Last active
June 5, 2021 13:50
MDE-CMPivotEvents
// Use the query below to find the Microsoft Endpoint Configuration Manager (MECM) CMPivot-initiated queries executed on devices.
// CMPivot runs its collection as a PowerShell script from the client-side ScriptStore folder and passes the WMI query
// to that script as a base64-encoded -wmiquery parameter; the steps below pull that parameter out of the command line and decode it.
DeviceEvents
// | where DeviceName == "client01.corp.net"
| where ActionType == "PowerShellCommand"
| where InitiatingProcessCommandLine contains @"C:\windows\CCM\ScriptStore"
// Tokenise the command line the way Windows would, then keep only invocations that carry the -wmiquery parameter
| extend pcommand = parse_command_line(InitiatingProcessCommandLine, "windows")
| where pcommand contains "-wmiquery"
// Everything after -wmiquery holds the encoded query; expand so that each occurrence becomes its own row
| extend pcommand2 = split(tostring(pcommand), "-wmiquery")
| mv-expand pcommand2
| where pcommand2 contains "ConvertTo-Json"
// Strip the "E:" prefix, keep the part before the pipe into ConvertTo-Json, then drop the quotes and surrounding whitespace
| extend encoded = replace_string(tostring(pcommand2), "E:", "")
| extend encoded1 = replace_string(tostring(split(encoded, "|")[0]), "'", "")
// base64_decode_tostring returns an empty string when the value is not valid base64, so an empty wmiquery means the parse failed
| extend wmiquery = base64_decode_tostring(trim(@'\s*', encoded1))
| summarize by DeviceName, wmiquery
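As an added example that is not part of the gist: an offline Python harness that mirrors the query's string handling (ActionType and ScriptStore path filters, split on -wmiquery, "E:" removal, cut at the pipe, quote removal, trim, base64 decode, distinct by device) over a few constructed DeviceEvents rows, so the extraction steps can be checked without a tenant. It works on the raw command line and skips parse_command_line. The command-line shape, device names and script names are assumptions chosen to match what the query expects; they are not captured CMPivot telemetry.

```python
import base64
import binascii

# Path the hunting query filters on; KQL `contains` is case-insensitive, so compare lowercased.
SCRIPTSTORE = r"C:\windows\CCM\ScriptStore"


def b64(text: str) -> str:
    """Encode a query the way the sample rows below carry it (UTF-8, standard base64)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample rows (not real telemetry). The -wmiquery 'E:<base64>' | ConvertTo-Json
# shape is an assumption that matches what the KQL query parses.
QUERY_1 = "SELECT Name, Version FROM Win32_Product"
QUERY_2 = "SELECT Name, State FROM Win32_Service"
SAMPLE_EVENTS = [
    {   # CMPivot-shaped invocation: should decode to QUERY_1
        "DeviceName": "client01.corp.net",
        "ActionType": "PowerShellCommand",
        "InitiatingProcessCommandLine":
            "powershell.exe -ExecutionPolicy Bypass -File " + SCRIPTSTORE + "\\abc123.ps1"
            " -wmiquery 'E:" + b64(QUERY_1) + "' | ConvertTo-Json",
    },
    {   # same shape, path in different case: the case-insensitive filter must still match
        "DeviceName": "client02.corp.net",
        "ActionType": "PowerShellCommand",
        "InitiatingProcessCommandLine":
            "powershell.exe -File c:\\Windows\\ccm\\scriptstore\\def456.ps1"
            " -wmiquery 'E:" + b64(QUERY_2) + "' | ConvertTo-Json",
    },
    {   # parameter present but not valid base64: decodes to "" (parse failure, not "no query")
        "DeviceName": "client03.corp.net",
        "ActionType": "PowerShellCommand",
        "InitiatingProcessCommandLine":
            "powershell.exe -File " + SCRIPTSTORE + "\\ghi789.ps1"
            " -wmiquery 'E:not base64!' | ConvertTo-Json",
    },
    {   # unrelated PowerShell activity: no ScriptStore path, dropped
        "DeviceName": "client04.corp.net",
        "ActionType": "PowerShellCommand",
        "InitiatingProcessCommandLine": "powershell.exe -Command Get-Process",
    },
    {   # right path, wrong ActionType: dropped
        "DeviceName": "client05.corp.net",
        "ActionType": "ProcessCreated",
        "InitiatingProcessCommandLine":
            "powershell.exe -File " + SCRIPTSTORE + "\\abc123.ps1 -wmiquery 'E:" + b64(QUERY_1) + "' | ConvertTo-Json",
    },
]


def decode_wmiquery(piece: str) -> str:
    """Mirror of the replace/split/trim/base64_decode_tostring chain on one -wmiquery piece."""
    encoded = piece.replace("E:", "")                     # replace_string(..., "E:", "")
    encoded1 = encoded.split("|")[0].replace("'", "")     # split(..., "|")[0], drop quotes
    candidate = encoded1.strip()                          # trim(@'\s*', ...)
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""  # Kusto's base64_decode_tostring yields "" for invalid input


def hunt(events) -> set:
    """Mirror of the query: distinct (DeviceName, wmiquery) pairs, like `summarize by`."""
    results = set()
    for ev in events:
        if ev.get("ActionType") != "PowerShellCommand":
            continue
        cmd = ev.get("InitiatingProcessCommandLine", "")
        if SCRIPTSTORE.lower() not in cmd.lower():        # `contains` is case-insensitive
            continue
        if "-wmiquery" not in cmd.lower():
            continue
        for piece in cmd.split("-wmiquery"):              # split + mv-expand
            if "convertto-json" not in piece.lower():     # `contains "ConvertTo-Json"`
                continue
            results.add((ev["DeviceName"], decode_wmiquery(piece)))
    return results


if __name__ == "__main__":
    for device, query in sorted(hunt(SAMPLE_EVENTS)):
        print(f"{device}\t{query!r}")
```

The third row is the one to watch in real output: a device that shows up with an empty wmiquery has a ScriptStore invocation whose parameter did not decode, which deserves a look at the raw command line rather than being read as "no query".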