I was testing if I was able to detect various PowerShell Commands in the Advanced Hunting and this was the result:
Via Windows Powershell CommandLine I executed:
(Invoke-Webrequest -Uri "https://openphish.com/feed.txt").Content
Invoke-Expression -Command "(Invoke-Webrequest -Uri `"https://openphish.com/feed.txt`").Content"
The same I executed via the cmd.exe ->calling powershell > same requests
Within the Advanced Query Page I have:
DeviceEvents
| where ActionType == "PowerShellCommand"
| extend PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string))
| where PowershellCommand startswith "Invoke-WebRequest"
Result:
InitiatingProcessFolderPath: "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
InitiatingProcessCommandLine: "powershell.exe"
AdditionalFields, Command Key: "Invoke-WebRequest"
I cannot find any information what the Parameters of the Invoke-* Methods have been. Meaning I only see that there was a Invoke-WebRequest and Invoke-Expression Command executed, but I cannot see with which parameters, respectively, I dont see the -Uri Parameter (-Uri "https://openphish.com/feed.txt").Content) Information.
Is this work as designed or is there a configuration to be enabled in order to see the full powershell command line?
