Advanced Hunting Query Powershell Command Line


I was testing whether I was able to detect various PowerShell commands in Advanced Hunting, and this was the result:


Via Windows Powershell CommandLine I executed:

(Invoke-Webrequest -Uri "").Content
Invoke-Expression -Command "(Invoke-Webrequest -Uri `"`").Content"

I executed the same via cmd.exe -> calling powershell -> same requests.


Within the Advanced Query Page I have:

DeviceEvents
| where ActionType == "PowerShellCommand"
| extend PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string))
| where PowershellCommand startswith "Invoke-WebRequest"


InitiatingProcessFolderPath:  "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
InitiatingProcessCommandLine:  "powershell.exe"
AdditionalFields, Command Key: "Invoke-WebRequest"

I cannot find any information about what the parameters of the Invoke-* methods were. Meaning I only see that an Invoke-WebRequest and an Invoke-Expression command were executed, but I cannot see with which parameters; respectively, I don't see the -Uri parameter ((-Uri "").Content) information.


Is this working as designed, or is there a configuration to be enabled in order to see the full PowerShell command line?


3 Replies
best response confirmed by CurlX2305 (New Contributor)



You will need to enable PowerShell script block logging via GPO to see the full commands that were run.



Did you ever find a solution to this? 

This is because the ActionType is detected after the command has successfully executed, not while it is being called.
Try the below as a workaround. You might need to filter based on events, but PowerShell which has an Invoke-WebRequest needs to be checked.

DeviceProcessEvents
| where FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-Expression", "uri")
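Putting the accepted answer and the workaround together, as an added example that is not part of this thread: the workaround query can only match what was passed on the process command line, so a cmdlet typed into an already-running session (the poster's case, where InitiatingProcessCommandLine is just "powershell.exe") leaves nothing for has_any to hit. Script block logging records the text of each script block PowerShell compiles, parameters included, as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The script below writes the same registry values the GPO setting sets (for a lab host; in a domain use the GPO, since a policy refresh overwrites locally written values), generates a test event, then reads the 4104 events back with Get-WinEvent and filters for the cmdlets in question. The function names, the regex pattern and the placeholder URL are my own choices, not anything from the thread.

```powershell
# Added example, not from the original thread. Writes the registry values that the
# "Turn on PowerShell Script Block Logging" policy sets, then reads the resulting
# 4104 events back so the full command text (including -Uri) is visible.
# Assumption: run elevated on a lab host. In a domain, set this through GPO instead;
# a policy refresh would overwrite the values written here.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSScriptBlockLogging {
    # Same key and value as: Computer Configuration > Administrative Templates >
    # Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging
    $key = Join-Path $PolicyRoot 'ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # PowerShell processes started after this point log their script blocks.
}

function Get-LoggedScriptBlocks {
    param(
        # The cmdlets the thread is hunting for, plus their default aliases: the
        # logged text is the command as typed, not a resolved cmdlet name.
        [string]$Pattern = 'Invoke-WebRequest|Invoke-Expression|\biwr\b|\biex\b',
        [int]$MaxEvents = 500
    )
    # Event 4104 properties, in order: MessageNumber, MessageTotal, ScriptBlockText,
    # ScriptBlockId, Path. Long scripts are split over several 4104 events that share
    # one ScriptBlockId; Path is empty for input typed into an interactive session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Part          = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
                Path          = $_.Properties[4].Value
                Text          = $_.Properties[2].Value
            }
        } |
        Where-Object { $_.Text -match $Pattern }
}

Enable-PSScriptBlockLogging

# Generate a test event in a fresh process. The URL is a placeholder chosen for this
# example; the request fails, but the script block is logged when it is compiled.
& powershell.exe -NoProfile -Command "(Invoke-WebRequest -Uri 'https://example.invalid/').Content" 2>$null

# The -Uri value is now readable in Text, which neither the PowerShellCommand
# ActionType nor an interactive session's ProcessCommandLine would show.
Get-LoggedScriptBlocks | Select-Object -First 5 | Format-List Time, Path, Text
```

Get-WinEvent returns newest events first, so the test command is at the top of the output. A non-empty Path means the block came from a script file; an empty Path with the cmdlet in Text is the interactive case that the DeviceProcessEvents workaround cannot see. The DeviceEvents PowerShellCommand row is still useful as the pivot: its timestamp and device identify which 4104 event to pull.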