Use ProcessCommandLine rather than InitiatingProcessCommandLine: the recon commands are the child processes spawned by the injected parent, so the child's own command line is the one to inspect.
// Hunting query: flag a device that runs three or more distinct discovery /
// reconnaissance command lines within the same 5-minute window, where each
// command was launched by one of two named parent processes.
// The commit message describes those parents as injected; the query itself
// only checks the parent's file name and carries no injection evidence.
// The tool-specific argument checks are applied to the child's own
// ProcessCommandLine, not to the parent's InitiatingProcessCommandLine.
DeviceProcessEvents
// Parent-name filter; in~ is case-insensitive.
| where InitiatingProcessFileName in~ ('mobsync.exe', 'explorer.exe')
// One predicate per tool. A single FileName can satisfy at most one of the
// =~ tests, so this case() is equivalent to or-ing the per-tool conditions;
// any other FileName falls through to false.
// NOTE(review): the ping branch keys on a loopback target with -t, presumably
// the "ping as sleep" pattern — confirm that is the intended signal.
| extend IsDiscoveryCommand = case(
    FileName =~ 'net.exe',      ProcessCommandLine has_all ('view', '/all'),
    FileName =~ 'whoami.exe',   ProcessCommandLine has '/all',
    FileName =~ 'nslookup.exe', ProcessCommandLine has_all ('querytype=ALL', 'timeout=10'),
    FileName =~ 'netstat.exe',  ProcessCommandLine has '-nao',
    FileName =~ 'arp.exe',      ProcessCommandLine has '-a',
    FileName =~ 'ping.exe',     ProcessCommandLine has '-t' and ProcessCommandLine endswith '127.0.0.1',
    false)
| where IsDiscoveryCommand
// Aggregate per device and 5-minute bucket. Output column names are spelled
// out explicitly and match the defaults KQL would assign (set_<column>).
// DiscoveryCommands counts distinct command-line strings, so the same tool
// run with different arguments counts more than once toward the threshold.
| summarize
    DiscoveryCommands = dcount(ProcessCommandLine),
    set_InitiatingProcessFileName = make_set(InitiatingProcessFileName),
    set_FileName = make_set(FileName),
    set_ProcessCommandLine = make_set(ProcessCommandLine)
    by DeviceId, Timestamp = bin(Timestamp, 5m)
// Detection threshold: at least three distinct discovery command lines per
// device per window; tune this value against local baseline noise.
| where DiscoveryCommands >= 3
Use ProcessCommandLine rather than InitiatingProcessCommandLine: the recon commands are the child processes spawned by the injected parent, so the child's own command line is the one to inspect.
// Hunting query: surface devices where at least three distinct discovery /
// reconnaissance command lines ran in one 5-minute window, each started by
// one of two named parent processes.
// The commit message describes those parents as injected; the query checks
// only the parent's file name, not any injection indicator.
// Argument matching is done on the child's ProcessCommandLine, not on the
// parent's InitiatingProcessCommandLine.
DeviceProcessEvents
// Parent filter written as two case-insensitive equality tests (=~), which
// is the same test as in~ over the two names.
| where InitiatingProcessFileName =~ 'mobsync.exe'
     or InitiatingProcessFileName =~ 'explorer.exe'
// Per-tool argument checks, one clause per line; a row passes if any
// clause holds for its FileName.
// NOTE(review): the ping clause requires -t plus a loopback target,
// presumably the "ping as sleep" pattern — confirm this is intended.
| where (FileName =~ 'net.exe'      and ProcessCommandLine has_all ('view', '/all'))
     or (FileName =~ 'whoami.exe'   and ProcessCommandLine has '/all')
     or (FileName =~ 'nslookup.exe' and ProcessCommandLine has_all ('querytype=ALL', 'timeout=10'))
     or (FileName =~ 'netstat.exe'  and ProcessCommandLine has '-nao')
     or (FileName =~ 'arp.exe'      and ProcessCommandLine has '-a')
     or (FileName =~ 'ping.exe'     and ProcessCommandLine has '-t' and ProcessCommandLine endswith '127.0.0.1')
// Group by device and 5-minute bucket. The explicit output names equal the
// defaults KQL assigns to unnamed make_set() aggregations (set_<column>).
// dcount() counts distinct command-line strings, so one tool invoked with
// differing arguments contributes more than once.
| summarize
    DiscoveryCommands = dcount(ProcessCommandLine),
    set_InitiatingProcessFileName = make_set(InitiatingProcessFileName),
    set_FileName = make_set(FileName),
    set_ProcessCommandLine = make_set(ProcessCommandLine)
    by DeviceId, Timestamp = bin(Timestamp, 5m)
// Threshold: three or more distinct discovery command lines per device and
// window; adjust to the environment's observed baseline.
| where DiscoveryCommands >= 3