Hunting suspicious PowerShell activity in Defender


Hello Defender 365 Community.


I'm looking for information on how PowerShell cmdlets and scripts are monitored and captured by Defender ATP. I did not find any clear answer, but my assumption is that the MsSenses.exe service oversees processes like PowerShell and reports all activity to Defender. During my investigation I found PS scripts being ingested into DeviceEvents and DeviceEvents of the Defender Schema, but when I performed a simple test running the "hostname" PS command, I found it in the device timeline but I'm not able to hunt it down in the above tables using the AH feature. What am I missing? I identified two columns where commands are parsed: ProcessCommandLine and InitiatingProcessCommandLine, but have no clue what the difference is between them.
Any good article that may enlighten me will be more than appreciated.

3 Replies
Here's a couple of KQL queries that may help explain it and the tables the information comes from...

https://github.com/rod-trent/SentinelKQL/blob/master/PowerShellExecutionwithDownload.txt
Hi Rod, this is helpful, but in my opinion you should also search keywords in the InitiatingProcessCommandLine column of both tables. My analysis showed that depending on how you run the PS command, Defender writes it differently to the table. Still, I was not able to hunt the simple "hostname" command.

For process creation events, use the MDE table DeviceProcessEvents with ActionType: ProcessCreated and look for e.g. FileName = powershell.exe | powershell_ise.exe | pwsh.exe to find PowerShell being started or used for one-liners. Documentation is at: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocesseven...
InitiatingProcessCommandLine -> Command line used to run the process that initiated the event
ProcessCommandLine -> Command line used to create the new process

For PowerShell cmdlet events, use the MDE table DeviceEvents with ActionType: PowerShellCommand. Note: for PowerShell, no ScriptBlockLogging or ModuleLogging telemetry is available in MDE :-(. It's really only cmdlets, which is mostly useless, as attackers can simply rename these. Documentation is at https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-tabl...
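As an added example (not from any of the replies above), here is one advanced hunting query that puts the two tables and the two command-line columns together for the "hostname" test from the original question. It assumes the standard MDE schema, a 7-day window, and that the cmdlet name of a PowerShellCommand event sits in the Command key of AdditionalFields; an external command such as hostname typed at a PowerShell prompt normally appears as a child process in DeviceProcessEvents, with the PowerShell launch line in InitiatingProcessCommandLine, rather than as a cmdlet event in DeviceEvents.

```kusto
// Added example, not part of the original thread.
// Hunt for "hostname" run via PowerShell across both tables described above.
let lookback = 7d;
let ps_binaries = dynamic(["powershell.exe", "powershell_ise.exe", "pwsh.exe"]);
// 1) Process creation telemetry.
//    Matches either PowerShell itself started with the text on its own command
//    line (ProcessCommandLine), or a child such as hostname.exe whose parent
//    PowerShell launch line is recorded in InitiatingProcessCommandLine.
let proc_hits = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ActionType == "ProcessCreated"
| where FileName in~ (ps_binaries) or InitiatingProcessFileName in~ (ps_binaries)
| where ProcessCommandLine has "hostname" or InitiatingProcessCommandLine has "hostname"
| project Timestamp, DeviceName, Source = "DeviceProcessEvents",
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// 2) Cmdlet telemetry.
//    Only cmdlet names are recorded here (no script block contents).
//    Assumption: the cmdlet name is stored under AdditionalFields.Command.
let cmdlet_hits = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "PowerShellCommand"
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command has "hostname"
| project Timestamp, DeviceName, Source = "DeviceEvents",
          FileName = InitiatingProcessFileName, ProcessCommandLine = Command,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Combine both views so a single result set shows where each hit came from.
union proc_hits, cmdlet_hits
| order by Timestamp desc
```

Swap "hostname" for any other keyword to compare how the same activity lands in ProcessCommandLine versus InitiatingProcessCommandLine depending on how PowerShell was invoked.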