wmic.exe","logicaldisk", "WMIC LogicalDisk (get)","wmic.exe","logicaldisk get", "WMIC Volume","wmic.exe","volume get", "FSUTIL FSINFO DRIVES","fsutil.exe","fsinfo drives", "NET USE","net.exe"," use", "MOUNTVOL","mountvol.exe","mountvol", "DISKPART list volume","diskpart.exe","list volume", "DISKPART list disk","diskpart.exe","list disk", "PowerShell Get-PSDrive","powershell.exe","get-psdrive", "PowerShell Get-PSDrive (FileSystem)","powershell.exe","-psprovider filesystem", "PowerShell Get-Volume","powershell.exe","get-volume", "PowerShell Win32_LogicalDisk (WMI)","powershell.exe","win32_logicaldisk", "PowerShell Get-CimInstance LogicalDisk","powershell.exe","get-ciminstance", "PowerShell Get-Disk","powershell.exe","get-disk", "PowerShell Get-Partition","powershell.exe","get-partition", "pwsh Get-PSDrive","pwsh.exe","get-psdrive" ]; DeviceProcessEvents | extend proc = tolower(FileName), cmd = tolower(ProcessCommandLine) | where proc in ("wmic.exe","fsutil.exe","net.exe","mountvol.exe","diskpart.exe","powershell.exe","pwsh.exe") | join kind=inner ( patterns | extend proc = tolower(Proc), patt = tolower(CmdSubstr) | project Tool, proc, patt ) on proc | where cmd has patt | project TimeGenerated, DeviceName, AccountDomain, AccountName, Tool, FileName=proc, ProcessCommandLine | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count(), ExampleCommand=any(ProcessCommandLine) by Tool, DeviceName | order by LastSeen desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend cmd = tolower(tostring(ProcessCommandLine)), fname = tolower(tostring(FileName)) // Find likely drive-enumeration activity by keywords or executable names | where ( cmd contains "wmic logicaldisk" or cmd contains "wmic" or cmd contains "get-psdrive" or cmd contains "get-volume" or cmd contains "get-partition" or cmd contains "get-disk" or (cmd contains "get-ciminstance" and cmd contains "logicaldisk") or (cmd contains "get-wmiobject" and cmd contains "logicaldisk") or cmd contains "win32_logicaldisk" or cmd contains "fsutil" or cmd contains "fsinfo" or cmd contains "diskpart" or cmd contains "list volume" or cmd contains "list disk" or cmd contains "mountvol" or cmd contains "net use" or cmd contains "net view" or cmd contains "net share" or fname in ("wmic.exe","fsutil.exe","diskpart.exe","mountvol.exe","net.exe","powershell.exe","pwsh.exe") or fname contains "powershell" or fname contains "pwsh" ) | extend matched_utility = case( cmd contains "wmic" or fname contains "wmic.exe", "wmic", cmd contains "get-psdrive", "powershell:Get-PSDrive", cmd contains "get-volume", "powershell:Get-Volume", (cmd contains "get-ciminstance" and cmd contains "logicaldisk") or (cmd contains "get-wmiobject" and cmd contains "logicaldisk") or cmd contains "win32_logicaldisk", "powershell:Get-CimInstance/Get-WmiObject Win32_LogicalDisk", cmd contains "fsutil" or fname contains "fsutil.exe", "fsutil", cmd contains "diskpart" or fname contains "diskpart.exe", "diskpart", cmd contains "mountvol" or fname contains "mountvol.exe", "mountvol", cmd contains "net use" or cmd contains "net view" or cmd contains "net share" or fname == "net.exe", "net", (fname contains "powershell" or fname contains "pwsh") and (cmd contains "get-psdrive" or cmd contains "get-volume" or cmd contains "get-ciminstance" or cmd contains "get-wmiobject" or cmd contains "win32_logicaldisk"), "powershell:drive-enumeration", fname contains "powershell" or fname contains "pwsh", "powershell (other)", "other") | where matched_utility != "other" // Summary to identify which native utility was used | summarize count = count(), sample_command = any(ProcessCommandLine), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated), devices = make_set(DeviceName, 20), users = make_set(InitiatingProcessAccountName, 20) by matched_utility | order by count desc

// Find native Windows utilities that enumerate drives: mountvol, fsutil, diskpart, wmic logicaldisk, powershell Get-PSDrive, Get-CimInstance Win32_LogicalDisk let keywords = dynamic(["mountvol","fsutil","diskpart","wmic logicaldisk","wmic logicaldisk get","Get-PSDrive","Get-CimInstance","Win32_LogicalDisk","Get-WmiObject Win32_LogicalDisk","Get-CimInstance Win32_LogicalDisk","Get-WmiObject"]); // Search DeviceProcessEvents for matching process/file names or command lines let procMatches = DeviceProcessEvents | where array_length(keywords) == array_length(keywords) // no-op to keep let | where tolower(ProcessCommandLine) has_any (dynamic(["mountvol","fsutil","diskpart","wmic","get-psdrive","get-ciminstance","win32_logicaldisk","get-wmiobject"])) | extend match_term = case( tolower(FileName) contains "mountvol" or tolower(ProcessCommandLine) contains "mountvol", "mountvol", tolower(FileName) contains "fsutil" or tolower(ProcessCommandLine) contains "fsutil", "fsutil", tolower(FileName) contains "diskpart" or tolower(ProcessCommandLine) contains "diskpart", "diskpart", tolower(ProcessCommandLine) contains "wmic" and tolower(ProcessCommandLine) contains "logicaldisk", "wmic logicaldisk", tolower(ProcessCommandLine) contains "get-psdrive", "Get-PSDrive", tolower(ProcessCommandLine) contains "get-ciminstance" or tolower(ProcessCommandLine) contains "win32_logicaldisk", "Get-CimInstance", tolower(ProcessCommandLine) contains "get-wmiobject" , "Get-WmiObject", "other") | summarize count=count(), firstTime=min(TimeGenerated), lastTime=max(TimeGenerated), sample_commandlines=make_set(ProcessCommandLine,10), sample_files=make_set(FileName,10) by match_term, DeviceName, InitiatingProcessAccountName ; // Also search DeviceEvents and DeviceFileEvents for additional evidence let otherMatches = ( DeviceEvents | where tolower(ProcessCommandLine) has_any (dynamic(["mountvol","fsutil","diskpart","wmic","get-psdrive","get-ciminstance","win32_logicaldisk","get-wmiobject"])) | extend match_source = "DeviceEvents", match_command = ProcessCommandLine, match_file = FileName | project TimeGenerated, DeviceName, InitiatingProcessAccountName, match_source, match_file, match_command ) | union ( DeviceFileEvents | where tolower(InitiatingProcessCommandLine) has_any (dynamic(["mountvol","fsutil","diskpart","wmic","get-psdrive","get-ciminstance","win32_logicaldisk","get-wmiobject"])) | extend match_source = "DeviceFileEvents", match_command = InitiatingProcessCommandLine, match_file = FileName | project TimeGenerated, DeviceName, InitiatingProcessAccountName, match_source, match_file, match_command ) | top 100 by TimeGenerated desc ; procMatches | order by count desc, firstTime desc | join kind=leftouter (otherMatches) on DeviceName | project match_term, DeviceName, InitiatingProcessAccountName, count, firstTime, lastTime, sample_commandlines, sample_files, other_Time=TimeGenerated, other_source=match_source, other_file=match_file, other_command=match_command | take 200

let utilities = dynamic(["mountvol","fsutil","diskpart","wmic","wmic.exe","powershell","pwsh","get-psdrive","net use","dir","Get-WmiObject","gwmi","Get-CimInstance","cscript","wscript"]); let detectFromProc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend ProcLower = tolower(coalesce(FileName, InitiatingProcessFileName, "")), CmdLineLower = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")) | mv-expand util=utilities | where ProcLower contains util or CmdLineLower contains util | extend DetectedUtility = case( ProcLower contains "mountvol" or CmdLineLower contains "mountvol","mountvol", ProcLower contains "fsutil" or CmdLineLower contains "fsutil","fsutil", ProcLower contains "diskpart" or CmdLineLower contains "diskpart","diskpart", ProcLower contains "wmic" or CmdLineLower contains "wmic","wmic", ProcLower contains "powershell" or CmdLineLower contains "pwsh" or CmdLineLower contains "get-psdrive","powershell", CmdLineLower contains "get-psdrive","powershell", CmdLineLower contains "get-wmiobject" or CmdLineLower contains "gwmi" or CmdLineLower contains "get-ciminstance","wmi", CmdLineLower contains "net use" or ProcLower contains "net.exe","net use", CmdLineLower contains "dir" and (CmdLineLower contains ":\\" or CmdLineLower contains " /s"),"dir", CmdLineLower contains "cscript" or CmdLineLower contains "wscript","cscript/wscript", "other") | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, DetectedUtility ; let detectFromEvents = DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend ProcLower = tolower(coalesce(FileName, InitiatingProcessFileName, "")), CmdLineLower = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")) | mv-expand util=utilities | where ProcLower contains util or CmdLineLower contains util | extend DetectedUtility = case( ProcLower contains "mountvol" or CmdLineLower contains "mountvol","mountvol", ProcLower contains "fsutil" or CmdLineLower contains "fsutil","fsutil", ProcLower contains "diskpart" or CmdLineLower contains "diskpart","diskpart", ProcLower contains "wmic" or CmdLineLower contains "wmic","wmic", ProcLower contains "powershell" or ProcLower contains "pwsh" or CmdLineLower contains "get-psdrive","powershell", CmdLineLower contains "get-psdrive","powershell", CmdLineLower contains "get-wmiobject" or CmdLineLower contains "gwmi" or CmdLineLower contains "get-ciminstance","wmi", CmdLineLower contains "net use" or ProcLower contains "net.exe","net use", CmdLineLower contains "dir" and (CmdLineLower contains ":\\" or CmdLineLower contains " /s"),"dir", CmdLineLower contains "cscript" or CmdLineLower contains "wscript","cscript/wscript", "other") | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, DetectedUtility ; union detectFromProc, detectFromEvents | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DetectedUtility, DeviceName | order by Count desc, LastSeen desc | where DetectedUtility != "other" and DetectedUtility != "" | take 100

DeviceProcessEvents | where InitiatingProcessFileName in ("wmic.exe","wmic","diskpart.exe","diskpart","fsutil.exe","fsutil","powershell.exe","powershell","cmd.exe","cmd") | where (InitiatingProcessCommandLine has_any("logicaldisk","Win32_LogicalDisk","Get-PSDrive","Get-Disk","DiskPart","wmic","Get-WmiObject","Enumerate","ListVolume","ListDisk") or ProcessCommandLine has_any("logicaldisk","Win32_LogicalDisk","Get-PSDrive","Get-Disk","DiskPart","wmic","Get-WmiObject","Enumerate","ListVolume","ListDisk")) | project TimeGenerated, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessId, ProcessId, DeviceName | sort by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName in ('diskpart.exe', 'fsutil.exe', 'wmic.exe') or InitiatingProcessFileName in ('diskpart.exe', 'fsutil.exe', 'wmic.exe') | project UtilityName = FileName, CommandLine = ProcessCommandLine, DeviceName, AccountName, ProcessCreationTime | order by ProcessCreationTime desc

DeviceProcessEvents | where ProcessCommandLine contains "logicaldisk" or ProcessCommandLine contains "drives" or ProcessCommandLine contains "mountvol" or ProcessCommandLine contains "net use" | distinct FileName

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("cmd.exe", "powershell.exe", "net.exe", "wmic.exe", "fsutil.exe", "diskpart.exe", "mountvol.exe") | where ProcessCommandLine has_any ("net use", "wmic logicaldisk", "Get-WmiObject Win32_LogicalDisk", "Get-PSDrive", "fsutil volume", "diskpart", "mountvol") | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine | order by TimeGenerated desc

// Search process execution events for enumerating drives (e.g., using net.exe, mountvol.exe, wmic.exe) DeviceProcessEvents | where // Filter for timeframe in portal. E.g., TimeGenerated >= startofday(ago(7d)) (FileName in~ ("net.exe", "wmic.exe", "mountvol.exe", "cmd.exe", "powershell.exe")) and ( ProcessCommandLine has "net use" or ProcessCommandLine has "wmic logicaldisk" or ProcessCommandLine has "mountvol" or ProcessCommandLine has "Get-PSDrive" ) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("net.exe", "wmic.exe", "diskpart.exe", "fsutil.exe", "vol.exe") | where ProcessCommandLine has_any ("use", "logicaldisk", "list", "drive") | summarize EventCount=count() by FileName, ProcessCommandLine | sort by EventCount desc

DeviceProcessEvents | where tolower(InitiatingProcessFileName) in ("wmic.exe", "fsutil.exe", "net.exe") | where tolower(InitiatingProcessCommandLine) contains "logicaldisk" or tolower(InitiatingProcessCommandLine) contains "drives" or tolower(InitiatingProcessCommandLine) contains "use" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine | summarize Count = count() by InitiatingProcessFileName, bin(TimeGenerated, 1h) | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has_any ("logicaldisk", "fsinfo", "Get-PSDrive", "net use", "mountvol", "list volume") | summarize InvocationCount = count() by FileName | order by InvocationCount desc

DeviceProcessEvents | where FileName in~ ("fsutil.exe", "mountvol.exe", "diskpart.exe", "wmic.exe", "powershell.exe", "net.exe") // Identify only those invocations that enumerate connected drives | where (tolower(FileName) == "fsutil.exe" and ProcessCommandLine has "fsinfo drives") or (tolower(FileName) == "mountvol.exe") or (tolower(FileName) == "diskpart.exe" and ProcessCommandLine has_any ("list disk", "list volume")) or (tolower(FileName) == "wmic.exe" and ProcessCommandLine has "logicaldisk") or (tolower(FileName) == "powershell.exe"and ProcessCommandLine has "get-psdrive") or (tolower(FileName) == "net.exe" and ProcessCommandLine has "use") | project Timestamp, DeviceName, Utility=FileName, Command=ProcessCommandLine | summarize UsageCount = count(), SampleDevices = make_set(DeviceName, 5), SampleCommands = make_set(Command, 5) by Utility | sort by UsageCount desc