Query Details

Enumeration Shortperiod

Query

Query:
DeviceProcessEvents
// Discovery, credential, persistence and recovery-tampering utilities launched under cmd.exe
| where InitiatingProcessParentFileName =~ "cmd.exe" and FileName in ("tasklist.exe", "arp.exe", "at.exe", "attrib.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe", "wevtutil.exe", "psexec.exe", "bcdedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe")
    and InitiatingProcessParentFileName != @"services.exe"
// One row per device and 30-minute window; DiscoveryCommands = number of distinct command lines seen
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), DiscoveryCommands = dcount(ProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(ProcessCommandLine) by DeviceId, DeviceName, bin(Timestamp, 30m)
// Keep only windows in which at least three different commands from the list ran
| where DiscoveryCommands >= 3

Explanation

The query selects DeviceProcessEvents rows whose InitiatingProcessParentFileName is "cmd.exe" and whose FileName is one of the listed utilities, and excludes rows whose InitiatingProcessParentFileName is "services.exe". The matching rows are then summarized per DeviceId, DeviceName and 30-minute time bin: arg_max returns the latest Timestamp and its ReportId for each group, DiscoveryCommands is the number of distinct ProcessCommandLine values in the group, and make_set collects the unique InitiatingProcessFileName, FileName and ProcessCommandLine values. Finally, only groups with a DiscoveryCommands value of 3 or more are kept, i.e. devices on which at least three different commands from the list ran within a single 30-minute window.
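To see the filter, summarize and threshold stages in action, here is an added Python re-implementation (not the page's own query or any Microsoft tool) run over constructed DeviceProcessEvents rows; the device ids, names, timestamps and ReportIds are hypothetical, and the tool list is abridged from the query's.

```python
"""Added offline re-implementation of the 'Enumeration Shortperiod' query stages over
constructed DeviceProcessEvents rows; column names follow the Defender schema."""
from collections import defaultdict
from datetime import datetime
# Abridged copy of the query's `FileName in (...)` list.
DISCOVERY_TOOLS = {"tasklist.exe", "arp.exe", "ipconfig.exe", "net.exe", "netsh.exe",
                   "nslookup.exe", "quser.exe", "systeminfo.exe", "bcdedit.exe"}
THRESHOLD = 3  # where DiscoveryCommands >= 3

def bin_30m(ts):
    """bin(Timestamp, 30m): floor to the start of the half hour."""
    return ts.replace(minute=(ts.minute // 30) * 30, second=0, microsecond=0)

def hunt(events):
    """One row per (DeviceId, DeviceName, 30m bin) with >= THRESHOLD distinct command lines."""
    groups = defaultdict(list)
    for e in events:
        # KQL `=~` is case-insensitive but `in` is not, so event 8's mixed-case name is skipped.
        if (e["InitiatingProcessParentFileName"].lower() == "cmd.exe"
                and e["FileName"] in DISCOVERY_TOOLS
                and e["InitiatingProcessParentFileName"] != "services.exe"):
            groups[(e["DeviceId"], e["DeviceName"], bin_30m(e["Timestamp"]))].append(e)
    alerts = []
    for (dev_id, dev_name, window), rows in groups.items():
        latest = max(rows, key=lambda r: r["Timestamp"])  # arg_max(Timestamp, ReportId)
        cmds = {r["ProcessCommandLine"] for r in rows}     # dcount(ProcessCommandLine)
        if len(cmds) >= THRESHOLD:
            alerts.append({"DeviceId": dev_id, "DeviceName": dev_name, "Window": window,
                           "Timestamp": latest["Timestamp"], "ReportId": latest["ReportId"],
                           "DiscoveryCommands": len(cmds), "set_ProcessCommandLine": sorted(cmds),
                           "set_FileName": sorted({r["FileName"] for r in rows})})
    return alerts

def ev(dev, hhmm, parent, name, cmd, rid):
    """Constructed DeviceProcessEvents row (hypothetical device id/name, dated 2023-09-19)."""
    h, m = map(int, hhmm.split(":"))
    return {"DeviceId": dev, "DeviceName": dev + ".example.local", "ReportId": rid,
            "Timestamp": datetime(2023, 9, 19, h, m), "FileName": name,
            "InitiatingProcessParentFileName": parent, "ProcessCommandLine": cmd}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    ev("dev1", "10:02", "cmd.exe", "net.exe", "net user", 1),
    ev("dev1", "10:05", "cmd.exe", "ipconfig.exe", "ipconfig /all", 2),
    ev("dev1", "10:07", "cmd.exe", "ipconfig.exe", "ipconfig /all", 3),  # duplicate line
    ev("dev1", "10:11", "cmd.exe", "systeminfo.exe", "systeminfo", 4),
    ev("dev1", "10:20", "explorer.exe", "tasklist.exe", "tasklist", 5),  # wrong parent
    ev("dev1", "10:45", "cmd.exe", "arp.exe", "arp -a", 6),              # next 30m bin
    ev("dev2", "10:03", "cmd.exe", "net.exe", "net group", 7),
    ev("dev2", "10:04", "CMD.EXE", "NET.EXE", "NET VIEW", 8),            # missed by `in`
]
```

Only dev1's 10:00 window fires (three distinct command lines, the duplicate ipconfig line counted once); the case-sensitivity note on `in` is worth remembering when tuning the real query.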

Details

Ali Hussein

Released: September 19, 2023

Tables

DeviceProcessEvents

Keywords

Devices, Intune, User

Operators

=, =~, in, !=, arg_max, dcount, make_set, summarize, by, bin, >=