Aug 27 2022 01:50 PM
I was testing whether I was able to detect various PowerShell commands in Advanced Hunting, and this was the result:
Via the Windows PowerShell command line I executed:
(Invoke-Webrequest -Uri "https://openphish.com/feed.txt").Content
Invoke-Expression -Command "(Invoke-Webrequest -Uri `"https://openphish.com/feed.txt`").Content"
I executed the same via cmd.exe -> calling powershell -> same requests.
Within the Advanced Query Page I have:
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string))
| where PowershellCommand startswith "Invoke-WebRequest"
Result:
InitiatingProcessFolderPath: "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
InitiatingProcessCommandLine: "powershell.exe"
AdditionalFields, Command Key: "Invoke-WebRequest"
I cannot find any information about what the parameters of the Invoke-* cmdlets were. Meaning I only see that an Invoke-WebRequest and an Invoke-Expression command were executed, but I cannot see with which parameters; respectively, I don't see the -Uri parameter (-Uri "https://openphish.com/feed.txt").Content) information.
Is this working as designed, or is there a configuration that needs to be enabled in order to see the full PowerShell command line?
Aug 28 2022 02:39 AM
Solution
You will need to enable PowerShell script block logging via GPO to see the full commands that were run.
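As an added example (not part of the answer above), the following script sets the same policy-backed registry value that the GPO "Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging" writes, runs a test script block containing the Invoke-WebRequest call from the question, and then reads the resulting 4104 events from the PowerShell Operational log to show that the full script text, including the -Uri argument, is recorded locally. It assumes an elevated session on a single host where you can edit HKLM policy keys; the test block is wrapped in try/catch so it still produces a 4104 event when the host is offline.

```powershell
# Added example, not code from the original thread.
# Enables PowerShell script block logging via the policy registry key
# (equivalent to the GPO setting) and verifies the result in Event ID 4104.
# Run elevated.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
# 1 = log the text of every script block the engine compiles (Event ID 4104).
Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
# Start/stop invocation logging (4105/4106) is very noisy; leave it off unless you need it.
Set-ItemProperty -Path $policyKey -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord

# A new PowerShell process picks up the policy at start, so run the test block
# in a child process. Passing it as -EncodedCommand avoids quoting problems;
# script block logging records the decoded text, not the Base64 string.
# The URL is the one from the question; try/catch keeps the demo working offline.
$probe = 'try { (Invoke-WebRequest -Uri "https://openphish.com/feed.txt" -UseBasicParsing).Content | Out-Null } catch { }'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))
& powershell.exe -NoProfile -EncodedCommand $encoded

# Read back the 4104 events. Property index 2 of a 4104 event is ScriptBlockText;
# Microsoft flags blocks that match its built-in suspicious patterns at Warning level,
# everything else is logged at Verbose once the policy is on.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 100 -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Properties[2].Value -match 'Invoke-WebRequest' } |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            Level           = $_.LevelDisplayName
            ScriptBlockText = $_.Properties[2].Value
        }
    } |
    Format-List
```

Expect to see the literal `Invoke-WebRequest -Uri "https://openphish.com/feed.txt" -UseBasicParsing` text in ScriptBlockText, which is exactly the parameter detail the DeviceEvents PowerShellCommand record in the question did not contain. This confirms the logging works on the endpoint itself; whether and how those events reach a particular SIEM or EDR table is a separate collection question.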
Dec 02 2022 11:29 AM
Dec 04 2022 08:47 PM
Dec 06 2022 07:57 AM
Feb 18 2024 07:29 AM
Are you sure about this - will the log config on the endpoint decide what is logged in Device*-tables in Advanced hunting?