CSC Suspicious Executions
Query
Tags
Query:
DeviceProcessEvents
| where ProcessVersionInfoFileDescription == @"Visual C# Command Line Compiler"
| where InitiatingProcessParentFileName == @"cmd.exe" | where InitiatingProcessCommandLine !contains @"google\mFit" | where InitiatingProcessCommandLine !contains @"[Elam]::InstallWdBoot"
Rerences:Explanation
The query is filtering the DeviceProcessEvents data based on certain conditions. It is looking for events where the ProcessVersionInfoFileDescription is "Visual C# Command Line Compiler" and the InitiatingProcessParentFileName is "cmd.exe". It is also excluding events where the InitiatingProcessCommandLine contains "google\mFit" or "[Elam]::InstallWdBoot".
Details

Ali Hussein
Released: September 19, 2023
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsProcessVersionInfoFileDescriptionVisual C# Command Line CompilerInitiatingProcessParentFileNamecmd.exeInitiatingProcessCommandLinegoogle\mFit[Elam]::InstallWdBoot
Operators
|==@"Visual C# Command Line Compiler"where@"cmd.exe"!contains@"google\mFit"@"[Elam]::InstallWdBoot"