Query Details

Getsystem

Query

Tags:

Query:

DeviceProcessEvents
| where FileName == @"cmd.exe" and ProcessCommandLine has_all ("echo", "pipe")

References:

Explanation

The query searches DeviceProcessEvents for process creations where FileName is "cmd.exe" and ProcessCommandLine contains both "echo" and "pipe". A cmd.exe command line that echoes text to a named pipe is characteristic of the named-pipe impersonation step used by the getsystem privilege-escalation technique; matching both terms with has_all narrows the results to that pattern rather than to any cmd.exe use of echo.

Details


Ali Hussein

Released: September 19, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, FileName, ProcessCommandLine

Operators

|, where, ==, @, and, has_all
