Tuesday, July 31, 2018

Hunting for PowerShell with WDATP Advanced Hunting

Advanced Hunting is one of the fantastic new features in the latest version of WDATP. I thought I would show you how to hunt to see if an encoded PowerShell script has been run in your environment.

First off, let's talk about Advanced Hunting. AH uses a query language that internally we call Kusto; we now offer Kusto to the public as well, where it's called "Application Insights Analytics".

With Advanced Hunting, we can proactively search and investigate across all of your organization's data. You can query for all kinds of things, like process creation events, network communication events, and yes, even PowerShell events.

Let's get started. I'm assuming you have a WDATP environment to work from (if not, get the trial here) and that you know how to log in (go to https://securitycenter.microsoft.com).

Once you're there, select the icon circled in red below.
You can see the Schema properties, along the left hand side of the screen.

(screenshot: the Advanced Hunting icon and the Schema pane on the left)

Once you're there, let's start a new query by clicking on the word "Query" just above the dark blue box that says "Let's start hunting." Kusto is like PowerShell in that it will autocomplete and suggest selections for you.

Let's start by using the Schema property of ProcessCreationEvents. You can see how the text begins to autofill as soon as I start typing.

Here is our full Query.

(screenshot: the full query in the Advanced Hunting editor)

We are searching ProcessCreationEvents for rows where the InitiatingProcessFileName is like (=~) "powershell.exe" and the InitiatingProcessCommandLine "contains" the three letters "enc", for encoded. We could have queried for the InitiatingProcessCommandLine to be exactly equal to (==) "encoded", but that returns no data, since the full command line is never just that string. For our purposes here, the "contains" operator works best.

The project operator selects which columns to include, if there are specific ones you would like to see. We could have left it out and the query would have returned the default columns.
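Here is the query as the two paragraphs above describe it, written out as an added example (a reconstruction from the prose, not the text of the screenshot from the original post); the EventTime column is assumed from the ProcessCreationEvents schema, the other names are the ones the post uses.

```kusto
// Added example: the hunt described in the post, reconstructed from the prose.
// Assumption: EventTime is the timestamp column of ProcessCreationEvents.
ProcessCreationEvents
// =~ is case-insensitive equality, so PowerShell.exe and POWERSHELL.EXE match too.
| where InitiatingProcessFileName =~ "powershell.exe"
// contains is a case-insensitive substring test, so "enc" matches -EncodedCommand
// and the -enc abbreviation (it does not match the shorter -e / -ec short forms).
| where InitiatingProcessCommandLine contains "enc"
// Keep only the columns we want to read; without project you get the default set.
| project EventTime, ComputerName, InitiatingProcessFileName, InitiatingProcessCommandLine
// Newest hits first.
| order by EventTime desc
```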

Now for the fun part. Select Run and here is what we get.

(screenshot: the query results, one row per encoded PowerShell invocation)

We now have a list of all the times PowerShell has been run with -EncodedCommand. We can click on the ComputerName to be taken directly to the machine so we can do more research.

There are so many cool things we can do with Advanced Hunting. Come on back and we'll look at some other queries soon.