Mar 17 2023 05:22 AM
Hello Defender 365 Community.
I'm looking for information on how PowerShell cmdlets and scripts are monitored and captured by Defender ATP. I did not find any clear answer, but my assumption is that the MsSense.exe service oversees processes like PowerShell and reports all activity to Defender. During my investigation I found PS scripts being ingested into DeviceEvents and DeviceProcessEvents of the Defender schema, but when I perform a simple test running the "hostname" PS command I find it in the device timeline, yet I'm not able to hunt it down in the above tables using the AH feature. What am I missing? I identified two columns where commands are parsed, ProcessCommandLine and InitiatingProcessCommandLine, but have no clue what the difference between them is.
Any good article that may enlighten me would be more than appreciated.
Mar 29 2023 12:45 PM - edited Mar 29 2023 12:46 PM
For process creation events, use the MDE table DeviceProcessEvents with ActionType: ProcessCreated and look for, e.g., FileName = powershell.exe | powershell_ise.exe | pwsh.exe to find PowerShell being started / one-liners being used. Documentation is at: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocesseven...
InitiatingProcessCommandLine -> Command line used to run the process that initiated the event
ProcessCommandLine -> Command line used to create the new process
For PowerShell cmdlet events, use the MDE table DeviceEvents with ActionType: PowerShellCommand. Note: for PowerShell, no ScriptBlockLogging or ModuleLogging telemetry is available in MDE :-(. It's really only cmdlets, which is mostly useless, as attackers can simply rename these. Documentation is at https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-tabl...
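The following advanced hunting query is an added example, not posted by either participant in this thread. It puts the three places described in the answer side by side in one result set: PowerShell hosts being launched (DeviceProcessEvents, the one-liner lands in ProcessCommandLine), processes that PowerShell itself spawned (same table, but PowerShell is now the InitiatingProcess; a bare `hostname` call in a PowerShell prompt runs hostname.exe and shows up here, not as a cmdlet), and the cmdlet-name telemetry in DeviceEvents. The column names are the documented MDE schema columns; that the cmdlet name sits in the AdditionalFields JSON under the key `Command` is an assumption, so check one raw PowerShellCommand row in your tenant before relying on it.

```kql
// Added example for this thread, not from the original posts.
// Assumes the documented DeviceProcessEvents / DeviceEvents columns;
// the AdditionalFields key "Command" is an assumption to verify in your tenant.
let PsHosts = dynamic(["powershell.exe", "powershell_ise.exe", "pwsh.exe"]);
let lookback = 7d;
// 1) PowerShell host started: the one-liner is in ProcessCommandLine,
//    the parent (explorer, cmd, wscript, an Office app ...) is the InitiatingProcess.
let PsStarts = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ActionType == "ProcessCreated"
| where FileName in~ (PsHosts)
| project Timestamp, DeviceName, AccountName,
          Parent = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine,
          Child = FileName,
          ChildCmd = ProcessCommandLine;
// 2) Child processes spawned by PowerShell, e.g. hostname.exe from a bare `hostname`
//    call, whoami.exe, net.exe ... Here PowerShell is the InitiatingProcess.
let PsChildren = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ActionType == "ProcessCreated"
| where InitiatingProcessFileName in~ (PsHosts)
| project Timestamp, DeviceName, AccountName,
          Parent = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine,
          Child = FileName,
          ChildCmd = ProcessCommandLine;
// 3) Cmdlet-level telemetry: only the cmdlet name, no script block or arguments.
let PsCmdlets = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "PowerShellCommand"
| extend Cmdlet = tostring(parse_json(AdditionalFields).Command)   // assumed key
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          Parent = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine,
          Child = "",
          ChildCmd = Cmdlet;
union PsStarts, PsChildren, PsCmdlets
// Flag the usual suspects on the command line; tune to your environment.
| extend Suspicious = ChildCmd has_any ("-enc", "-EncodedCommand", "-nop", "-w hidden",
                                        "DownloadString", "IEX", "Invoke-Expression")
| order by Timestamp desc
```

To reproduce the asker's test, run `hostname` in a PowerShell prompt on an onboarded device and then filter the result on `Child =~ "hostname.exe"`: the row comes from part 2 of the union, with Parent = powershell.exe, which is why it was visible in the device timeline but not under a search on cmdlet events. Because part 3 only ever yields the cmdlet name, a renamed or aliased cmdlet will still record the real cmdlet invoked in the host, but the arguments and any script body are not present in MDE telemetry, matching the caveat in the answer above.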