Forum Discussion
Advanced Hunting Query Powershell Command Line
I was testing if I was able to detect various PowerShell Commands in the Advanced Hunting and this was the result:
Via Windows Powershell CommandLine I executed:
(Invoke-Webrequest -Uri "https://openphish.com/feed.txt").Content
Invoke-Expression -Command "(Invoke-Webrequest -Uri `"https://openphish.com/feed.txt`").Content"
I executed the same via cmd.exe, calling powershell, with the same requests.
Within the Advanced Query Page I have:
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string))
| where PowershellCommand startswith "Invoke-WebRequest"
Result:
InitiatingProcessFolderPath: "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
InitiatingProcessCommandLine: "powershell.exe"
AdditionalFields, Command Key: "Invoke-WebRequest"
I cannot find any information on what the parameters of the Invoke-* methods have been. Meaning I only see that an Invoke-WebRequest and an Invoke-Expression command was executed, but I cannot see with which parameters; respectively, I don't see the -Uri parameter ((-Uri "https://openphish.com/feed.txt").Content) information.
Is this working as designed, or is there a configuration to be enabled in order to see the full PowerShell command line?
You will need to enable Powershell script block logging via GPO to see the full commands that were run
- PeterJ_Inobits (Iron Contributor)
You will need to enable Powershell script block logging via GPO to see the full commands that were run
- JulianBrass (Contributor)
Are you sure about this - will the log config on the endpoint decide what is logged in Device*-tables in Advanced hunting?
- AndyP2000 (Copper Contributor)
- Dutchboy (Copper Contributor)
This is because the ActionType is detected after the command has successfully executed, not while it is being called.
Try the below as a workaround; you might need to filter based on events, but PowerShell which has an Invoke-WebRequest needs to be checked.
DeviceProcessEvents
| where FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-Expression", "uri")
- AndyP2000 (Copper Contributor)
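As an added example, not code from the thread: because the PowerShellCommand event carries only the cmdlet name, what the DeviceEvents table can still give a defender is the sequence of cmdlets run inside each powershell host process. The query below assumes the documented DeviceEvents columns (InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessAccountName, InitiatingProcessParentFileName) and groups the events per process, then surfaces sessions that combine a download cmdlet with an execution cmdlet; it cannot recover the -Uri argument, which only the process command line (DeviceProcessEvents) or script block logging would show.

```kql
// Added example: reconstruct each PowerShell session's cmdlet sequence from
// PowerShellCommand events (cmdlet names only) and flag download + execute pairs.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "PowerShellCommand"
| extend PowershellCommand = tostring(parse_json(AdditionalFields).Command)
// One row per powershell host process. Grouping on the process creation time
// as well as the PID avoids merging sessions whose PIDs were reused.
| summarize
    SessionStart = min(Timestamp),
    SessionEnd   = max(Timestamp),
    CmdletCount  = count(),
    Cmdlets      = make_list(PowershellCommand, 50)
  by DeviceId, DeviceName,
     InitiatingProcessId, InitiatingProcessCreationTime,
     InitiatingProcessCommandLine, InitiatingProcessParentFileName,
     InitiatingProcessAccountName
// Cmdlet lists are assumed to hold normalized names such as "Invoke-WebRequest",
// matching what the thread shows in the Command key of AdditionalFields.
| extend HasDownload = Cmdlets has_any ("Invoke-WebRequest", "Invoke-RestMethod", "Start-BitsTransfer"),
         HasExecute  = Cmdlets has_any ("Invoke-Expression", "Invoke-Command", "Start-Process")
| where HasDownload and HasExecute
| project SessionStart, SessionEnd, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessParentFileName, InitiatingProcessCommandLine,
          CmdletCount, Cmdlets
| order by SessionStart desc
```

The InitiatingProcessCommandLine column is the same value the original post saw ("powershell.exe"), so for interactive sessions the parent process name and the cmdlet list are the useful context; for scripts launched with -Command or -EncodedCommand the full arguments appear there and in DeviceProcessEvents.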