nathanmcnulty/EdgeWDAC-MDEKQL.txt

## EdgeWDAC-MDEKQL.txt
DeviceProcessEvents
| where FileName in ("AT.EXE","bash.exe","BitLockerWizard.exe","BitLockerWizardElev.exe","Bubbles","calc.exe","CDB.Exe","CertUtil.exe","charmap.exe","CLEANMGR.DLL","ClientConsole.EXE","Cmd.Exe","CMDL32.EXE","colorcpl.exe","ComputerDefaults.EXE","CONTROL.EXE","Credwiz.exe","CryptExt.dll","Csc.Exe","cscript.exe","csi.Exe","dccw.exe","DeviceEject.EXE","DeviceParing.exe","DeviceParing.exe","DeviceProperties.exe","dfshim.dll","DIALER.EXE","DISKPERF.EXE","dnx.Exe","DOSKEY.EXE","dsquery.dll","dvdplay","eventvwr.exe","expand","FC.EXE","FIND.EXE","FINDSTR.EXE","finger.exe","FONTVIEW.EXE","forfiles.exe","format.com","fsi.exe","FXSSVC.EXE","gprslt.exe","GPSCRIPT.EXE","GPUpdate.exe","Help.Exe","HH.exe","HWRREG.EXE","iexplore.exe","infdefaultinstall.exe","irftp.exe","iscsicli.exe","iscsicpl.exe","ISOBURN.EXE","Journal.exe","kd.Exe","LaunchTM.exe","lxrun.exe","lxssmanager.dll","lxssmanager.exe","manage-bde.exe","mip.exe","mmc.exe","mobsync.exe","MORE.COM","MSBuild.Exe","msconfig.EXE","msdt.exe","mshta.exe","msiexec.exe","mspaint.exe","msra.exe","MSRATING.DLL","mstsc.exe","Mystify","nbtinfo.exe","NETPLWIZ.EXE","netstat.exe","nslookup.exe","ntprint.exe","ntsd.Exe","odbcad32.exe","odbcconf.exe","OneDriveSetup.exe","OpenWith.exe","OptionalFeatures.EXE","pcalua.exe","pcaui.exe","pcwrun.exe","phoneactivate.exe","PhotoScreensaver.scr.mui","PhotoViewer.dll","ping.exe","PnPutil.exe","PowerCfg.exe","powershell.exe","powershellcustomhost.exe","powershell_ise.exe","PresentationHost.exe","Print.Exe","PrintBrmUi.exe","printui.exe","proquota.exe","psr.exe","Pwcreator.exe","Pwlauncher.exe","qappsrv.exe","qprocess.exe","query.exe","QuickAssist.exe","quser.exe","qwinsta.exe","RASDIAL.EXE","rasdlui.exe","raserver.exe","rasphone.exe","rcsi.Exe","regedit.exe","regedt32.exe","regini.exe","REPLACE.EXE","reset.exe","resmon.exe","Ribbons","robocopy.exe","route.exe","RpcPing.exe","rrinstaller.exe","RUNAS.EXE","RunLegacyCPLElevated.EXE","RUNONCE.EXE","runscripthelper.exe","samlock.exe","schtasks.exe","ScriptRunner.exe","scrnsave","sdbinst.exe","sdchange.exe","sdclt.exe","SessionMsg.exe","SetupPrep.exe","shrpubw.exe","SndVol.exe","SnippingTool.exe","SpaceAgent.exe","SSystemPropertiesProtection.EXE","StikyNot.exe","SystemPropertiesAdvanced.EXE","SystemPropertiesComputerName.EXE","SystemPropertiesDataExecutionPrevention.EXE","SystemPropertiesHardware.EXE","SystemPropertiesPerformance.EXE","SystemPropertiesRemote.EXE","Taskmgr.exe","TCMSETUP.EXE","Text3D","unregmp2.exe","WAB.EXE","wbemtest.exe","WIAACMGR.EXE","windbg.Exe","WINHLP32.EXE","WinSAT.exe","wksprt.exe","WmiApSrv.exe","wmic.exe","wmicookr.dll","wmplayer.exe","WorkFolders.exe","WpcMon.exe","write","wscript.exe","wsl.exe","wslconfig.exe","wslhost.exe","XCOPY.EXE","xpsrchvw.exe")
| summarize  count() by FileName
| sort by count_
	DeviceProcessEvents
	\| where FileName in ("AT.EXE","bash.exe","BitLockerWizard.exe","BitLockerWizardElev.exe","Bubbles","calc.exe","CDB.Exe","CertUtil.exe","charmap.exe","CLEANMGR.DLL","ClientConsole.EXE","Cmd.Exe","CMDL32.EXE","colorcpl.exe","ComputerDefaults.EXE","CONTROL.EXE","Credwiz.exe","CryptExt.dll","Csc.Exe","cscript.exe","csi.Exe","dccw.exe","DeviceEject.EXE","DeviceParing.exe","DeviceParing.exe","DeviceProperties.exe","dfshim.dll","DIALER.EXE","DISKPERF.EXE","dnx.Exe","DOSKEY.EXE","dsquery.dll","dvdplay","eventvwr.exe","expand","FC.EXE","FIND.EXE","FINDSTR.EXE","finger.exe","FONTVIEW.EXE","forfiles.exe","format.com","fsi.exe","FXSSVC.EXE","gprslt.exe","GPSCRIPT.EXE","GPUpdate.exe","Help.Exe","HH.exe","HWRREG.EXE","iexplore.exe","infdefaultinstall.exe","irftp.exe","iscsicli.exe","iscsicpl.exe","ISOBURN.EXE","Journal.exe","kd.Exe","LaunchTM.exe","lxrun.exe","lxssmanager.dll","lxssmanager.exe","manage-bde.exe","mip.exe","mmc.exe","mobsync.exe","MORE.COM","MSBuild.Exe","msconfig.EXE","msdt.exe","mshta.exe","msiexec.exe","mspaint.exe","msra.exe","MSRATING.DLL","mstsc.exe","Mystify","nbtinfo.exe","NETPLWIZ.EXE","netstat.exe","nslookup.exe","ntprint.exe","ntsd.Exe","odbcad32.exe","odbcconf.exe","OneDriveSetup.exe","OpenWith.exe","OptionalFeatures.EXE","pcalua.exe","pcaui.exe","pcwrun.exe","phoneactivate.exe","PhotoScreensaver.scr.mui","PhotoViewer.dll","ping.exe","PnPutil.exe","PowerCfg.exe","powershell.exe","powershellcustomhost.exe","powershell_ise.exe","PresentationHost.exe","Print.Exe","PrintBrmUi.exe","printui.exe","proquota.exe","psr.exe","Pwcreator.exe","Pwlauncher.exe","qappsrv.exe","qprocess.exe","query.exe","QuickAssist.exe","quser.exe","qwinsta.exe","RASDIAL.EXE","rasdlui.exe","raserver.exe","rasphone.exe","rcsi.Exe","regedit.exe","regedt32.exe","regini.exe","REPLACE.EXE","reset.exe","resmon.exe","Ribbons","robocopy.exe","route.exe","RpcPing.exe","rrinstaller.exe","RUNAS.EXE","RunLegacyCPLElevated.EXE","RUNONCE.EXE","runscripthelper.exe","samlock.exe","schtasks.exe","ScriptRunner.exe","scrnsave","sdbinst.exe","sdchange.exe","sdclt.exe","SessionMsg.exe","SetupPrep.exe","shrpubw.exe","SndVol.exe","SnippingTool.exe","SpaceAgent.exe","SSystemPropertiesProtection.EXE","StikyNot.exe","SystemPropertiesAdvanced.EXE","SystemPropertiesComputerName.EXE","SystemPropertiesDataExecutionPrevention.EXE","SystemPropertiesHardware.EXE","SystemPropertiesPerformance.EXE","SystemPropertiesRemote.EXE","Taskmgr.exe","TCMSETUP.EXE","Text3D","unregmp2.exe","WAB.EXE","wbemtest.exe","WIAACMGR.EXE","windbg.Exe","WINHLP32.EXE","WinSAT.exe","wksprt.exe","WmiApSrv.exe","wmic.exe","wmicookr.dll","wmplayer.exe","WorkFolders.exe","WpcMon.exe","write","wscript.exe","wsl.exe","wslconfig.exe","wslhost.exe","XCOPY.EXE","xpsrchvw.exe")
	\| summarize count() by FileName
	\| sort by count_