gpt-5-high

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "netsh.exe" or ProcessCommandLine has "netsh" | extend cmd = tostring(ProcessCommandLine), lc = tolower(tostring(ProcessCommandLine)) | where lc has "wlan" | where lc has "profile" // matches profile or profiles | where lc has_any ("show", "export") | where lc contains "key=clear" or lc matches regex @"key\s*=\s*clear" | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessId, ProcessCreationTime, ProcessTokenElevation, ProcessIntegrityLevel, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName | order by TimeGenerated desc

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where FileName =~ "dd" or ProcessCommandLine matches regex @"(?i)\bdd\b" | where ProcessCommandLine matches regex @"/proc/(?:\d+|self)/mem" // Extract of= argument (optionally double-quoted) | extend of_file = extract(@'(?i)\bof\s*=\s*"?([^ \t";|]+)"?', 1, ProcessCommandLine) // Extract shell redirection target (>, >>, 1>, etc.; optionally double-quoted) | extend redirect_file = extract(@'(?:^|\s)(?:\d?>|>>)\n\s*"?(/[^ \t";|]+)"?', 1, ProcessCommandLine) | extend DumpTargetPath = coalesce(of_file, redirect_file) | where isnotempty(DumpTargetPath) | extend DumpTargetFileName = tostring(split(DumpTargetPath, "/")[array_length(split(DumpTargetPath, "/")) - 1]) | project Time=ProcessCreationTime, DeviceName, AccountName, ProcessId, CommandLine=ProcessCommandLine, DumpTargetPath, DumpTargetFileName | order by Time desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("cmdkey.exe", "vaultcmd.exe") | where isnotempty(ProcessCommandLine) and ( ProcessCommandLine contains "/list" or // cmdkey /list (or -list) ProcessCommandLine contains " /l" or // cmdkey /l (short form) ProcessCommandLine contains "-list" or // alternate switch form ProcessCommandLine contains "/listcreds" // vaultcmd listing creds ) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ExactCommand = ProcessCommandLine | order by TimeGenerated desc

let linux_devices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, DeviceName, OSPlatform, MachineGroup; DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linux_devices) on DeviceId | where ( // systemctl variants that list services (tolower(FileName) == "systemctl" and ( ProcessCommandLine has "list-units" or ProcessCommandLine has "list-unit-files" or ProcessCommandLine has "--type=service" or ProcessCommandLine has "-t service" or ProcessCommandLine has "--type service" or ProcessCommandLine has " -a" // default action (list-units) with all or ProcessCommandLine has " --all" )) or // SysV service enumeration (tolower(FileName) == "service" and ProcessCommandLine has "--status-all") or // chkconfig list (tolower(FileName) == "chkconfig" and ProcessCommandLine has "--list") or // Upstart list (tolower(FileName) == "initctl" and ProcessCommandLine has "list") or // OpenRC (tolower(FileName) == "rc-update" and ProcessCommandLine has "show") or (tolower(FileName) == "rc-service" and (ProcessCommandLine has " -l" or ProcessCommandLine has " --list")) or (tolower(FileName) == "rc-status") or // runit (tolower(FileName) == "sv" and ProcessCommandLine has "status") ) | extend MatchHint = case( tolower(FileName) == "systemctl" and ProcessCommandLine has "list-units", "systemctl list-units", tolower(FileName) == "systemctl" and ProcessCommandLine has "list-unit-files", "systemctl list-unit-files", tolower(FileName) == "systemctl" and (ProcessCommandLine has "--type=service" or ProcessCommandLine has "-t service" or ProcessCommandLine has "--type service"), "systemctl --type=service", tolower(FileName) == "systemctl" and (ProcessCommandLine has " -a" or ProcessCommandLine has " --all"), "systemctl -a/--all", tolower(FileName) == "service" and ProcessCommandLine has "--status-all", "service --status-all", tolower(FileName) == "chkconfig" and ProcessCommandLine has "--list", "chkconfig --list", tolower(FileName) == "initctl" and ProcessCommandLine has "list", "initctl list", tolower(FileName) == "rc-update" and ProcessCommandLine has "show", "rc-update show", tolower(FileName) == "rc-service" and (ProcessCommandLine has " -l" or ProcessCommandLine has " --list"), "rc-service -l/--list", tolower(FileName) == "rc-status", "rc-status", tolower(FileName) == "sv" and ProcessCommandLine has "status", "sv status", "other") | project Timestamp, DeviceName, AccountName, AccountUpn, FileName, ProcessCommandLine, MatchHint, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId, MachineGroup | order by Timestamp desc

// Optional: set a specific Linux host to focus the results (leave empty to return all Linux hosts) let targetHost = ""; let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, DeviceName; // Network evidence: ICMP destination captured as RemoteIP let PingNet = DeviceNetworkEvents | where InitiatingProcessFileName in~ ("ping", "ping6") | where isnotempty(RemoteIP) | project DeviceId, TimeGenerated, PingTargetIP = RemoteIP, PingCmd = tostring(InitiatingProcessCommandLine), Source = "DeviceNetworkEvents" | join kind=inner (LinuxDevices) on DeviceId | project TimeGenerated, DeviceId, DeviceName, PingTargetIP, PingCmd, Source; // Process evidence: extract IPv4/IPv6 literal from ping command line (regex avoids lookbehind/lookahead) let PingProc = DeviceProcessEvents | where FileName in~ ("ping", "ping6") | join kind=inner (LinuxDevices) on DeviceId | extend TargetIPv4 = extract(@"(^|[^0-9])((25[0-5]|2[0-4]\d|1?\d{1,2})(\.(25[0-5]|2[0-4]\d|1?\d{1,2})){3})", 2, tostring(ProcessCommandLine)) | extend TargetIPv6 = extract(@"(([A-Fa-f0-9]{1,4}:){1,7}[A-Fa-f0-9]{0,4})", 1, tostring(ProcessCommandLine)) | extend PingTargetIP = tostring(coalesce(TargetIPv4, TargetIPv6)) | where isnotempty(PingTargetIP) | project TimeGenerated, DeviceId, DeviceName, PingTargetIP, PingCmd = ProcessCommandLine, Source = "DeviceProcessEvents"; union PingNet, PingProc | where isempty(targetHost) or DeviceName == targetHost | extend IPVersion = iff(indexof(PingTargetIP, ":") >= 0, "IPv6", "IPv4") | order by TimeGenerated desc

let PowerShellCmds = DeviceEvents | where ActionType has "PowerShell" | extend Command = tostring(coalesce(AdditionalFields.Command, AdditionalFields.ScriptCommand, AdditionalFields.ScriptContent, AdditionalFields.ScriptName)) | where isnotempty(Command) | extend Cmdlet = case( Command matches regex @"(?i)\b(?:test-netconnection|tnc)\b", "Test-NetConnection", Command matches regex @"(?i)\btest-connection\b", "Test-Connection", "" ) | where Cmdlet != "" // Ensure it was a port 445 check (SMB) | where Command matches regex @"(?i)(?:-port\s*=?\s*445|-tcpport\s*=?\s*445|-CommonTCPPort\s+SMB|:445\b)" | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, Cmdlet, Command, Source="DeviceEvents"; let PowerShellProc = DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | where isnotempty(ProcessCommandLine) | extend Cmdlet = case( ProcessCommandLine matches regex @"(?i)\b(?:test-netconnection|tnc)\b", "Test-NetConnection", ProcessCommandLine matches regex @"(?i)\btest-connection\b", "Test-Connection", "" ) | where Cmdlet != "" // Ensure it was a port 445 check (SMB) | where ProcessCommandLine matches regex @"(?i)(?:-port\s*=?\s*445|-tcpport\s*=?\s*445|-CommonTCPPort\s+SMB|:445\b)" | project TimeGenerated, DeviceName, AccountName, Cmdlet, Command=ProcessCommandLine, Source="DeviceProcessEvents"; union PowerShellCmds, PowerShellProc | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Samples=make_set(Command, 3) by DeviceName, AccountName, Cmdlet | order by LastSeen desc

let ShadowRedirects = DeviceProcessEvents | join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId | where OSPlatform =~ "Linux" | where ActionType == "ProcessCreated" | where ProcessCommandLine has "/etc/shadow" and (ProcessCommandLine contains '>' or ProcessCommandLine has 'tee') // Extract redirection targets: >, >>, 1>, 1>> with optional quotes | extend redirect_dq = extract(@'(?:(?:^|[\s;|&]))(?:\d?>{1,2})\s*"(.*?)"', 1, ProcessCommandLine) | extend redirect_sq = extract(@'(?:(?:^|[\s;|&]))(?:\d?>{1,2})\s*''([^'']+)''', 1, ProcessCommandLine) | extend redirect_uq = extract(@'(?:(?:^|[\s;|&]))(?:\d?>{1,2})\s*([^\s;|&]+)', 1, ProcessCommandLine) // Extract tee target (first non-option arg after tee) | extend tee_dq = extract(@'\btee\b\s+(?:-[A-Za-z-]+\s+)*"(.*?)"', 1, ProcessCommandLine) | extend tee_sq = extract(@'\btee\b\s+(?:-[A-Za-z-]+\s+)*''([^'']+)''', 1, ProcessCommandLine) | extend tee_uq = extract(@'\btee\b\s+(?:-[A-Za-z-]+\s+)*([^\s;|&]+)', 1, ProcessCommandLine) | extend OutputPath = coalesce(redirect_dq, redirect_sq, redirect_uq, tee_dq, tee_sq, tee_uq) | where isnotempty(OutputPath) // Elevated process heuristics | where tolower(AccountName) == "root" or tolower(InitiatingProcessAccountName) == "root" or tostring(ProcessTokenElevation) =~ "Elevated" or tostring(InitiatingProcessTokenElevation) =~ "Elevated" or ProcessCommandLine has "sudo " or ProcessCommandLine has "su -c" | extend OutputFileName = tostring(extract(@'([^/\\]+)$', 1, OutputPath)) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine, OutputPath, OutputFileName; // Report the file name(s) used to store results ShadowRedirects | summarize Events=count(), Devices=dcount(DeviceId), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by OutputFileName, OutputPath | order by LastSeen desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) | where ( (FileName =~ "arp.exe" or ProcessCommandLine matches regex @"(?i)\barp(\.exe)?\b") and ProcessCommandLine matches regex @"(?i)\s-(a|g)\b" ) or ( (FileName =~ "netsh.exe" or ProcessCommandLine matches regex @"(?i)\bnetsh(\.exe)?\b") and ProcessCommandLine matches regex @"(?i)\binterface\s+(ip|ipv4)\s+show\s+neighbors?\b" ) | project Timestamp, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Executions=count() by DeviceName, AccountDomain, AccountName, ProcessCommandLine | order by LastSeen desc

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId; let syslog_cmds = DeviceEvents | where ActionType has "Syslog" | join kind=leftsemi (LinuxDevices) on DeviceId | extend msg = coalesce(tostring(AdditionalFields.SyslogMessage), tostring(AdditionalFields.Message), tostring(AdditionalFields.msg), tostring(AdditionalFields.original_message), tostring(AdditionalFields.raw)) | where isnotempty(msg) | extend Utility = extract(@"(?i)\b(ss|netstat|lsof|cat)\b", 1, msg) | where isnotempty(Utility) | where msg matches regex @"(?i)(\bnetstat\b.*(-t|--tcp|-an)|\bss\b.*(-t|--tcp)|\blsof\b.*(-i\s*(tcp|TCP)|-iTCP)|/proc/net/tcp(6)?)" | project TimeGenerated, DeviceId, DeviceName, Utility = tolower(Utility), Source = "Syslog", Content = msg; let proc_cmds = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=leftsemi (LinuxDevices) on DeviceId | where FileName in~ ("ss","netstat","lsof","cat") or ProcessCommandLine matches regex @"(?i)\b(ss|netstat|lsof|cat)\b" | where ProcessCommandLine matches regex @"(?i)(\bnetstat\b.*(-t|--tcp|-an)|\bss\b.*(-t|--tcp)|\blsof\b.*(-i\s*(tcp|TCP)|-iTCP)|/proc/net/tcp(6)?)" | extend Utility = case(FileName =~ "cat" and ProcessCommandLine contains "/proc/net/tcp", "cat", tolower(FileName)) | project TimeGenerated, DeviceId, DeviceName, Utility, Source = "Process", Content = ProcessCommandLine; union syslog_cmds, proc_cmds | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), SampleContent = arg_max(TimeGenerated, Content) by DeviceId, DeviceName, Utility | order by LastSeen desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // Cmdlet that formats/displays raw bytes | where ProcessCommandLine has_any ("format-hex", "fhx") // Evidence of DOS device path usage (boot sector/raw volume access) | where ProcessCommandLine matches regex @'(?i)\\\\\.\\(physicaldrive\d+|[a-z]:|harddisk\d+\\partition\d+|globalroot\\device\\harddisk\d+(\\partition\d+)?)' | extend UsedCmdlet = extract(@'(?i)\b(format-hex|fhx)\b', 1, ProcessCommandLine) | extend DosDeviceTarget = extract(@'(?i)(\\\\\.\\(?:physicaldrive\d+|[a-z]:|harddisk\d+\\partition\d+|globalroot\\device\\harddisk\d+(?:\\partition\d+)?))', 1, ProcessCommandLine) | summarize EventCount = count(), Devices = dcount(DeviceId), Accounts = dcount(AccountSid), SampleCommands = make_set(ProcessCommandLine, 5), SampleTargets = make_set(DosDeviceTarget, 5) by UsedCmdlet | order by EventCount desc

let ping_loop_regex = @"\bfor\s+/(l|f)\b[^\r\n]*\bdo\b[^\r\n]*\bping\b|\bset\s+/a\b[^\r\n]*&[^\r\n]*\bping\b[^\r\n]*&[^\r\n]*\bgoto\b"; DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "cmd.exe" | where isnotempty(ProcessCommandLine) | extend pcl = tolower(ProcessCommandLine) | where pcl has "ping" and (pcl matches regex ping_loop_regex) | project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Executions=count() by DeviceName, AccountDomain, AccountName, ProcessCommandLine | order by LastSeen desc

DeviceProcessEvents | where FileName in~ ("rundll32.exe","procdump.exe","procdump64.exe","werfault.exe","taskmgr.exe","powershell.exe","pwsh.exe","powershell_ise.exe") // Look for common lsass dump indicators | where ProcessCommandLine has_any ("comsvcs.dll","MiniDump","lsass","lsass.exe","procdump",".dmp","-ma") // Decide which command line to parse for the script: PowerShell's own CL or the initiator's CL | extend RawCL = tostring(iif(FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe"), ProcessCommandLine, InitiatingProcessCommandLine)) // Extract a .ps1 path/token, then just the script file name | extend ScriptPath = extract(@'(?i)([^\s"''<>|]+\.ps1)', 1, RawCL) | extend ScriptFile = extract(@'(?i)([^\\/:]+\.ps1)$', 1, ScriptPath) | where isnotempty(ScriptFile) | summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by ScriptFile | order by Count desc, LastSeen desc | take 1 | project ScriptFile

let EncodedCmdRegex = @"(?i)\s-?(?:e|enc|encodedcommand)\b"; let EncodedArgRegex = @"(?i)-(?:e|enc|encodedcommand)\s+['\""]?([A-Za-z0-9+/=]{20,})"; let EncPSEvents = DeviceProcessEvents | where FileName matches regex @"(?i)^(?:powershell(?:\.exe)?|pwsh(?:\.exe)?|powershell_ise(?:\.exe)?)$" | where ProcessCommandLine matches regex EncodedCmdRegex or tolower(ProcessCommandLine) has "[convert]::frombase64string(" or tolower(ProcessCommandLine) has "frombase64string(" | extend EncodedArg = extract(EncodedArgRegex, 1, ProcessCommandLine); EncPSEvents | summarize executions=count(), firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256 | order by lastSeen desc

let targetDevice = ""; // optionally set to a specific DeviceName or DeviceId let familiar_host_names = dynamic(["svchost.exe","services.exe","lsass.exe","conhost.exe","spoolsv.exe","rundll32.exe","dllhost.exe","taskhostw.exe","taskhostex.exe","winlogon.exe","smss.exe","csrss.exe","wininit.exe","ctfmon.exe","explorer.exe","searchhost.exe","werfault.exe","sihost.exe"]); DeviceProcessEvents | where ActionType == "ProcessCreated" // Identify the binary as PowerShell (original file) even if renamed | where tolower(ProcessVersionInfoOriginalFileName) in ("powershell.exe","pwsh.exe") or ProcessVersionInfoFileDescription has_cs "Windows PowerShell" or ProcessCommandLine matches regex @"(?i)\b(powershell|pwsh)(\.exe)?\b" // Not from legitimate Windows directories; specifically from user AppData | where tostring(FolderPath) != "" and tolower(FolderPath) contains "\\users\\" and tolower(FolderPath) contains "\\appdata\\" | where not(tolower(FolderPath) startswith "c:\\windows\\system32" or tolower(FolderPath) startswith "c:\\windows\\syswow64") // Optionally scope to a device | where targetDevice == "" or DeviceName =~ targetDevice or DeviceId == targetDevice // Must be masquerading under a familiar Windows host name, not the legit powershell.exe name | where tolower(FileName) != "powershell.exe" and tolower(FileName) in (familiar_host_names) | summarize firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated), execCount=count() by DeviceName, FileName, FolderPath, SHA1 | order by lastSeen desc

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; let decodedOutputs = DeviceFileEvents | where DeviceId in (linuxDevices) | where ActionType in ("FileCreated", "FileModified") | where isnotempty(InitiatingProcessCommandLine) | extend ipc = tolower(InitiatingProcessCommandLine), ipf = tolower(InitiatingProcessFileName) | where ipc has "base64" and ( ipc has " -d" or ipc has "--decode" or ipc has " enc -base64 -d" or (ipf == "openssl" and ipc has "-d") ) | extend ScriptPath = iif(isempty(FolderPath), FileName, strcat(FolderPath, iif(FolderPath endswith "/", "", "/"), FileName)) | project DeviceId, DeviceName, DecodeTime=TimeGenerated, ScriptPath, ScriptName=FileName, DecodeProc=InitiatingProcessFileName, DecodeCmd=InitiatingProcessCommandLine; decodedOutputs | join kind=inner ( DeviceProcessEvents | project DeviceId, ExecTime=TimeGenerated, ExecProc=FileName, ExecCmd=ProcessCommandLine ) on DeviceId | where ExecTime >= DecodeTime and ExecTime <= DecodeTime + 2h | where ExecCmd has ScriptPath or (ExecCmd has ScriptName and ExecProc in~ ("bash","sh","zsh","dash","sudo")) | summarize FirstExecTime=min(ExecTime), ExampleExecCmd=arg_min(ExecTime, ExecCmd) by DeviceId, DeviceName, ScriptPath, ScriptName, DecodeTime, DecodeProc, DecodeCmd | project DeviceName, ScriptFilename=ScriptName, ScriptPath, DecodeTime, FirstExecTime, DecodeProcess=DecodeProc, DecodeCmd, ExampleExecCmd | order by FirstExecTime asc

let linux_devices = DeviceInfo | where OSPlatform =~ "Linux" | summarize arg_max(TimeGenerated, *) by DeviceId | project DeviceId; let tcp_metric_cmds = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linux_devices) on DeviceId | where tolower(ProcessCommandLine) has "tcp_metrics" or tolower(ProcessCommandLine) has "tcpmetrics" | project DeviceId, DeviceName, TimeGenerated, Pid=ProcessId, ParentPid=InitiatingProcessId, SessionId=CreatedProcessSessionId, UtilityFileName=tolower(FileName), Cmd=ProcessCommandLine; let loopback_filter_cmds = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linux_devices) on DeviceId | where tolower(FileName) in~ ("grep","egrep","fgrep","awk","sed") | where ProcessCommandLine matches regex @"(?i)(-v\s+(lo|127\.0\.0\.1)|!/(lo|127\.0\.0\.1)/|/(lo|127\.0\.0\.1)/d)" | project DeviceId, TimeGenerated, FilterPid=ProcessId, FilterParentPid=InitiatingProcessId, FilterSessionId=CreatedProcessSessionId, FilterProc=tolower(FileName), FilterCmd=ProcessCommandLine; let correlated = tcp_metric_cmds | join kind=innerunique (loopback_filter_cmds) on DeviceId | where (ParentPid == FilterParentPid or SessionId == FilterSessionId) and abs(tolong((TimeGenerated - TimeGenerated1)/1s)) <= 120s/1s | project UtilityUsed=UtilityFileName, Cmd, Correlation="WithLoopbackFilter"; let candidates = tcp_metric_cmds | project UtilityUsed=UtilityFileName, Cmd, Correlation="NoFilterObserved"; union correlated, candidates | summarize EventCount=count(), ExampleCommand=any(Cmd) by UtilityUsed, Correlation | order by Correlation asc, EventCount desc

let TempRegex = @"\\Temp(\\|$)"; let rundll = DeviceProcessEvents | where tolower(FileName) == "rundll32.exe" | where ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump" | project DeviceId, DeviceName, Rdl32PID=ProcessId, Rdl32Time=TimeGenerated, Rdl32Cmd=ProcessCommandLine; union isfuzzy=true ( DeviceFileEvents | where ActionType in ("FileCreated", "FileCreated (Local)") | where tolower(InitiatingProcessFileName) == "rundll32.exe" | where InitiatingProcessCommandLine contains "comsvcs.dll" and InitiatingProcessCommandLine contains "MiniDump" | where FolderPath matches regex TempRegex | extend DumpFilePath = strcat(FolderPath, "\\", FileName) | project TimeGenerated, DeviceName, DumpFileName = FileName, DumpFilePath, FileSize, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId ), ( DeviceFileEvents | where ActionType in ("FileCreated", "FileCreated (Local)") | where FolderPath matches regex TempRegex | join kind=innerunique rundll on DeviceId | where InitiatingProcessId == Rdl32PID | where TimeGenerated between (Rdl32Time .. Rdl32Time + 10m) | extend DumpFilePath = strcat(FolderPath, "\\", FileName) | project TimeGenerated, DeviceName, DumpFileName = FileName, DumpFilePath, FileSize, InitiatingProcessCommandLine = Rdl32Cmd, InitiatingProcessFolderPath = "", InitiatingProcessId = Rdl32PID ) | order by TimeGenerated desc

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId; DeviceFileEvents | where ActionType in~ ("FileModified", "FileCreated") | where isnotnull(FileSize) | join kind=inner (LinuxDevices) on DeviceId | extend Folder = iff(isempty(FolderPath), "", trim_end("/", FolderPath)) | extend FilePath = iff(isempty(Folder), FileName, strcat(Folder, "/", FileName)) | where isnotempty(FilePath) | extend FileKey = strcat(DeviceId, "||", FilePath) | project TimeGenerated, ReportId, DeviceId, DeviceName, FilePath, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName, FileKey | order by FileKey asc, TimeGenerated asc, ReportId asc | serialize | extend PrevKey = prev(FileKey), PrevSize = tolong(prev(FileSize)) | extend Delta = iif(FileKey == PrevKey and isnotnull(PrevSize), tolong(FileSize) - PrevSize, long(null)) | where Delta == 1 | where isnotempty(InitiatingProcessFileName) | summarize PaddingEvents = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCmd = any(InitiatingProcessCommandLine) by Utility = tolower(InitiatingProcessFileName) | order by PaddingEvents desc, LastSeen desc

let dynamic_tokens = @'(?i)\b(iex|invoke-expression|add-type|scriptblock\s*(?:::|\.)\s*create|(?:system\.)?reflection\.assembly\s*(?:::|\.)\s*load|frombase64string)\b'; let base64_or_obfuscated = @'(?i)(?:-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{40,}|[A-Za-z0-9+/=]{120,})'; let suspicious_concat = @'(?i)(["'']\s*\+\s*["''])'; let obf_repeat = @'[`^]{3,}'; DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) | extend cmd = tostring(ProcessCommandLine) | extend len = strlen(cmd) | extend alnum_len = strlen(replace_regex(cmd, @'[^A-Za-z0-9]', '')) | extend non_ratio = iif(len == 0, 0.0, todouble(len - alnum_len) / todouble(len)) | extend has_dynamic = cmd matches regex dynamic_tokens | extend has_b64 = cmd matches regex base64_or_obfuscated | extend has_concat = cmd matches regex suspicious_concat | extend has_obf_chars = cmd matches regex obf_repeat | extend score = iif(has_dynamic,3,0) + iif(has_b64,3,0) + iif(has_concat,1,0) + iif(has_obf_chars,1,0) + iif(len > 250,1,0) + iif(non_ratio > 0.45,1,0) | where score > 0 | summarize Events=count(), Devices=dcount(DeviceId), LatestTime=max(TimeGenerated), ExampleCommandLine=arg_max(score, cmd) by ProcessName=FileName | order by Events desc, LatestTime desc

let script_indicators = dynamic([".ps1", ".bat", ".cmd", ".vbs", ".js", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", " /c ", " -file "]); let svc_mods = DeviceEvents | where ActionType in ("ServiceInstalled","ServiceCreated","ServiceRegistered","ServiceModified","ServiceConfigurationChanged") | extend svcName = tostring(AdditionalFields.ServiceName), svcDisp = tostring(AdditionalFields.ServiceDisplayName), imgPath = tolower(coalesce(tostring(AdditionalFields.NewBinaryPathName), tostring(AdditionalFields.BinaryPathName), tostring(AdditionalFields.ImagePath), tostring(AdditionalFields.ServiceImagePath))) // Heuristics: name/display similar to time service (contains w32+time or windows+time) OR image path points to a script | extend name_l = tolower(svcName), disp_l = tolower(svcDisp) | extend IsTimeLike = (name_l has "time" or disp_l has "time") | extend IsW32Timeish = (name_l has "w32" and name_l has "time") or (disp_l has "windows" and disp_l has "time") | extend IsScriptPath = iff(isempty(imgPath), bool(false), imgPath has_any (script_indicators)) | where IsScriptPath or IsW32Timeish | project TimeGenerated, DeviceId, DeviceName, Source="ServiceEvent", ServiceName=svcName, ServiceDisplayName=svcDisp, ImagePath=imgPath, ActorProcess=tolower(InitiatingProcessFileName), ActorCommand=InitiatingProcessCommandLine; let reg_mods = DeviceRegistryEvents | where ActionType in ("RegistryValueSet","RegistryKeyCreated","RegistryKeyRenamed") | where tolower(RegistryValueName) == "imagepath" | extend ServiceName = extract(@"\\services\\([^\\]+)", 1, tostring(RegistryKey)) | extend name_l = tolower(ServiceName), key_l = tolower(RegistryKey) | where key_l contains "\\system\\currentcontrolset\\services\\" // Heuristics: similar to time service | where (name_l has "time" and (name_l has "w32" or name_l has "windows")) | extend ImagePath = tolower(tostring(RegistryValueData)) | where ImagePath has_any (script_indicators) | project TimeGenerated, DeviceId, DeviceName, Source="Registry", ServiceName, ServiceDisplayName=strcat(""), ImagePath, ActorProcess=tolower(InitiatingProcessFileName), ActorCommand=InitiatingProcessCommandLine; let process_cmds = DeviceProcessEvents | where FileName in~ ("sc.exe","sc","reg.exe","powershell.exe","wmic.exe") | extend cmd_l = tolower(ProcessCommandLine) | where cmd_l matches regex @"\b(sc(\.exe)?\s+(create|config)|reg(\.exe)?\s+add|wmic(\.exe)?\s+service|powershell(\.exe)?\s+.*(new-service|set-service))" | where cmd_l has_any ("w32","windows"," time ") | project TimeGenerated, DeviceId, DeviceName, Source="ProcessCmd", ServiceName=strcat(""), ServiceDisplayName=strcat(""), ImagePath=strcat(""), ActorProcess=tolower(FileName), ActorCommand=ProcessCommandLine; union isfuzzy=true svc_mods, reg_mods, process_cmds | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Events=count(), ExampleCommands=make_set(ActorCommand, 5) by DeviceName, ActorProcess | order by Events desc, LastSeen desc | project DeviceName, ActorProcess, Events, FirstSeen, LastSeen, ExampleCommands

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "schtasks.exe" | where ProcessCommandLine contains "/create" | where ProcessCommandLine has_any ("powershell", "pwsh") | where ProcessCommandLine contains ".ps1" // Extract task name from /TN (quoted or unquoted) | extend TaskName = coalesce( extract("(?i)(?:^|\\s)/tn(?::)?\\s*\"([^\"]+)\"", 1, ProcessCommandLine), extract("(?i)(?:^|\\s)/tn(?::)?\\s*([^\\s\\\"]+)", 1, ProcessCommandLine) ) // Extract .ps1 path (prefer -File, then & invocation, then any .ps1) | extend ScriptPath = coalesce( extract("(?i)-file\\s+\"([^\"]+?\\.ps1)\"", 1, ProcessCommandLine), extract("(?i)-file\\s+([^\\s\\\"]+?\\.ps1)", 1, ProcessCommandLine), extract("(?i)\\&\\s*\"([^\"]+?\\.ps1)\"", 1, ProcessCommandLine), extract("(?i)\\&\\s*([^\\s\\\"]+?\\.ps1)", 1, ProcessCommandLine), extract("(?i)\"([^\"]+?\\.ps1)\"", 1, ProcessCommandLine), extract("(?i)([^\\s\\\"]+?\\.ps1)", 1, ProcessCommandLine) ) | extend ScriptName = extract("(?i)([^\\\\/]+\\.ps1)$", 1, tostring(ScriptPath)) | where isnotempty(ScriptName) | project TimeGenerated, DeviceName, AccountDomain, AccountName, TaskName, ScriptPath, ScriptName, ProcessCommandLine | order by TimeGenerated desc

let window = 1h; // Optional: restrict to known core Windows CLI utilities to reduce noise let core_utils = dynamic([ 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe', 'whoami.exe','findstr.exe','net.exe','net1.exe','sc.exe','schtasks.exe','tasklist.exe','wevtutil.exe','wmic.exe','ftp.exe','tftp.exe','at.exe' ]); // Candidate copies into user profile, appearing to come from System32/SysWOW64 (via Previous* or initiating cmdline) let candidate_copies = DeviceFileEvents | where ActionType in~ ('FileCreated','FileCopied','FileRenamed') | where FolderPath has '\\Users\\' and FileName endswith '.exe' // Uncomment next line to limit to core utilities //| where set_has_element(core_utils, tolower(FileName)) | extend PrevPath = iff(isnotempty(PreviousFolderPath) and isnotempty(PreviousFileName), strcat(PreviousFolderPath, '\\', PreviousFileName), '') | where PrevPath has_any ('\\Windows\\System32\\','\\Windows\\SysWOW64\\') or InitiatingProcessCommandLine has_any ('\\Windows\\System32\\','\\Windows\\SysWOW64\\','%windir%\\system32','%windir%\\syswow64') | project DeviceId, DeviceName, CopiedExe=tolower(FileName), DstPath=tolower(FolderPath), CopyTime=TimeGenerated, SHA1, InitiatingProcessAccountDomain, InitiatingProcessAccountName; // Executions from a user profile path let executions = DeviceProcessEvents | where FolderPath has '\\Users\\' | project DeviceId, ExecTime=TimeGenerated, RanExe=tolower(FileName), RanPath=tolower(FolderPath), RanCmd=ProcessCommandLine, ExecSHA1=SHA1; // Strong correlation: join by SHA1 and device, then ensure execution shortly after copy let joined_sha = candidate_copies | where isnotempty(SHA1) | join kind=innerunique (executions | where isnotempty(ExecSHA1)) on $left.DeviceId == $right.DeviceId and $left.SHA1 == $right.ExecSHA1 | where ExecTime between (CopyTime .. CopyTime + window) | project DeviceId, DeviceName, CopiedExe, DstPath, CopyTime, ExecTime, RanPath; // Fallback correlation: exact path match (same device and same full path), within time window let joined_path = candidate_copies | join kind=innerunique (executions) on $left.DeviceId == $right.DeviceId | where RanPath == DstPath and ExecTime between (CopyTime .. CopyTime + window) | project DeviceId, DeviceName, CopiedExe, DstPath, CopyTime, ExecTime, RanPath; union joined_sha, joined_path | summarize FirstCopyTime=min(CopyTime), FirstExecTime=min(ExecTime), ExecutedFrom=any(RanPath) by DeviceId, DeviceName, CopiedExecutable=CopiedExe | order by FirstCopyTime asc

let psh_from_deviceevents = DeviceEvents | where ActionType in ("PowerShellCommand", "PowerShellScriptBlockLogging") | extend ScriptText = tostring(iff(ActionType == "PowerShellScriptBlockLogging", AdditionalFields.ScriptBlockText, coalesce(AdditionalFields.Command, AdditionalFields.ScriptContent, AdditionalFields.CommandLine))) | extend CommandName = tostring(AdditionalFields.CommandName) | where CommandName =~ "Get-NetTCPConnection" or ScriptText has "Get-NetTCPConnection" | extend Cmdlet = iif(isnotempty(CommandName), CommandName, extract(@"(?i)\b(Get-NetTCPConnection)\b", 1, ScriptText)) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet, CommandText=coalesce(ScriptText, InitiatingProcessCommandLine); let psh_from_processevents = DeviceProcessEvents | where (InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") or FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe")) | where ProcessCommandLine has "Get-NetTCPConnection" | extend Cmdlet = extract(@"(?i)\b(Get-NetTCPConnection)\b", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet, CommandText=ProcessCommandLine; union isfuzzy=true psh_from_deviceevents, psh_from_processevents | extend ExecutingAccount = coalesce(AccountName, InitiatingProcessAccountName) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count(), SampleCommand=any(CommandText) by DeviceId, DeviceName, ExecutingAccount, Cmdlet | extend StateFilter = extract(@"(?i)-State\s+([A-Za-z,]+)", 1, SampleCommand) | order by LastSeen desc

let targetPort = 9090; let portRegex = strcat(@"(^|[^\d])", tostring(targetPort), @"([^\d]|$)"); DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=innerunique ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName ) on DeviceId | extend cmdl = tostring(ProcessCommandLine) | where isnotempty(cmdl) // python3 starting http.server on the target port | where tolower(cmdl) has "http.server" and cmdl matches regex portRegex | where tolower(FileName) matches regex @"^python3(\.\d+)?$" or tolower(cmdl) has "python3" // get working directory from various possible keys in AdditionalFields | extend WorkingDirectory = coalesce( tostring(AdditionalFields["cwd"]), tostring(AdditionalFields["Cwd"]), tostring(AdditionalFields["WorkingDirectory"]), tostring(AdditionalFields["workdir"]), tostring(AdditionalFields["CurrentDirectory"])) // hosted under /tmp: either CWD is /tmp or command references /tmp (e.g., --directory /tmp) | where tolower(cmdl) has "/tmp" or (isnotempty(WorkingDirectory) and tolower(WorkingDirectory) has "/tmp") | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessId, ProcessCommandLine=cmdl, WorkingDirectory | order by TimeGenerated asc

let ps_bins = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let ftp_tools = dynamic(["ftp.exe","winscp.exe","winscp.com","psftp.exe","curl.exe","wget.exe","bitsadmin.exe","certutil.exe","tftp.exe","rclone.exe"]); let ftp_markers = dynamic(["ftp://","ftps://","WebRequestMethods+Ftp","FtpWebRequest"," -Method Ftp"," -Method ftp","Invoke-WebRequest","Start-BitsTransfer"]); DeviceProcessEvents | where InitiatingProcessFileName in (ps_bins) | where FileName in (ftp_tools) or ProcessCommandLine has_any (ftp_markers) or InitiatingProcessCommandLine has_any (ftp_markers) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), EventCount=count(), sample_child_cmd=any(ProcessCommandLine), sample_parent_cmd=any(InitiatingProcessCommandLine) by Executable=tolower(FileName) | order by EventCount desc, LastSeen desc

DeviceProcessEvents | where ActionType == "ProcessCreated" // Focus on tools that enumerate current connections | where tolower(FileName) in ("netstat.exe","powershell.exe","netsh.exe") or ProcessCommandLine has_any ("netstat","Get-NetTCPConnection","Get-NetUDPEndpoint","show tcpconnections","show tcp") // Keep only executions that actually map to connection enumeration | where ( tolower(FileName) == "netstat.exe" ) or ( tolower(FileName) == "powershell.exe" and ProcessCommandLine has_any ("Get-NetTCPConnection","Get-NetUDPEndpoint") ) or ( tolower(FileName) == "netsh.exe" and ProcessCommandLine has_any ("show tcpconnections","show conn","show connections","show tcp") ) // Ensure it was launched from Windows Command Prompt (cmd) context | where tolower(InitiatingProcessFileName) in ("cmd.exe","conhost.exe") or tolower(InitiatingProcessParentFileName) == "cmd.exe" or InitiatingProcessCommandLine has @"\cmd.exe" // Identify the exact tool | extend ExactTool = case( tolower(FileName) == "netstat.exe", "netstat.exe", tolower(FileName) == "powershell.exe" and ProcessCommandLine has "Get-NetTCPConnection", "PowerShell:Get-NetTCPConnection", tolower(FileName) == "powershell.exe" and ProcessCommandLine has "Get-NetUDPEndpoint", "PowerShell:Get-NetUDPEndpoint", tolower(FileName) == "netsh.exe", "netsh.exe", "Unknown") | project TimeGenerated, DeviceName, AccountDomain, AccountName, ExactTool, FileName, ProcessCommandLine, ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine, PID=ProcessId, ParentPID=InitiatingProcessId, ReportId | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "schtasks.exe" | where ProcessCommandLine contains "/create" | where ProcessCommandLine matches regex @"(?i)/sc\s+(onlogon|onstart)" | summarize by UtilityName = FileName

let cron_dir = "/var/spool/cron/crontabs"; let linux_devices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId; DeviceFileEvents | where DeviceId in (linux_devices) | where ActionType in ("FileCreated", "FileModified", "FileRenamed") | where FolderPath hasprefix cron_dir or (ActionType == "FileRenamed" and (FolderPath hasprefix cron_dir or coalesce(PreviousFolderPath, "") hasprefix cron_dir)) | extend Operation = case( ActionType == "FileCreated", "Created", ActionType == "FileModified", "Modified", ActionType == "FileRenamed" and not(coalesce(PreviousFolderPath, "") hasprefix cron_dir) and (FolderPath hasprefix cron_dir), "MovedIntoDir", ActionType == "FileRenamed" and (coalesce(PreviousFolderPath, "") hasprefix cron_dir) and (FolderPath hasprefix cron_dir), "RenamedWithinDir", "Other") | where Operation in ("Created", "Modified", "MovedIntoDir") | extend AddedFileName = FileName, AddedFilePath = strcat(FolderPath, "/", FileName) | project TimeGenerated, DeviceName, DeviceId, Operation, AddedFileName, AddedFilePath, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, PreviousFolderPath, PreviousFileName | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where FileName in~ ('powershell.exe','pwsh.exe','powershell_ise.exe') // Remote admin share (\\host\c$\...) | where ProcessCommandLine contains '\\c$\\' // Copy via PowerShell (Copy-Item or common aliases) | where ProcessCommandLine has_any ('copy','cp','cpi','robocopy') // Destination mentions a TEMP location/variable | where ProcessCommandLine contains '$env:TEMP' or ProcessCommandLine contains '$env:TMP' or ProcessCommandLine contains '%TEMP%' or ProcessCommandLine contains '%TMP%' or ProcessCommandLine contains '\\AppData\\Local\\Temp' or ProcessCommandLine contains '\\Windows\\Temp' or ProcessCommandLine contains ':\\Temp' or ProcessCommandLine contains '\\Temp\\' | project TimeGenerated, DeviceName, AccountDomain, AccountName, PowerShellCommand=ProcessCommandLine | order by TimeGenerated desc

// Identify systemd timer units that were both enabled and started on Linux devices // Time range is controlled by the caller let timer_name_rx = @"(?i)([A-Za-z0-9._@-]+\.timer)\b"; // Limit to Linux devices (join via DeviceInfo to avoid OSPlatform on event tables) let linux_devices = DeviceInfo | where OSPlatform == "Linux" | summarize arg_max(TimeGenerated, *) by DeviceId | project DeviceId; // Starts: `systemctl start <name>.timer` OR `systemctl enable --now <name>.timer` let starts = DeviceProcessEvents | where DeviceId in (linux_devices) | where FileName =~ "systemctl" or ProcessCommandLine has "systemctl" | where ProcessCommandLine has ".timer" | extend TimerName = tostring(extract(timer_name_rx, 1, ProcessCommandLine)) | where isnotempty(TimerName) | where ProcessCommandLine matches regex @"(?i)\b(start|enable\s+--now)\b" | project DeviceId, DeviceName, TimeGenerated, TimerName, StartEvidence = ProcessCommandLine, StartAccount = AccountName; // Enables via `systemctl enable <name>.timer` let enables_systemctl = DeviceProcessEvents | where DeviceId in (linux_devices) | where FileName =~ "systemctl" or ProcessCommandLine has "systemctl" | where ProcessCommandLine has ".timer" | extend TimerName = tostring(extract(timer_name_rx, 1, ProcessCommandLine)) | where isnotempty(TimerName) | where ProcessCommandLine matches regex @"(?i)\benable\b" | project DeviceId, DeviceName, TimeGenerated, TimerName, EnableEvidence = ProcessCommandLine, EnableAccount = AccountName; // Enables evidenced by symlink creation in timers.target.wants let enables_symlink = DeviceFileEvents | where DeviceId in (linux_devices) | where FolderPath has_any ("/etc/systemd/system/timers.target.wants/", "/usr/lib/systemd/system/timers.target.wants/", "/lib/systemd/system/timers.target.wants/", "/etc/systemd/user/timers.target.wants/") | where FileName endswith ".timer" | where ActionType in ("FileCreated", "FileRenamed") | project DeviceId, DeviceName, TimeGenerated, TimerName = FileName, EnableEvidence = strcat(FolderPath, FileName), EnableAccount = InitiatingProcessAccountName; let enables = union enables_systemctl, enables_symlink; // Summarize earliest enable and start per device+timer let enables_s = enables | summarize EnableTime = min(TimeGenerated), EnableEvidenceList = make_set(EnableEvidence, 5), EnableAccounts = make_set(EnableAccount, 5) by DeviceId, DeviceName, TimerName; let starts_s = starts | summarize StartTime = min(TimeGenerated), StartEvidenceList = make_set(StartEvidence, 5), StartAccounts = make_set(StartAccount, 5) by DeviceId, DeviceName, TimerName; // Correlate timers that were both enabled and started enables_s | join kind=inner starts_s on DeviceId, TimerName | project DeviceId, DeviceName = coalesce(DeviceName, DeviceName1), TimerName, EnableTime, StartTime, EnableAccounts, StartAccounts, EnableEvidenceList, StartEvidenceList | order by StartTime asc

let listing_and_filter = @'(?i)\b(tasklist|wmic\s+process|get-process|gps|get-ciminstance\s+win32_process|gwmi\s+win32_process)\b.*\|\s*(findstr|select-string|sls)\b'; DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "|" | where ProcessCommandLine matches regex listing_and_filter // Identify filter tool and listing tool | extend _cmd = tostring(ProcessCommandLine) | extend FilterTool = case(indexof(tolower(_cmd), "findstr") >= 0, "findstr", indexof(tolower(_cmd), "select-string") >= 0 or indexof(tolower(_cmd), " sls ") >= 0, "Select-String", "Unknown") | extend ListingTool = case(indexof(tolower(_cmd), "tasklist") >= 0, "tasklist", _cmd matches regex @'(?i)\bwmic\s+process\b', "wmic process", _cmd matches regex @'(?i)\bget-process\b|\bgps\b', "Get-Process", _cmd matches regex @'(?i)\b(get-ciminstance|gcim)\s+win32_process\b|\bgwmi\b.*win32_process\b', "WMI/CIM process query", "Other") // Extract the searched term after findstr / Select-String | extend SearchedRaw = coalesce( extract(@'(?i)findstr(?:\s+/[a-z-]+\s*)*\s+/c:\s*"([^"]+)"', 1, _cmd), extract(@'(?i)findstr(?:\s+/[a-z-]+\s*)*\s*"([^"]+)"', 1, _cmd), extract(@'(?i)findstr(?:\s+/[a-z-]+\s*)*\s+([^\s\|]+)', 1, _cmd), extract(@'(?i)(?:select-string|sls)(?:\s+-[a-z-]+\s+\S+)*\s+-pattern\s*"([^"]+)"', 1, _cmd), extract(@'(?i)(?:select-string|sls)(?:\s+-[a-z-]+\s+\S+)*\s+-pattern\s+([^\s\|]+)', 1, _cmd), extract(@'(?i)(?:select-string|sls)(?:\s+-[a-z-]+\s+\S+)*\s+"([^"]+)"', 1, _cmd), extract(@'(?i)(?:select-string|sls)(?:\s+-[a-z-]+\s+\S+)*\s+([^\s\|]+)', 1, _cmd) ) | extend SearchedProcess = tostring(SearchedRaw) | where isnotempty(SearchedProcess) // Normalize: last token, lowercase, trim quotes/space, drop .exe | extend SearchedProcess = tolower(coalesce(extract(@'([^\\/:]+)$', 1, SearchedProcess), SearchedProcess)) | extend SearchedProcess = trim(' "', SearchedProcess) | extend SearchedProcess = replace_regex(SearchedProcess, @'\.exe$', '') | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ListingTool, FilterTool, SearchedProcess, ProcessCommandLine | summarize EventCount = count(), Examples = make_set(ProcessCommandLine, 3) by DeviceName, AccountName, ListingTool, FilterTool, SearchedProcess | order by EventCount desc, DeviceName asc

let process_cmdlet_pattern = @"(?i)\b(get-process|get-wmiobject|get-ciminstance|get-ciminstance|gwmi|gcim|gps|ps)\b"; union isfuzzy=true ( DeviceEvents | where ActionType has "PowerShell" | extend CmdText = tostring(coalesce(AdditionalFields.Command, AdditionalFields.ScriptLine, AdditionalFields.ScriptBlockText, AdditionalFields.ScriptContent, AdditionalFields.Message, AdditionalFields.Content, AdditionalFields.AmsiContent)) | where isnotempty(CmdText) | where CmdText matches regex process_cmdlet_pattern or CmdText has_cs "Win32_Process" | extend ExecutedToken = tostring(extract(process_cmdlet_pattern, 1, CmdText)) | extend CanonicalCmdlet = case( tolower(ExecutedToken) in ("gps","ps"), "Get-Process", tolower(ExecutedToken) in ("gwmi","get-wmiobject"), "Get-WmiObject", tolower(ExecutedToken) in ("gcim","get-ciminstance","get-ciminstance"), "Get-CimInstance", tolower(ExecutedToken) == "get-process", "Get-Process", ExecutedToken) | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ActionType, Source = "PowerShellEvent", ExecutedToken, CanonicalCmdlet, CmdText ), ( DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | where isnotempty(ProcessCommandLine) | where ProcessCommandLine matches regex process_cmdlet_pattern or ProcessCommandLine has_cs "Win32_Process" | extend CmdText = ProcessCommandLine | extend ExecutedToken = tostring(extract(process_cmdlet_pattern, 1, CmdText)) | extend CanonicalCmdlet = case( tolower(ExecutedToken) in ("gps","ps"), "Get-Process", tolower(ExecutedToken) in ("gwmi","get-wmiobject"), "Get-WmiObject", tolower(ExecutedToken) in ("gcim","get-ciminstance","get-ciminstance"), "Get-CimInstance", tolower(ExecutedToken) == "get-process", "Get-Process", ExecutedToken) | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ActionType, Source = "ProcessCreate", ExecutedToken, CanonicalCmdlet, CmdText ) | where isnotempty(ExecutedToken) | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "taskmgr.exe" or ProcessCommandLine has_cs "taskmgr" | where InitiatingProcessFileName =~ "cmd.exe" // Require a switch after taskmgr (unusual because Task Manager is typically launched without flags) | where ProcessCommandLine matches regex @"(?i)\btaskmgr(?:\.exe)?\b.*(?:^|\s)[-/][^\s\""]+" // Extract one or more flags used with taskmgr | extend Flags = extract_all(@"(?i)(?:^|\s)([-/][\w\.-]+)", ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, FullCommand=ProcessCommandLine, Flags | order by TimeGenerated asc

let pwsh_bins = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let task_ns1 = @"root\microsoft\windows\taskscheduler"; let ps_wmi_calls = DeviceEvents | where (ActionType in~ ("WmiMethodInvoked","WmiMethodCall","WmiMethodExecuted")) or (tolower(ActionType) has "wmi" and tolower(ActionType) has "method") | where InitiatingProcessFileName in~ (pwsh_bins) | extend MethodName = tolower(coalesce(tostring(AdditionalFields.MethodName), tostring(AdditionalFields.Method), tostring(AdditionalFields["methodName"]))) | extend WmiNamespace = tolower(coalesce(tostring(AdditionalFields.Namespace), tostring(AdditionalFields["NameSpace"]), tostring(AdditionalFields["WmiNamespace"]))) | where MethodName == "registerbyxml" and (isempty(WmiNamespace) or WmiNamespace has task_ns1) | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine; let ps_cmd_matches = DeviceProcessEvents | where FileName in~ (pwsh_bins) | where (ProcessCommandLine has_cs "RegisterByXml" or InitiatingProcessCommandLine has_cs "RegisterByXml") | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName=FileName, InitiatingProcessId=ProcessId, InitiatingProcessCommandLine=coalesce(ProcessCommandLine, InitiatingProcessCommandLine); union ps_wmi_calls, ps_cmd_matches | extend Cmd = InitiatingProcessCommandLine // Extract XML path or bare filename from the PowerShell command line | extend xml_candidates = extract_all(@"(?i)(?:['""])?((?:[A-Z]:\\|\\\\)[^'""\s]+\.xml)", Cmd) | extend xml_names = extract_all(@"(?i)([^\\/:'""\s]+\.xml)", Cmd) | extend xml_token = case(array_length(xml_candidates) > 0, tostring(xml_candidates[0]), array_length(xml_names) > 0, tostring(xml_names[0]), "") | extend XmlFileName = tostring(extract(@"([^\\/:]+\.xml)", 1, xml_token)) | where isnotempty(XmlFileName) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Events=count(), Devices=make_set(DeviceName, 10) by XmlFileName | order by Events desc, LastSeen desc

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | summarize arg_max(TimeGenerated, DeviceName) by DeviceId | project DeviceId, DeviceName; let SuspiciousCronProcs = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (LinuxDevices) on DeviceId | extend fn = tolower(FileName), fp = tolower(FolderPath), pcmd = tostring(ProcessCommandLine), ipcmd = tostring(InitiatingProcessCommandLine) | extend LabeledCron = fn in ("cron","crond") | extend ExecASpoof = pcmd has "exec -a cron" or pcmd has "exec -a crond" or ipcmd has "exec -a cron" or ipcmd has "exec -a crond" | extend ExpectedCronDir = fp startswith "/usr/sbin/" or fp startswith "/sbin/" | where (LabeledCron and ExpectedCronDir == false) or ExecASpoof | extend ExecAChildTarget = extract(@"(?i)exec\s+-a\s+\S+\s+(\S+)", 1, pcmd) | extend ExecAParentTarget = extract(@"(?i)exec\s+-a\s+\S+\s+(\S+)", 1, ipcmd) | extend ActualExecutedBinaryRaw = coalesce(ExecAChildTarget, ExecAParentTarget, FolderPath) | extend ActualExecutedBinary = trim(" '\"", ActualExecutedBinaryRaw) | extend CronLabelUsed = iif(LabeledCron, FileName, coalesce( extract(@"(?i)exec\s+-a\s+((cron|crond))\b", 1, pcmd), extract(@"(?i)exec\s+-a\s+((cron|crond))\b", 1, ipcmd))) | extend ActualExecutedFileName = extract(@"([^/\\]+)$", 1, ActualExecutedBinary) | project CronProcTime=TimeGenerated, DeviceId, DeviceName, CronLabelUsed, OnDiskImagePath=FolderPath, ActualExecutedBinary, ActualExecutedFileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, SHA256, MD5, ReportId; let FileHistory = DeviceFileEvents | where ActionType in ("FileCreated","FileRenamed") | project DeviceId, FileEventTime=TimeGenerated, FileEventAction=ActionType, FilePath=FolderPath, NewFileName=FileName, PreviousPath=strcat(PreviousFolderPath, iif(isempty(PreviousFileName), "", strcat("/", PreviousFileName))); let Base = SuspiciousCronProcs | extend FileEventTime = datetime(null), FileEventAction = "", FilePath = "", PreviousPath = "", NewFileName = ""; let OnDiskJoin = SuspiciousCronProcs | join kind=leftouter (FileHistory) on $left.DeviceId == $right.DeviceId and $left.OnDiskImagePath == $right.FilePath | where isnotempty(FileEventTime) and FileEventTime between (CronProcTime - 14d .. CronProcTime + 1h) | project-away FilePath; let ActualExecJoin = SuspiciousCronProcs | where ActualExecutedBinary startswith "/" | join kind=leftouter (FileHistory) on $left.DeviceId == $right.DeviceId and $left.ActualExecutedBinary == $right.FilePath | where isnotempty(FileEventTime) and FileEventTime between (CronProcTime - 14d .. CronProcTime + 1h) | project-away FilePath; union Base, OnDiskJoin, ActualExecJoin | order by CronProcTime desc, FileEventTime asc

let ProcessListRegex = @"(?i)\b(tasklist(\.exe)?|(wmic(\.exe)?\s+(path\s+win32_process|process))|(qprocess(\.exe)?|query(\.exe)?\s+process)|((powershell|pwsh)(\.exe)?\b.*\bget-process\b))\b"; DeviceProcessEvents | where InitiatingProcessFileName =~ "cmd.exe" | where ProcessCommandLine matches regex ProcessListRegex or FileName matches regex @"(?i)^(tasklist|wmic|qprocess|query|powershell|pwsh)\.exe$" | extend BuiltInTool = case( FileName =~ "tasklist.exe" or ProcessCommandLine matches regex @"(?i)\btasklist(\.exe)?\b", "tasklist", FileName =~ "wmic.exe" or ProcessCommandLine matches regex @"(?i)\bwmic(\.exe)?\s+(path\s+win32_process|process)\b", "wmic process", FileName =~ "qprocess.exe" or ProcessCommandLine matches regex @"(?i)\b(qprocess(\.exe)?|query(\.exe)?\s+process)\b", "query process (qprocess)", ProcessCommandLine matches regex @"(?i)\b(powershell|pwsh)(\.exe)?\b.*\bget-process\b", "PowerShell Get-Process", "other" ) | where BuiltInTool != "other" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, BuiltInTool | order by TimeGenerated desc // To summarize which tool was used per device/account, append: // | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Events=count() by DeviceName, AccountName, BuiltInTool

let di = DeviceInfo | summarize arg_max(TimeGenerated, OSPlatform) by DeviceId | project DeviceId, OSPlatform; union isfuzzy=true ( DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "/etc/shells" or ProcessCommandLine contains "getent shells" or InitiatingProcessCommandLine contains "/etc/shells" or InitiatingProcessCommandLine contains "getent shells" | extend SourceTable = "DeviceProcessEvents" ), ( DeviceEvents | where ProcessCommandLine contains "/etc/shells" or ProcessCommandLine contains "getent shells" or InitiatingProcessCommandLine contains "/etc/shells" or InitiatingProcessCommandLine contains "getent shells" | extend SourceTable = "DeviceEvents" ) | join kind=inner di on DeviceId | where OSPlatform =~ "Linux" | extend EnumerationMethod = case( ProcessCommandLine contains "/etc/shells" or InitiatingProcessCommandLine contains "/etc/shells", "Direct read of /etc/shells", ProcessCommandLine contains "getent shells" or InitiatingProcessCommandLine contains "getent shells", "getent shells via NSS", "Other" ) | project TimeGenerated, DeviceName, AccountName, SourceTable, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, ProcessId, DeviceId, MachineGroup, EnumerationMethod | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) // lowercase helpers for case-insensitive matching | extend fn = tolower(FileName) | extend lcmd = tolower(ProcessCommandLine) // WMIC patterns for process enumeration | extend isWMIC = (fn == "wmic.exe" and (lcmd has " win32_process" or lcmd matches regex "\\bpath\\s+win32_process\\b" or lcmd matches regex "\\bprocess(\\s+list|\\s+where|\\s+get|\\s+call)\\b")) | extend isWMICRemote = isWMIC and (lcmd has "/node:" or lcmd matches regex "\\b/node:\\s*\\S+") // PowerShell WMI/CIM patterns for Win32_Process | extend isPSCim = (fn in ("powershell.exe","pwsh.exe") and lcmd matches regex "\\b(get-ciminstance|gcim)\\b.*\\b(win32_process)\\b") | extend isPSWmi = (fn in ("powershell.exe","pwsh.exe") and lcmd matches regex "\\b(get-wmiobject|gwmi)\\b.*\\b(win32_process)\\b") | extend isPSRemote = (isPSCim or isPSWmi) and (lcmd has "-computername" or lcmd has "-cimsession" or lcmd matches regex "\\bnew-cimsession\\b") // VBScript via WMI (best-effort based on CLI) | extend isVBSWmi = (fn in ("cscript.exe","wscript.exe") and lcmd matches regex "\\b(winmgmts:|win32_process|root\\\\cimv2)\\b") | where isWMIC or isPSCim or isPSWmi or isVBSWmi | extend Utility = case( isWMICRemote, "WMIC (remote)", isWMIC, "WMIC", isPSRemote and isPSCim, "PowerShell Get-CimInstance (remote)", isPSCim, "PowerShell Get-CimInstance", isPSRemote and isPSWmi, "PowerShell Get-WmiObject/gwmi (remote)", isPSWmi, "PowerShell Get-WmiObject/gwmi", isVBSWmi, "VBScript via WMI", "Other" ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, Utility, InitiatingProcessParentFileName, InitiatingProcessParentId | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleCommand = take_any(ProcessCommandLine) by Utility, DeviceName, AccountName | order by LastSeen desc, Count desc

let wmi_cmdlets = dynamic(["get-wmiobject","gwmi","get-ciminstance","gcim"]); DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | where ProcessCommandLine has_any (wmi_cmdlets) // Extract class from -Class / -ClassName | extend class_from_param = extract(@"(?i)-(?:class|classname)\s*(?::|=|\s)\s*['""]?((?:[A-Za-z]+\\[\w\\]+:)?[A-Za-z_][\w\.]+)", 1, ProcessCommandLine) // Extract class from a WQL -Query '... from <Class>' | extend class_from_query = extract(@"(?i)-query\s+.*?\bfrom\s+((?:[A-Za-z]+\\[\w\\]+:)?[A-Za-z_][\w\.]+)", 1, ProcessCommandLine) // Extract class when passed positionally right after the cmdlet (e.g., gwmi Win32_Process) | extend class_from_pos = extract(@"(?i)\b(?:get-wmiobject|gwmi|get-ciminstance|gcim)\s+['""]?((?:[A-Za-z]+\\[\w\\]+:)?[A-Za-z_][\w\.]+)\b", 1, ProcessCommandLine) // Capture -Namespace if present to qualify class when needed | extend ns = extract(@"(?i)-namespace\s*(?::|=|\s)\s*['""]?([A-Za-z]+\\[\w\\]+)", 1, ProcessCommandLine) | extend WmiClassRaw = coalesce(class_from_param, class_from_query, class_from_pos) | extend WmiClass = iff(isnotempty(ns) and isnotempty(WmiClassRaw) and not(WmiClassRaw contains ":"), strcat(ns, ":", WmiClassRaw), WmiClassRaw) | where isnotempty(WmiClass) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, WmiClass | summarize EventCount = count(), Examples = make_set(ProcessCommandLine, 3) by WmiClass | order by EventCount desc

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | summarize by DeviceId; DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linuxDevices) // awk variants and busybox awk | where FileName in~ ("awk","gawk","mawk","nawk") or (FileName =~ "busybox" and ProcessCommandLine has " awk") // BEGIN rule + shell execution indicators | where ProcessCommandLine has "BEGIN" and ( // system() used to launch a shell (ProcessCommandLine has "system(" and ProcessCommandLine has_any ("/bin/sh","/bin/bash","/bin/dash","/bin/ash","/bin/ksh","/bin/zsh"," sh"," bash"," dash"," ash"," ksh"," zsh")) // or piping to a shell command or ProcessCommandLine has_any ("| /bin/sh","| '/bin/sh","| \"/bin/sh","| /bin/bash","| '/bin/bash","| \"/bin/bash") ) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, DeviceId | order by TimeGenerated desc

let linux_devices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId; let gh_hosts = dynamic(["raw.githubusercontent.com","gist.githubusercontent.com","github.com"]); let pipe_indicators = dynamic(["| bash","|bash","| sh","|sh","bash -c","sh -c","bash <(","sh <("]); // Path A: Process events where the full pipeline is visible in the command line let process_hits = DeviceProcessEvents | where DeviceId in (linux_devices) | where ProcessCommandLine has_any ("curl","wget") | where ProcessCommandLine has_any (gh_hosts) | where ProcessCommandLine has_any (pipe_indicators) | extend Url = extract(@"https?://[^\s'""|)><]+", 0, ProcessCommandLine) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, Url; // Path B: Network events from curl/wget to GitHub raw hosts (captures URL even if pipeline not in process cmdline) let network_hits = DeviceNetworkEvents | where DeviceId in (linux_devices) | where InitiatingProcessFileName in ("curl","wget") | where RemoteUrl has_any (gh_hosts) | project TimeGenerated, DeviceId, DeviceName, AccountName=InitiatingProcessAccountName, InitiatingProcessAccountName, FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine, Url=RemoteUrl; union process_hits, network_hits | where isnotempty(Url) | extend ScriptName = tostring(extract(@"([^/?#]+)(?:\?[^#]*)?(?:#.*)?$", 1, Url)) | where isnotempty(ScriptName) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), DeviceCount=dcount(DeviceId), Devices=make_set(DeviceName), Examples=make_set(Url, 5) by ScriptName | order by LastSeen desc

let psNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let wmi_cmd_patterns = dynamic(["get-wmiobject","gwmi","get-ciminstance","wmic"]); let group_patterns = dynamic(["win32_group","win32_groupuser","associators of {win32_group","wmic group","wmic path win32_group","wmic path win32_groupuser"]); DeviceProcessEvents | where FileName in~ (psNames) | extend Encoded = extract(@"(?i)-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine) | extend Decoded = iff(isnotempty(Encoded), base64_decode_tostring(Encoded), "") | extend SearchText = tolower(strcat(ProcessCommandLine, " ", Decoded)) | where SearchText has_any (wmi_cmd_patterns) | where SearchText has_any (group_patterns) or SearchText matches regex @"wmic\s+group(\s|$)" | extend ExecutedCommand = iff(isnotempty(Decoded), Decoded, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessId, ExecutedCommand, InitiatingProcessParentFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

let linux_devices = DeviceInfo | where OSPlatform == "Linux" | summarize arg_max(TimeGenerated, *) by DeviceId | project DeviceId; let group_enum_sessions = DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linux_devices) | extend cmd = tostring(ProcessCommandLine) | where tolower(FileName) in ("id","groups","getent","cat","grep","awk","cut") or cmd has "/etc/group" or cmd has "getent group" | summarize utils = make_set(tolower(FileName)), firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated) by DeviceId, DeviceName, InitiatingProcessSessionId | where array_length(utils) >= 2; DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linux_devices) | extend cmd = tostring(ProcessCommandLine) | where tolower(FileName) == "getent" or cmd matches regex @"\bgetent\s+group\b" | where cmd has "group" // ensure it's querying the group database | join kind=inner (group_enum_sessions) on DeviceId, InitiatingProcessSessionId | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessSessionId, UtilityUsedToQueryGroupDB = "getent", ProcessCommandLine | order by TimeGenerated asc

// Shell escape via Perl package manager (cpan/cpanm / perl -MCPAN) let shell_names = dynamic(["sh","bash","dash","zsh","ksh","ash","busybox","fish"]); let cpan_regex = @"(?i)\bcpanm?\b|(-MCPAN|CPAN::)"; let Proc = DeviceProcessEvents | where ActionType == "ProcessCreated" | project DeviceId, DeviceName, TimeGenerated, AccountName, AccountDomain, FileName, FolderPath, ProcessCommandLine, ProcessId, ProcessCreationTime, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentId, InitiatingProcessParentCreationTime, InitiatingProcessParentFileName; // Shell processes on Linux let Shells = Proc | where FileName in (shell_names) | where FolderPath startswith "/"; // Parent (the tool that spawned the shell) let ShellsWithParent = Shells | join kind=inner ( Proc | project DeviceId, ParentProcessId = ProcessId, ParentProcessCreationTime = ProcessCreationTime, ToolFileName = FileName, ToolFolderPath = FolderPath, ToolCommandLine = ProcessCommandLine, ToolProcessId = ProcessId, ToolProcessCreationTime = ProcessCreationTime, ToolInitiatingProcessId = InitiatingProcessId, ToolInitiatingProcessCreationTime = InitiatingProcessCreationTime, ToolInitiatingProcessFileName = InitiatingProcessFileName, ToolInitiatingProcessCommandLine = InitiatingProcessCommandLine ) on $left.DeviceId == $right.DeviceId and $left.InitiatingProcessId == $right.ParentProcessId and $left.InitiatingProcessCreationTime == $right.ParentProcessCreationTime; // Grandparent (often cpan/cpanm or perl running CPAN) let ShellsWithAncestors = ShellsWithParent | join kind=leftouter ( Proc | project DeviceId, GPProcessId = ProcessId, GPProcessCreationTime = ProcessCreationTime, GPFileName = FileName, GPFolderPath = FolderPath, GPCommandLine = ProcessCommandLine ) on $left.DeviceId == $right.DeviceId and $left.ToolInitiatingProcessId == $right.GPProcessId and $left.ToolInitiatingProcessCreationTime == $right.GPProcessCreationTime // Keep cases indicating CPAN involvement | where ToolFileName in ("cpan","cpanm") or ToolCommandLine matches regex cpan_regex or coalesce(GPFileName, "") in ("cpan","cpanm") or coalesce(GPCommandLine, "") matches regex cpan_regex or (ToolFileName =~ "perl" and ToolCommandLine matches regex cpan_regex) or (coalesce(GPFileName, "") =~ "perl" and coalesce(GPCommandLine, "") matches regex cpan_regex) | project TimeGenerated, DeviceName, AccountName, ShellFileName = FileName, ShellCommandLine = ProcessCommandLine, ToolFileName, ToolCommandLine, CpanAncestorFile = GPFileName, CpanAncestorCmd = GPCommandLine | order by TimeGenerated desc; ShellsWithAncestors // Optional: identify which tool most commonly spawns shells in this context // | summarize ShellLaunches = count(), ExampleShellCmds = make_set(ShellCommandLine, 3) by DeviceName, ToolFileName, ToolCommandLine // | order by ShellLaunches desc