Question Analysis

DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' | where ProcessCommandLine contains 'http' or ProcessCommandLine contains '.ps1' // Filter for potential external downloads or script executions | extend ScriptFile = extract(@'-File\s+([^\s]+)@', 1, ProcessCommandLine) // Extract the script file name from the command line | where isnotnull(ScriptFile) // Ensure only rows with a detected script file are kept | summarize arg_max(TimeGenerated, *) by ScriptFile // Summarize to get the most recent event per script file | project ScriptFile, TimeGenerated, DeviceName, ProcessCommandLine // Project key fields for review

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Invoke-WebRequest", "WebClient", "DownloadString", "Invoke-Expression", "IEX") | extend DownloadedScript = extract(@'([^/]+\.(?:ps1|psm1|ps))', 1, tostring(ProcessCommandLine)) | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, DownloadedScript | order by TimeGenerated desc

// Investigate PowerShell-based downloads and execution of a script DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("System.Net.WebClient", "Invoke-WebRequest", "iwr", "wget", "curl", "bitsadmin", "Start-BitsTransfer", "Invoke-WebClient", "iex") or InitiatingProcessCommandLine has_any ("System.Net.WebClient", "Invoke-WebRequest", "iwr", "wget", "curl", "bitsadmin", "Start-BitsTransfer", "Invoke-WebClient", "iex") | extend DownloadedScript = extract(@"([\w\-.]+\.ps1)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, DownloadedScript | order by TimeGenerated desc

DeviceProcessEvents | where tolower(InitiatingProcessFileName) has "powershell.exe" | where InitiatingProcessCommandLine contains "http" and InitiatingProcessCommandLine contains ".ps1" | extend ScriptURL = extract(@"(https?://\S+\.ps1)", 1, InitiatingProcessCommandLine) | extend ScriptFileName = extract(@"([^/\s]+\.ps1)", 1, ScriptURL) | where isnotempty(ScriptFileName) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ScriptURL, ScriptFileName | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "powershell.exe" | where (ProcessCommandLine contains "http" or InitiatingProcessCommandLine contains "http") and (ProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".ps1") | extend CombinedCmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend ScriptName = extract(@"([^/\\]+\.ps1)", 0, CombinedCmdLine) | where isnotempty(ScriptName) | project TimeGenerated, DeviceName, ScriptName, ProcessCommandLine, InitiatingProcessCommandLine

DeviceProcessEvents // (Time filter is applied externally) | where FileName endswith "powershell.exe" or FileName endswith "pwsh.exe" | where ProcessCommandLine has_any ("DownloadFile", "DownloadString", "Invoke-WebRequest", "WebClient", "-OutFile") | extend ScriptFromDownloadFile = extract(@"(?i)DownloadFile\(\s*'https?://[^/]+/([^']+)'", 1, ProcessCommandLine) | extend ScriptFromDownloadString = extract(@"(?i)DownloadString\(\s*'https?://[^/]+/([^']+\.ps1)'", 1, ProcessCommandLine) | extend ScriptFromOutFile = extract(@"(?i)-OutFile\s*'([^']+\.ps1)'", 1, ProcessCommandLine) | extend ScriptFile = coalesce(ScriptFromDownloadFile, ScriptFromDownloadString, ScriptFromOutFile) | where isnotempty(ScriptFile) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ScriptFile, ProcessCommandLine | sort by TimeGenerated desc