Hunting suspicious PowerShell activity in Defender

Copper Contributor

Hello Defender 365 Communitiy.


I'm looking for information how PowerShell cmdlets and scripts being monitored and captured by Defender ATP. I did not find any clear answer, but my assumption is that MsSenses.exe service oversee processes like PowerShell and report all activity to Defender. During my investigation I found PS scripts being ingested to DeviceEvents and DeviceEvents of Defende Schema, but when I perform simple test runing "hostname" PS command I found it device timeline but I'm not able to hunt it down in above tables using AH feature. What do I miss? I identified two columns where commands being parsed: ProcessCommandLine and InitiatingProcessCommandLine but have no clue what is difference between them.
Any good article that may enlight me will be more that appreciated.

3 Replies
Here's a couple KQL queries that may help explain it and the tables the information comes from...
Hi Rod, this is helpful but in my opinion you should also search keywords in InitiatingProcessCommandLine column of both tables. My analysis showed that depends how you run PS command Defender write it differently to the table. Still I was not able to hunt simle "hostname" command

For process creation events use MDE table: DeviceProcessEvents with ActionType: ProcessCreated and look for e.g. FileName = powershell.exe | powershell_ise.exe | pwsh.exe to find powershell being started/using one-liners. Documentation is at:
InitiatingProcessCommandLine -> Command line used to run the process that initiated the event
ProcessCommandLine -> Command line used to create the new process

For PowerShell cmdlets events use MDE table: DeviceEvents with ActionType: PowerShellCommand. Note: For PowerShell no ScriptBlockLogging and ModuleLogging telemetry is available in MDE :-(. It's really only CmdLets, which is mostly useless, as attackers can simply rename these. Documentation is at