Query Details

Endpoint Ps Exec Hunting LMP

Query

name : Lateral movement - hunting for PsExec activities
description : 
- Case1 - hunt for "psexec" activities with DeviceProcessEvents, DeviceEvents 
- Case2 - hunt for "psexec" activities with DeviceNetworkEvents 
KQL : 
- InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event
- ProcessCommandLine           | string | Command line used to create the new process
reference : 
- PsExec - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
table : 
- DeviceProcessEvents, DeviceEvents, DeviceNetworkEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
query : |
   //Case1 - hunt for "psexec" activities with DeviceProcessEvents, DeviceEvents
   // =~ is case-insensitive equality, so only a file literally named PsExec.exe passes;
   // 'has' is a whole-term match, so "psexec.exe" matches but "psexec64.exe" does not
   union DeviceProcessEvents, DeviceEvents
   | where Timestamp > ago(30d)
   | where InitiatingProcessFileName =~ "PsExec.exe" or FileName =~ "PsExec.exe"
   | where InitiatingProcessCommandLine has "psexec" or ProcessCommandLine has "psexec"
   | summarize make_set(ProcessCommandLine) by DeviceId, DeviceName


   //Case2 - hunt for "psexec" activities with DeviceNetworkEvents
   // connections opened by PsExec.exe itself, i.e. the SMB session to the remote host
   DeviceNetworkEvents
   | where Timestamp > ago(30d)
   | where InitiatingProcessFileName =~ "PsExec.exe"
   | where InitiatingProcessCommandLine has "psexec"
   | summarize make_set(InitiatingProcessCommandLine) by DeviceId, DeviceName

Explanation

This query hunts for PsExec activity on the host that launched PsExec, across three advanced-hunting tables.

Case 1 unions DeviceProcessEvents and DeviceEvents, keeps the last 30 days, and requires two things: the initiating or created process file is named PsExec.exe (=~ is case-insensitive equality, not a substring test), and the initiating or new process command line contains the whole term "psexec" (has is a term match, so "C:\Tools\PsExec.exe -s cmd" matches, while "PsExec64.exe" does not, because "psexec64" is a single term). It then summarizes per DeviceId and DeviceName, collecting the distinct ProcessCommandLine values so every command PsExec was asked to run can be reviewed in one row per device.

Case 2 applies the same filename and command-line filters to DeviceNetworkEvents, so the rows are the outbound connections PsExec.exe opened (the SMB session to the remote host), summarized per device as the set of initiating command lines. Both cases observe only the source host: PsExec64.exe and copies the operator has renamed fail the filename test, and the service PsExec installs on the target (PSEXESVC.exe) is not covered at all.
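The gaps just described (the 64-bit binary, renamed copies, and the target side of the connection) can be closed with an extended hunt. The query below is an added example and is not part of the original query or of the author's work. It assumes a Defender for Endpoint tenant with the standard advanced-hunting schema; the 30-day lookback is arbitrary, and the PE version-info values psexec.c and psexesvc.exe (the OriginalFilename carried by PsExec.exe/PsExec64.exe and by PSEXESVC.exe in Sysinternals builds) are assumptions that should be verified against your own copy of the tools before relying on them.

```kql
// Added example, not the page's original query. Assumes the Defender for
// Endpoint advanced-hunting schema; the OriginalFilename constants below are
// assumed values taken from Sysinternals builds and should be checked locally.
let lookback = 30d;
// Source host: PsExec.exe / PsExec64.exe, or a renamed copy. A renamed copy
// keeps its PE version resource, so OriginalFilename is matched as well.
let SourceSide =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("PsExec.exe", "PsExec64.exe")
         or ProcessVersionInfoOriginalFileName =~ "psexec.c"   // assumed value
    | extend Side = "source",
             Renamed = not(FileName in~ ("PsExec.exe", "PsExec64.exe")),
             // the \\HOST token on the command line names the remote target
             Target = extract(@"\\\\([^\s,]+)", 1, ProcessCommandLine)
    | project Timestamp, DeviceId, DeviceName, Side, Renamed, Target,
              AccountName, FileName, ProcessCommandLine;
// Target host: PsExec copies PSEXESVC.exe into %SystemRoot% over ADMIN$,
// registers it as a service, and the service spawns the requested command.
// Children of the service are the executed payload. The -r switch renames
// the service binary, which is why OriginalFilename is checked here too.
let TargetSide =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "PSEXESVC.exe"
         or InitiatingProcessVersionInfoOriginalFileName =~ "psexesvc.exe"   // assumed value
    | extend Side = "target",
             Renamed = InitiatingProcessFileName !~ "PSEXESVC.exe",
             Target = DeviceName
    | project Timestamp, DeviceId, DeviceName, Side, Renamed, Target,
              AccountName, FileName, ProcessCommandLine;
union SourceSide, TargetSide
| summarize Events = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Targets = make_set(Target, 20),
            CommandLines = make_set(ProcessCommandLine, 20)
    by DeviceName, Side, Renamed, AccountName
// renamed tooling is the least likely to be routine administration, so surface it first
| order by Renamed desc, LastSeen desc
```

Rows with Side == "target" tell you what actually ran on the remote machine, which the original query cannot show, and pairing a source row's Targets set with target rows of the same Timestamp window confirms the hop end to end. Expect legitimate hits from administrators and deployment tooling; tune by excluding known jump hosts and service accounts on the source side rather than by loosening the filename and version-info tests.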

Details

Kijo Girardi

Released: March 3, 2023

Tables

DeviceProcessEvents, DeviceEvents, DeviceNetworkEvents

Keywords

Lateral movement, hunting, PsExec, DeviceProcessEvents, DeviceEvents, DeviceNetworkEvents, InitiatingProcessCommandLine, ProcessCommandLine, Timestamp, ago, InitiatingProcessFileName, FileName, DeviceId, DeviceName

Operators

union, where, ago(), summarize, make_set()
