Query Details

CS Sacrificial Processes

Query

Tags:

Query:

DeviceProcessEvents
| where FileName has_any ("rundll32.exe","werfault.exe", "searchprotocolhost.exe", "gpupdate.exe", "regsvr32.exe", "svchost.exe", "msiexec.exe")
| where ProcessCommandLine matches regex "^$" 


References:

Explanation

This KQL (Kusto Query Language) query is designed to search through device process events to find specific processes that have been executed without any command line arguments. Here's a simple breakdown:

  1. Data Source: The query looks at DeviceProcessEvents, which contains information about processes that have run on devices.

  2. Filter by FileName: It filters the events to include only those where the FileName is one of the following:

    • rundll32.exe
    • werfault.exe
    • searchprotocolhost.exe
    • gpupdate.exe
    • regsvr32.exe
    • svchost.exe
    • msiexec.exe

  3. Filter by Command Line: It further filters these events to include only those where the ProcessCommandLine is empty (i.e., there are no command line arguments). This is done using a regular expression (^$) that matches an empty string.

In summary, the query identifies instances where specific system processes have been executed without any command line arguments. Under normal use these binaries are launched with a command line, so an empty ProcessCommandLine is a useful indicator of a sacrificial process spawned by a C2 framework such as Cobalt Strike; review the parent process of each hit to confirm.
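As an added example (not part of the original query page), the same filter re-implemented in Python and run over a handful of constructed DeviceProcessEvents rows, so the matching semantics can be checked offline: has_any on FileName is case-insensitive, while "^$" matches only a truly empty ProcessCommandLine. The ProcessEvent type, hunt function and the sample rows are assumptions of this example, not Defender's own API.

```python
import re
from dataclasses import dataclass

# Binaries from the query: typical Cobalt Strike spawn-to / sacrificial targets.
WATCHED_FILENAMES = {
    "rundll32.exe", "werfault.exe", "searchprotocolhost.exe",
    "gpupdate.exe", "regsvr32.exe", "svchost.exe", "msiexec.exe",
}

# Same pattern as the query: matches only a completely empty string.
EMPTY_CMDLINE = re.compile(r"^$")


@dataclass
class ProcessEvent:
    # Minimal stand-in for a DeviceProcessEvents row (subset of columns).
    device_name: str
    file_name: str
    process_command_line: str
    initiating_process_file_name: str


def is_sacrificial_candidate(ev: ProcessEvent) -> bool:
    # KQL has_any is case-insensitive, so normalise before comparing;
    # matches regex is applied to the raw command line, as in the query.
    in_watch_list = ev.file_name.lower() in WATCHED_FILENAMES
    empty_cmdline = EMPTY_CMDLINE.match(ev.process_command_line) is not None
    return in_watch_list and empty_cmdline


def hunt(events):
    # Return the rows the KQL query would return, in input order.
    return [ev for ev in events if is_sacrificial_candidate(ev)]


# Constructed sample rows (hypothetical hosts and parents, not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "rundll32.exe", "", "powershell.exe"),  # hit
    ProcessEvent("ws01", "rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe"),  # has args
    ProcessEvent("ws02", "svchost.exe", "svchost.exe -k netsvcs -p", "services.exe"),  # has args
    ProcessEvent("ws02", "notepad.exe", "", "explorer.exe"),  # not in the watch list
    ProcessEvent("ws03", "WerFault.exe", "", "outlook.exe"),  # hit (case-insensitive match)
    ProcessEvent("ws03", "regsvr32.exe", " ", "cmd.exe"),  # whitespace only: "^$" does not match
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"{ev.device_name}: {ev.file_name} spawned by "
              f"{ev.initiating_process_file_name} with an empty command line")
```

The whitespace-only row shows the regex's limit: a command line of a single space is not flagged by "^$", which is worth knowing before widening the pattern.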

Details

Ali Hussein

Released: December 4, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

has_any, matches regex