I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below
// Find all machines running a given Powersehll cmdlet.
let powershellCommandName = "Invoke-RickAscii";
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields contains powershellCommandNameBut if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below function can do the following:
- Generate a kql query to search for all functions included in the specified PowerShell Module, use this when you have the module already installed.
Or
- Generate a kql query to search for all functions included in the specified PowerShell module manifest file, use this when you have a module that you do not want to necessary load on your device
Below are a few examples how to use the script New-KQPSModuleFunctions (sorry I could not come up with a better name for the function )
And there we have our advanced hunting queries, automatically generated with PowerShell including all the functions included in the NetSecurity PowerShell module
And here the advanced hunting query with all the functions included in the Powersploit module
The code can be found here: https://gist.github.com/alexverboon/9ccf8af7569103397da2b8ba4079529d
That’s it, have a great day
Alex