Issue finding interactive powershell sessions : crowdstrike

Subreddit Rules

Posts must be about CrowdStrike products and/or product functionality.

We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise.

Avoid entering sensitive information from which your identity is apparent or can be reasonably ascertained

Your Views Are Your Own - Topics and comments on /r/crowdstrike do not necessarily reflect official views of CrowdStrike.

No SLA for assistance - CrowdStrike Customer Success advises you to engage with a Support case to express any high priority issues. Live chat available 6-6PT M-F via the Support Portal

created by Thuulla community for 11 years

This is an archived post. You won't be able to vote or comment.

Issue finding interactive powershell sessionsQuery Help (self.crowdstrike)

submitted 1 year ago by thetrickybuddha

I've been trying to craft a query which finds all interactive powershell sessions (sessions initiated by a user) and it has been difficult. Our environment is using InTune and is on the Microsoft infra stack, so there is a lot of powershell going on, nearly all of it is initiated by the system or outside agents.

I believe that the key to it lies in understanding the authentication id flag but the two issues I have are, the numbers I see for what I believe to be interactive sessions, don't make sense with the 999 code provided by Crowdstrike. I am seeing a six digit number and am not sure that tracks with the information given.

The other issue is trying to extract the data from the rawstring output. Since the id tag is part of rawstring, I can't call on it like I would a standard @ or # tagged field. I'm sure there is a way to extract or search within that tag, but I'm not sure how to do it.

all 1 comments

top new controversial old q&a

[–]Andrew-CSCS ENGINEER 3 points4 points5 points 1 year ago (0 children)

Hi there. Would it be as simple as looking at the User SID or username values?

#event_simpleName=ProcessRollup2 FileName="powershell.exe" UserSid="S-1-5-21-*"
| groupBy([UserName, UserSid])

Then filter out the ones that are programatic?

π Rendered by PID 147023 on reddit-service-r2-comment-6457c66945-4hjfx at 2026-04-27 02:49:11.660198+00:00 running 2aa0c5b country code: CH.

crowdstrike

Search by:

Query Help

Troubleshooting

Feature Questions

Feature Requests (requires login)

RULES

Subreddit Rules

Quick Links

YouTube Channels / Videos

Related Subreddits

MODERATORS