Query Details

Device First Time Who Am I

Query

//Detect when a 'whoami' command is sent for the first time from a device & account combination not seen before

//Data connector required for this query - M365 Defender - Device* tables

DeviceProcessEvents
| where TimeGenerated > ago(30d) and TimeGenerated < ago(1d)
| project DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| where InitiatingProcessCommandLine contains "whoami"
| distinct DeviceName, InitiatingProcessAccountName
| join kind=rightanti (
    DeviceProcessEvents
    | where TimeGenerated > ago(1d)
    | project
        TimeGenerated,
        DeviceName,
        InitiatingProcessAccountName,
        InitiatingProcessCommandLine
    | where InitiatingProcessCommandLine contains "whoami"
    )
    on DeviceName, InitiatingProcessAccountName

Explanation

This query looks for instances where a 'whoami' command is sent for the first time from a device and account combination that has not been seen before. It uses the M365 Defender - Device* tables as the data source. The first part of the query builds a baseline from DeviceProcessEvents over the window between 30 days and 1 day ago: it projects the DeviceName, InitiatingProcessAccountName, and InitiatingProcessCommandLine columns, keeps the rows where InitiatingProcessCommandLine contains "whoami", and uses the distinct operator to reduce them to the unique DeviceName and InitiatingProcessAccountName combinations already seen. It then performs a right anti-join against DeviceProcessEvents from the past day, again filtered to rows where InitiatingProcessCommandLine contains "whoami", joining on the DeviceName and InitiatingProcessAccountName columns. Because a right anti-join returns only the rows from the right side (the last day) that have no matching key on the left side (the baseline), the result is the recent 'whoami' executions from device and account pairs with no prior occurrence in the baseline window.
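The same first-seen logic run over a constructed in-memory table, as an added example that is not part of the original query page. It assumes a datatable of sample rows standing in for DeviceProcessEvents and a fixed reference time (RefTime) in place of now(), so the rightanti join and its output can be checked in any KQL environment without a live Defender connector.

```kql
// Added example: first-seen 'whoami' logic over constructed sample rows.
// RefTime replaces now() so the baseline and last-day windows stay stable.
let RefTime = datetime(2022-06-17 12:00:00);
let SampleEvents = datatable(
    TimeGenerated:datetime,
    DeviceName:string,
    InitiatingProcessAccountName:string,
    InitiatingProcessCommandLine:string)
[
    // Baseline window (30d to 1d before RefTime): pairs already known
    datetime(2022-06-01 09:00:00), "ws01", "alice", "whoami /all",
    datetime(2022-06-10 14:30:00), "ws02", "bob",   "cmd.exe /c whoami",
    // Last 24 hours: ws01/alice is known; ws03/carol and ws02/svc-backup are new
    datetime(2022-06-17 08:00:00), "ws01", "alice",      "whoami",
    datetime(2022-06-17 09:15:00), "ws03", "carol",      "whoami /groups",
    datetime(2022-06-17 10:05:00), "ws02", "svc-backup", "powershell -c whoami",
    // Unrelated activity that the contains filter drops
    datetime(2022-06-17 11:00:00), "ws04", "dave",       "ipconfig /all"
];
// Left side: distinct device/account pairs that ran 'whoami' in the baseline window
SampleEvents
| where TimeGenerated > RefTime - 30d and TimeGenerated < RefTime - 1d
| where InitiatingProcessCommandLine contains "whoami"
| distinct DeviceName, InitiatingProcessAccountName
// Right side: last-day 'whoami' rows; rightanti keeps only those whose
// device/account pair has no match in the baseline
| join kind=rightanti (
    SampleEvents
    | where TimeGenerated > RefTime - 1d
    | where InitiatingProcessCommandLine contains "whoami"
    )
    on DeviceName, InitiatingProcessAccountName
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated asc
```

Swapping SampleEvents for DeviceProcessEvents and RefTime for now() gives back the production query above.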

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceProcessEvents

Keywords

Device,Account,DeviceProcessEvents,TimeGenerated,DeviceName,InitiatingProcessAccountName,InitiatingProcessCommandLine,join,rightanti

Operators

where,ago,project,contains,distinct,join,kind,on
