Forum Discussion
Hunting suspicious PowerShell activity in Defender
For process creation events use the MDE table DeviceProcessEvents with ActionType: ProcessCreated and look for e.g. FileName = powershell.exe | powershell_ise.exe | pwsh.exe to find PowerShell being started or used for one-liners. Documentation is at: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
InitiatingProcessCommandLine -> Command line used to run the process that initiated the event
ProcessCommandLine -> Command line used to create the new process
For PowerShell cmdlet events use the MDE table DeviceEvents with ActionType: PowerShellCommand. Note: For PowerShell, no ScriptBlockLogging or ModuleLogging telemetry is available in MDE :-(. It's really only cmdlets, which is mostly useless, as attackers can simply rename these. Documentation is at https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide
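As an added example (not part of the post above), here is one way to combine the two tables in an advanced hunting query: it picks PowerShell launches from DeviceProcessEvents whose command line carries switches that legitimate admin scripts rarely combine, then joins the cmdlets MDE recorded for each of those processes from DeviceEvents. It assumes the cmdlet name sits in AdditionalFields under the Command key (as in Microsoft's own sample queries); the keyword list, parent-process list and lookback window are assumptions to tune.

```kql
// Added example, not from the original post. Hunts PowerShell launches with
// common evasion switches and attaches the cmdlets MDE logged for them.
// Keyword list, parent list and lookback are assumptions; tune for your estate.
let lookback = 7d;
let ps_hosts = dynamic(["powershell.exe", "powershell_ise.exe", "pwsh.exe"]);
let suspicious_ps =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ProcessCreated"
    | where FileName in~ (ps_hosts)
    // Terms typical of encoded, hidden or download-cradle one-liners
    | where ProcessCommandLine has_any ("encodedcommand", "enc", "noprofile", "nop",
                                        "hidden", "bypass", "downloadstring",
                                        "iex", "invoke-expression")
    // An Office app, browser or script host as parent is a stronger signal
    | extend SuspiciousParent = InitiatingProcessFileName in~ ("winword.exe", "excel.exe",
                                  "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    | project Timestamp, DeviceId, DeviceName, AccountName, ProcessId, ProcessCreationTime,
              ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
              SuspiciousParent;
// Cmdlet telemetry: the invoked cmdlet name is carried in AdditionalFields.Command
let cmdlets =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "PowerShellCommand"
    | extend Cmdlet = tostring(parse_json(AdditionalFields).Command)
    // One row per PowerShell process with the set of cmdlets it ran (max 50)
    | summarize Cmdlets = make_set(Cmdlet, 50)
        by DeviceId, InitiatingProcessId, InitiatingProcessCreationTime;
suspicious_ps
// Match cmdlet rows to the process by device, PID and creation time (PIDs get reused)
| join kind=leftouter cmdlets on DeviceId,
    $left.ProcessId == $right.InitiatingProcessId,
    $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project-away DeviceId1, InitiatingProcessId, InitiatingProcessCreationTime
| order by SuspiciousParent desc, Timestamp desc
```

Rows with an empty Cmdlets column are launches for which MDE recorded no cmdlet at all, which is itself worth a look given that only cmdlet names (not script blocks) are logged.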