Query Details

WMISBM Exec

Query

Tags:

Query:
DeviceProcessEvents
| where FileName == @"cmd.exe" and ProcessCommandLine contains @"2>" and  ProcessCommandLine contains @"$"
References:

Explanation

This KQL (Kusto Query Language) query searches DeviceProcessEvents for process creations where the image is cmd.exe and the command line contains both the stderr redirection operator (2>) and a dollar sign ($). On Windows a trailing $ in a UNC path names a hidden administrative share (ADMIN$, C$), so the combination typically means a command's output is being redirected to a share. That is exactly how remote-execution tools such as Impacket's wmiexec.py run commands, e.g. cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1, writing the output to the share so it can be read back over SMB.

Two details of the query's semantics matter when tuning it. In KQL, contains is case-insensitive, so 2> and $ are matched regardless of letter case, but == is case-sensitive: FileName == "cmd.exe" will not match an event whose FileName is recorded as CMD.EXE (use =~ for case-insensitive equality). The $ condition is also broad: it matches benign command lines that merely reference a variable or a path containing a dollar sign, so expect false positives and consider requiring a redirect whose target is a UNC path to an administrative share.
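The following Python is an added example, not code from the page or its author. It re-implements the page's predicate over a handful of constructed DeviceProcessEvents rows (not real telemetry), reproducing KQL's semantics (contains is case-insensitive, == is case-sensitive), and places a tightened predicate beside it that requires a redirect to a UNC administrative share. The tightened regex, its KQL equivalent in the comment, and the sample command lines are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (only the two columns the query uses)."""
    file_name: str
    command_line: str


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches_page_query(ev: ProcessEvent) -> bool:
    """Python equivalent of the page's query. KQL `==` is case-sensitive, so this is too."""
    return (
        ev.file_name == "cmd.exe"
        and kql_contains(ev.command_line, "2>")
        and kql_contains(ev.command_line, "$")
    )


# Assumed tightened predicate (not from the page): a redirect whose target is a UNC
# path to a share whose name ends in `$` (ADMIN$, C$, ...), e.g. `> \\127.0.0.1\ADMIN$\__123`.
# Equivalent KQL (also an assumption, not the page's query):
#   DeviceProcessEvents
#   | where FileName =~ "cmd.exe"
#   | where ProcessCommandLine matches regex @">\s*\\\\[^\\\s]+\\[^\\\s]*\$\\"
ADMIN_SHARE_REDIRECT = re.compile(r">\s*\\\\[^\\\s]+\\[^\\\s]*\$\\")


def matches_tightened_query(ev: ProcessEvent) -> bool:
    """Case-insensitive image check plus a redirect into an administrative share."""
    return (
        ev.file_name.lower() == "cmd.exe"
        and ADMIN_SHARE_REDIRECT.search(ev.command_line) is not None
    )


# Constructed sample events for the demonstration (not real telemetry).
SAMPLE_EVENTS = {
    # wmiexec.py-style command: stdout and stderr redirected into ADMIN$.
    "wmiexec_style": ProcessEvent(
        "cmd.exe",
        r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1697030000.12 2>&1",
    ),
    # Same behaviour, but FileName recorded in upper case: the page's `==` misses it.
    "upper_case_image": ProcessEvent(
        "CMD.EXE",
        r"CMD.EXE /c dir C:\Users 1> \\10.0.0.5\C$\out.txt 2>&1",
    ),
    # Redirect operators escaped with `^`, so the literal substring `2>` never appears.
    "escaped_redirect": ProcessEvent(
        "cmd.exe",
        r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\run.bat",
    ),
    # Benign: `$` comes from a variable name, stderr goes to nul. Page query fires anyway.
    "benign_dollar": ProcessEvent(
        "cmd.exe",
        r"cmd.exe /c echo $PATH 2> nul",
    ),
    # Different image: neither predicate should fire.
    "powershell_image": ProcessEvent(
        "powershell.exe",
        r"powershell.exe -c Get-Process 2> \\srv\C$\err.txt",
    ),
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {name: (page_query_matches, tightened_query_matches)} for each event."""
    return {
        name: (matches_page_query(ev), matches_tightened_query(ev))
        for name, ev in events.items()
    }


if __name__ == "__main__":
    for name, (page, tight) in evaluate().items():
        print(f"{name:18} page_query={str(page):5} tightened={tight}")
```

Running it shows the two directions in which the page's predicate is off: it fires on the benign `$PATH` line while missing the upper-case image and the `^`-escaped redirect, both of which the share-based regex catches because it keys on where the output goes rather than on the literal characters `2>`.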

Details


Ali Hussein

Released: October 11, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

==, and, contains
