Query Details

CSC Suspicious Executions

Query:
DeviceProcessEvents
| where ProcessVersionInfoFileDescription == @"Visual C# Command Line Compiler"
| where InitiatingProcessParentFileName == @"cmd.exe"
| where InitiatingProcessCommandLine !contains @"google\mFit"
| where InitiatingProcessCommandLine !contains @"[Elam]::InstallWdBoot"

Explanation

The query filters DeviceProcessEvents for launches of the Visual C# command-line compiler (csc.exe). It matches on ProcessVersionInfoFileDescription == "Visual C# Command Line Compiler" rather than on FileName, so a copy of csc.exe that has been renamed is still caught. It then keeps only events whose InitiatingProcessParentFileName is cmd.exe: in this table the row is the created process (csc.exe), InitiatingProcess* describes its parent, and InitiatingProcessParentFileName is therefore the grandparent, so the condition means a command prompt started the process that in turn started the compiler. That lineage is what an attacker compiling C# source on the host after delivery (MITRE ATT&CK T1027.004, Compile After Delivery) tends to produce, instead of shipping an already compiled binary. Finally it drops events whose InitiatingProcessCommandLine contains "google\mFit" or "[Elam]::InstallWdBoot", two fragments the query treats as known benign sources; PowerShell's Add-Type compiles inline C# through csc.exe, which is a common cause of such noise. Note that == in KQL is case-sensitive (=~ is the case-insensitive form), while !contains is case-insensitive, so a parent reported as CMD.EXE would not match the second filter as written.
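A tuned variant of the query, added here as an example and not the author's original. It widens the match to ProcessVersionInfoOriginalFileName (both columns are part of the DeviceProcessEvents schema), uses case-insensitive operators, keeps the two exclusions from the original, flags renamed copies of the compiler, and projects the columns an analyst needs for triage. The 7-day window is an assumption; adjust it to your retention and hunting cadence.

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// Match on version information so a renamed csc.exe is still caught
| where ProcessVersionInfoFileDescription =~ "Visual C# Command Line Compiler"
    or ProcessVersionInfoOriginalFileName =~ "csc.exe"
// Grandparent is cmd.exe: a command prompt started the process that launched the compiler
| where InitiatingProcessParentFileName =~ "cmd.exe"
// Exclusions carried over from the original query; verbatim strings keep the backslash literal
| where InitiatingProcessCommandLine !contains @"google\mFit"
| where InitiatingProcessCommandLine !contains @"[Elam]::InstallWdBoot"
// A compiler that is not named csc.exe on disk is worth looking at first
| extend RenamedCompiler = iff(FileName !~ "csc.exe", "yes", "no")
| project Timestamp, DeviceName, AccountName, RenamedCompiler, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

ProcessCommandLine usually carries the path of the .cs source (or a response file) being compiled; pulling that file from the endpoint is the natural next step when a hit is not explained by a known build or Add-Type workflow.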

Details

Ali Hussein

Released: September 19, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,ProcessVersionInfoFileDescription,VisualC#CommandLineCompiler,InitiatingProcessParentFileName,cmd.exe,InitiatingProcessCommandLine,google\mFit,[Elam]::InstallWdBoot
