| where ProcessCommandLine has "Net.WebClient", or ProcessCommandLine has "Invoke-WebRequest", or ProcessCommandLine has "Invoke-Shellcode", Only looking for PowerShell events where the used command line is any of the mentioned ones in the query, | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine, Makes sure the outcome only shows EventTime, ComputerName, InitiatingProcessFileName, FileName and ProcessComandLine, Ensures that the records are ordered by the top 100 of the EventTime, Identifying Base64 decoded payload execution. Here are some sample queries and the resulting charts. Image 10: Example query that returns the last 5 rows of ProcessCreationEvents where FileName was powershell.exe or cmd.exe, note this time we are using = which makes it case sensitive and where the outcome is filtered to show you EventTime, ComputerName and ProcessCommandLine.
You will only need to do this once across all repositories using our CLA.
0 kommentar(er)
