Query Details

MDE Most Recent PowerShell Executions By Compromised Device

Query

# Show the last 100 processes launched by PowerShell on a compromised device, together with the PowerShell command line that launched them
----
### Defender For Endpoint

```
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; // Customizable: h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName =~ CompromisedDevice // =~ is case-insensitive; == would silently miss a hostname typed in a different case
| where AccountName !~ "system" // If you suspect that the SYSTEM account is compromised, remove this filter.
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe") // parent is Windows PowerShell or PowerShell 7
| top 100 by Timestamp // top sorts descending on its own, so no separate sort is needed
| project
     Timestamp,
     DeviceName,
     ActionType,
     FileName, // the process PowerShell launched
     ProcessCommandLine,
     AccountDomain,
     AccountName,
     InitiatingProcessCommandLine // the PowerShell command line that spawned FileName
```
### Sentinel
```
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; // Customizable: h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName =~ CompromisedDevice // =~ is case-insensitive; == would silently miss a hostname typed in a different case
| where AccountName !~ "system" // If you suspect that the SYSTEM account is compromised, remove this filter.
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe") // parent is Windows PowerShell or PowerShell 7
| top 100 by TimeGenerated // top sorts descending on its own, so no separate sort is needed
| project
     TimeGenerated,
     DeviceName,
     ActionType,
     FileName, // the process PowerShell launched
     ProcessCommandLine,
     AccountDomain,
     AccountName,
     InitiatingProcessCommandLine // the PowerShell command line that spawned FileName
```



Explanation

The query returns the 100 most recent DeviceProcessEvents rows on the named device in which the parent process is PowerShell, that is, the processes PowerShell launched, together with the PowerShell command line that launched them (InitiatingProcessCommandLine). Each row carries the timestamp, device name, action type, file name, process command line, account domain, account name and initiating process command line. Events under the SYSTEM account are excluded by default; remove that filter if you suspect SYSTEM-level compromise. The query runs in either Defender for Endpoint Advanced Hunting or Microsoft Sentinel; the only difference is the timestamp column (Timestamp versus TimeGenerated). Two caveats: PowerShell activity that never spawns a child process (a script that only calls cmdlets or .NET APIs, for example) does not appear here, and to see PowerShell itself being started you need to filter on FileName rather than InitiatingProcessFileName.
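The following variant is an added example, not the query from the original page. It covers both cases described above in one result set: rows where PowerShell is the launched process (Role = PowerShellStart) and rows where PowerShell is the parent (Role = ChildOfPowerShell). It then tags each row with the evasion switches seen in the relevant PowerShell command line and pulls out any -EncodedCommand payload for follow-up. The hostname, the binary list and the switch patterns are illustrative assumptions; for Sentinel replace Timestamp with TimeGenerated.

```kql
// Added example (not the page's original query).
// Assumptions: "laptop.contoso.com" is a placeholder hostname; the switch list is a
// starting point, not an exhaustive catalogue of PowerShell evasion flags.
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h;
let PowerShellBinaries = dynamic(["powershell.exe", "pwsh.exe", "powershell_ise.exe"]);
DeviceProcessEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName =~ CompromisedDevice
| where AccountName !~ "system"
// PowerShell as the started process OR as the parent of the started process
| where FileName in~ (PowerShellBinaries) or InitiatingProcessFileName in~ (PowerShellBinaries)
| extend Role = iff(FileName in~ (PowerShellBinaries), "PowerShellStart", "ChildOfPowerShell")
// The PowerShell command line lives in a different column depending on the role
| extend PSCommandLine = iff(Role == "PowerShellStart", ProcessCommandLine, InitiatingProcessCommandLine)
// Base64 blob after -e / -ec / -enc / -EncodedCommand (UTF-16LE once decoded)
| extend EncodedCommand = extract(@"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", 1, PSCommandLine)
// One tag per matched switch; empty strings are removed afterwards
| extend SuspiciousSwitches = pack_array(
      iff(PSCommandLine matches regex @"(?i)-(?:nop|noprofile)\b", "NoProfile", ""),
      iff(PSCommandLine matches regex @"(?i)-(?:w|win|windowstyle)\s+hidden", "WindowHidden", ""),
      iff(PSCommandLine matches regex @"(?i)-(?:ep|executionpolicy)\s+bypass", "ExecutionPolicyBypass", ""),
      iff(PSCommandLine matches regex @"(?i)-(?:noni|noninteractive)\b", "NonInteractive", ""),
      iff(isnotempty(EncodedCommand), "EncodedCommand", ""),
      iff(PSCommandLine has_any ("DownloadString", "DownloadFile", "IEX", "Invoke-Expression", "FromBase64String"), "DownloadOrEval", ""))
| extend SuspiciousSwitches = set_difference(SuspiciousSwitches, dynamic([""]))
| extend RiskScore = array_length(SuspiciousSwitches)
| top 100 by Timestamp
| project
     Timestamp,
     DeviceName,
     AccountDomain,
     AccountName,
     Role,
     FileName,
     ProcessCommandLine,
     PSCommandLine,
     SuspiciousSwitches,
     RiskScore,
     EncodedCommand
```

Sort the result by RiskScore desc before reading it if the 100 rows are noisy. The EncodedCommand column is the raw base64; PowerShell encodes it as UTF-16LE, so decode it on an analysis box with `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob))` rather than with a plain UTF-8 base64 decoder.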

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceProcessEvents

Keywords

Device,Powershell,CompromisedDevice,DefenderForEndpoint,Sentinel

Operators

let, where, ago, top, project
