Forum Discussion
StarScream
Mar 17, 2023, Copper Contributor
Hunting suspicious PowerShell activity in Defender
Hello Defender 365 Community. I'm looking for information on how PowerShell cmdlets and scripts are monitored and captured by Defender ATP. I did not find any clear answer, but my assumption is t...
Rod_Trent
Microsoft
Mar 17, 2023
Here's a couple of KQL queries that may help explain it and the tables the information comes from...
https://github.com/rod-trent/SentinelKQL/blob/master/PowerShellExecutionwithDownload.txt
StarScream
Mar 20, 2023, Copper Contributor
Hi Rod, this is helpful, but in my opinion you should also search for keywords in the InitiatingProcessCommandLine column of both tables. My analysis showed that, depending on how you run a PS command, Defender writes it differently to the table. Still, I was not able to hunt a simple "hostname" command.
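An added example of the approach discussed in the thread, written for this page and not taken from the posts or from the linked repository: a single Advanced Hunting query that checks both the child command line and InitiatingProcessCommandLine for a keyword across the two tables. It assumes the "both tables" in question are DeviceProcessEvents and DeviceEvents, and that PowerShell cmdlet telemetry lands in DeviceEvents under ActionType "PowerShellCommand" with the executed command in the AdditionalFields JSON; the keyword and lookback window are illustrative.

```kql
// Added example: hunt a keyword (here "hostname") in both the executing process's
// command line and the parent's command line, across the two tables assumed above.
let keyword = "hostname";   // illustrative keyword
let lookback = 7d;          // illustrative window
// Branch 1: process creations. Catches "powershell.exe -c hostname" (child command line)
// and "hostname.exe" spawned by a PowerShell host (parent command line).
let procHits = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine has keyword or InitiatingProcessCommandLine has keyword
| project Timestamp, DeviceName, Source = "DeviceProcessEvents", ActionType,
          FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 2: PowerShell command telemetry. A cmdlet or alias run inside an interactive
// session or a script does not create a process, so it is only visible here
// (assumption: the command text is in AdditionalFields.Command).
let psHits = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "PowerShellCommand"
| extend PSCommand = tostring(parse_json(AdditionalFields).Command)
| where PSCommand has keyword or InitiatingProcessCommandLine has keyword
| project Timestamp, DeviceName, Source = "DeviceEvents", ActionType,
          FileName = InitiatingProcessFileName, ProcessCommandLine = PSCommand,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Merge both branches so one result set shows which table recorded the activity.
union procHits, psHits
| order by Timestamp desc
```

Two caveats when reading the results: `has` matches whole terms, so "hostname.exe" matches but a keyword embedded in a longer token does not; and a command passed via `-EncodedCommand` will not match on ProcessCommandLine at all, since only the Base64 string appears there, which is one reason the DeviceEvents branch is worth keeping alongside the process-creation branch.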