Forum Discussion

CurlX2305
Copper Contributor
Aug 27, 2022

Advanced Hunting Query Powershell Command Line

I was testing whether I was able to detect various PowerShell commands in Advanced Hunting, and this was the result:


Via the Windows PowerShell command line I executed:

(Invoke-Webrequest -Uri "https://openphish.com/feed.txt").Content
Invoke-Expression -Command "(Invoke-Webrequest -Uri `"https://openphish.com/feed.txt`").Content"

I executed the same via cmd.exe -> calling powershell -> same requests.


Within the Advanced Hunting query page I have:

DeviceEvents
| where ActionType == "PowerShellCommand"
| extend PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string))
| where PowershellCommand startswith "Invoke-WebRequest"

Result:

InitiatingProcessFolderPath:  "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
InitiatingProcessCommandLine:  "powershell.exe"
AdditionalFields, Command Key: "Invoke-WebRequest"


I cannot find any information on what the parameters of the Invoke-* cmdlets were. Meaning I only see that an Invoke-WebRequest and an Invoke-Expression command were executed, but I cannot see with which parameters; respectively, I don't see the -Uri parameter (-Uri "https://openphish.com/feed.txt").Content) information.


Is this working as designed, or is there a configuration to be enabled in order to see the full PowerShell command line?


  • CurlX2305


    You will need to enable PowerShell script block logging via GPO to see the full commands that were run.

      Julian
      Brass Contributor

      PeterJ_Inobits 

      Are you sure about this? Will the log config on the endpoint decide what is logged in the Device* tables in Advanced Hunting?

    Dutchboy
    Copper Contributor
    This is because the ActionType is recorded after the command has successfully executed, not while it is being called.
    Try the below as a workaround. You might need to filter based on events, but any PowerShell process whose command line has an Invoke-WebRequest needs to be checked.

    DeviceProcessEvents
    | where FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe"
    | where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-Expression", "uri")

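As an added example, not code from the original post or from any of the replies, the following query puts the two approaches in this thread side by side and correlates them. It assumes the standard Advanced Hunting schema for DeviceEvents and DeviceProcessEvents; the cmdlet list, the 7-day window, the -Uri regex and the column names ArgsOnCommandLine, Uri and LauncherFileName are my own choices.

```kql
// Added example for this thread, not code from the original post or any reply.
// Assumes the standard Advanced Hunting schema for DeviceEvents and DeviceProcessEvents;
// the cmdlet list, the 7-day window and the -Uri regex are illustrative choices.
let cmdlets = dynamic(["Invoke-WebRequest", "Invoke-Expression", "Invoke-RestMethod", "iwr", "iex"]);
// (1) PowerShellCommand telemetry: one row per cmdlet name, never its arguments.
//     Arguments can only be recovered from InitiatingProcessCommandLine, and only when
//     they were passed to powershell.exe itself (e.g. -Command "..."); an interactive
//     session leaves just "powershell.exe" there, as in the result quoted in the post.
let psCmdlets = DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PowerShellCommand"
| extend PowershellCommand = extractjson("$.Command", AdditionalFields, typeof(string))
| where PowershellCommand in~ (cmdlets)
| extend ArgsOnCommandLine = InitiatingProcessCommandLine has_any (cmdlets)
| project Timestamp, DeviceId, DeviceName, PowershellCommand, ArgsOnCommandLine,
          InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine;
// (2) Process-creation telemetry: the full command line of the powershell.exe launch,
//     which is where -Uri shows up when the command came from cmd.exe or a launcher.
let psLaunch = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (cmdlets)
| extend Uri = extract(@"(?i)-Uri\s+[""']?(https?://[^\s""']+)", 1, ProcessCommandLine)
| project DeviceId, ProcessId, ProcessCreationTime, ProcessCommandLine, Uri,
          LauncherFileName = InitiatingProcessFileName;
// Correlate: the process that emitted the PowerShellCommand row is the process that was
// created in DeviceProcessEvents. Joining on PID plus creation time avoids PID reuse.
psCmdlets
| join kind=leftouter psLaunch
    on DeviceId, $left.InitiatingProcessId == $right.ProcessId,
       $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| project Timestamp, DeviceName, PowershellCommand, ArgsOnCommandLine, Uri,
          LauncherFileName, ProcessCommandLine
| order by Timestamp desc
```

Rows where ArgsOnCommandLine is false and Uri is empty are the interactive case from the original post: the parameters were never on a process command line, so neither table can show them, and only the cmdlet name survives in the PowerShellCommand event.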