Query Details

Show the last 100 Powershell executions from a compromised device

MDE Most Recent Powershell Executions By Compromised Device

Query

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where not(AccountSid == "S-1-5-18") // If you suspect that the system user is compromised, remove this filter.
| where InitiatingProcessFileName == "powershell.exe"
| sort by TimeGenerated
| top 100 by TimeGenerated
| project
     TimeGenerated,
     DeviceName,
     ActionType,
     FileName,
     ProcessCommandLine,
     AccountDomain,
     AccountName,
     InitiatingProcessCommandLine

About this query

Show the last 100 Powershell executions from a compromised device


Defender XDR

let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where not(AccountSid == "S-1-5-18") // If you suspect that the system user is compromised, remove this filter.
| where InitiatingProcessFileName == "powershell.exe"
| sort by Timestamp
| top 100 by Timestamp
| project
     Timestamp,
     DeviceName,
     ActionType,
     FileName,
     ProcessCommandLine,
     AccountDomain,
     AccountName,
     InitiatingProcessCommandLine

Sentinel

Explanation

This query is designed to retrieve the last 100 instances of PowerShell being executed on a specific device that is suspected to be compromised. Here's a simple breakdown of what the query does:

  1. Target Device: The query focuses on a device named "laptop.contoso.com", which is believed to be compromised.

  2. Time Frame: It looks at events that occurred within the last 48 hours. This time window can be adjusted by changing the SearchWindow variable.

  3. Event Source: It filters events from the DeviceProcessEvents table, which logs process activities on devices.

  4. Exclusion of System Account: The query excludes events initiated by the system account (AccountSid "S-1-5-18"), unless there's a suspicion that this account might also be compromised.

  5. PowerShell Executions: It specifically looks for processes where the initiating process is "powershell.exe", indicating PowerShell script executions.

  6. Sorting and Limiting Results: The results are sorted by the time they were generated, and only the most recent 100 entries are selected.

  7. Output Details: The query projects (selects) specific details for each event, including:

    • Timestamp of the event
    • Device name
    • Type of action performed
    • Name of the file involved
    • Command line used to execute the process
    • Domain and name of the account that executed the process
    • Command line of the initiating process

This query is useful for security analysts to quickly review recent PowerShell activities on a potentially compromised device, helping them identify suspicious or unauthorized actions.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampNameActionTypeFileCommandLineAccountDomainInitiating

Operators

letago()wherenotsort bytopproject

Actions

GitHub