gpt-5-mini-high

let Keywords = dynamic(["tcp","metric","metrics","cache","mcache","route","-i","-s","-I","--metrics","ss -i","ss -I","ip route","ip -s","netstat -s","netstat -i"]); let CommandFilters = (cmd:string){ cmd =~ cmd }; union isfuzzy=true DeviceProcessEvents ,DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) | extend Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine) | where Cmd has_any ("ip","ss","netstat") // filter for keywords indicating TCP metric/cache/metrics | where Cmd has_any ("tcp", "metric", "metrics", "cache", "mcache", "route", "-i", "-s", "--metrics", "-I", "-i=") // exclude invocations that explicitly target loopback interfaces or 127.0.0.1 | where not(Cmd has " lo" or Cmd has " lo:" or Cmd has "\"lo\"" or Cmd has "127.0.0.1" or Cmd has "::1") | extend Utility = extract(@"(^|\s)([^/\s]+)(?:$|\s)", 2, Cmd) | extend Utility = iif(isempty(Utility), file_name_simplified=tolower(tostring(split(Cmd, ' ')[0])), tolower(Utility)) | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, ProcessId, Cmd, Utility, InitiatingProcessFileName, FileName, ActionType | summarize count(), SampleCmds = make_set(Cmd, 10) by Utility, DeviceName, DeviceId | order by count_ desc | limit 50

// Find files created by rundll32.exe using COMSVCS.DLL that likely dumped svchost.exe memory into Temp union isfuzzy=true (DeviceFileEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where InitiatingProcessFileName has_cs "rundll32.exe" or InitiatingProcessFileName has_cs "rundll32" | where InitiatingProcessCommandLine has_cs "COMSVCS.DLL" or InitiatingProcessCommandLine has_cs "comsvcs.dll" | where FolderPath has_cs "\\Temp" or FileName has_cs "tmp" or FileName has_cs ".dmp" or FileName has_cs ".tmp" | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountName, AdditionalFields ) | union (DeviceEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where ActionType has_cs "FileCreated" or ActionType has_cs "Created" or Type has_cs "File" or FileName != "" | where InitiatingProcessFileName has_cs "rundll32.exe" or InitiatingProcessCommandLine has_cs "COMSVCS.DLL" or ProcessCommandLine has_cs "COMSVCS.DLL" | where FolderPath has_cs "\\Temp" or FileName has_cs "tmp" or FileName has_cs ".dmp" or FileName has_cs ".tmp" | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountName, AdditionalFields ) | where isnotempty(FileName) and (FileName endswith ".dmp" or FileName endswith ".tmp" or FolderPath has_cs "\\Temp") | extend FullPath = strcat(FolderPath, "\\", FileName) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Occurrences=count(), any_InitiatingProcessCommandLine=any(InitiatingProcessCommandLine), any_InitiatingProcessFileName=any(InitiatingProcessFileName) by DeviceName, FullPath, FileName, FolderPath, FileSize | where any_InitiatingProcessCommandLine has_cs "COMSVCS.DLL" or any_InitiatingProcessCommandLine has_cs "comsvcs.dll" | order by FirstSeen desc | take 50

// Detect netsh wlan show profile ... key=clear usage in process creation logs let pattern = @"netsh\s+wlan\s+show\s+profile|key=clear"; // Search DeviceProcessEvents (recommended) and DeviceEvents for redundancy DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d))..now()) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern | extend matched = iff(tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern, 1, 0) | where matched == 1 | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId | union ( DeviceEvents | where TimeGenerated between (startofday(ago(7d))..now()) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCreationTime=ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ) | sort by TimeGenerated desc | distinct DeviceName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain, TimeGenerated | take 100

// Search for common Linux service enumeration commands across process events and device events let service_patterns = dynamic([ "systemctl list-units", "systemctl --type=service", "systemctl status", "service --status-all", "ls /etc/init.d", "chkconfig --list", "svcs -a", "rcsvcs -a", "systemctl list-units --type=service", "service --status-all 2>&1", "systemctl --all", "systemctl --type=service --all", "systemctl list-unit-files", "systemctl --failed" ]); // DeviceProcessEvents (recommended for process command lines) let dpe = DeviceProcessEvents | where TimeGenerated >= ago(30d) | where isnotempty(ProcessCommandLine) | where FileName has_any ("systemctl","service","chkconfig","svcs","rcsvcs","ls","systemctl") | where array_length(service_patterns) == array_length(service_patterns) or true | where ( ProcessCommandLine has "systemctl" or ProcessCommandLine has "service --status-all" or ProcessCommandLine has "/etc/init.d" or ProcessCommandLine has "chkconfig" or ProcessCommandLine has "svcs -a" or ProcessCommandLine has "rcsvcs -a" ) | extend Command = ProcessCommandLine, Account = tostring(AccountName) | project TimeGenerated, DeviceName, FileName, ProcessId, Command, Account, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime, ReportId, TenantId ; // DeviceEvents may also contain process command lines let de = DeviceEvents | where TimeGenerated >= ago(30d) | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_any ("systemctl","service","chkconfig","svcs","rcsvcs","/etc/init.d","ls /etc/init.d") | extend Command = ProcessCommandLine, Account = tostring(AccountName) | project TimeGenerated, DeviceName, FileName, ProcessId, Command, Account, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime, ReportId, TenantId ; // Union results and deduplicate by Command + Device + ProcessId union dpe, de | sort by TimeGenerated desc | extend match = case( Command has "systemctl", "systemctl", Command has "service --status-all", "service", Command has "/etc/init.d", "init.d", Command has "chkconfig", "chkconfig", Command has "svcs", "svcs", Command has "rcsvcs", "rcsvcs", Command has "launchctl", "launchctl", "other") | summarize FirstSeenUtc = min(TimeGenerated), LastSeenUtc = max(TimeGenerated), count() by Command, DeviceName, FileName, ProcessId, Account, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by LastSeenUtc desc | project LastSeenUtc, FirstSeenUtc, DeviceName, FileName, ProcessId, Account, Command, InitiatingProcessFileName, InitiatingProcessCommandLine, count_ | take 200

union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(cmd) | extend cmd_l = tolower(cmd) // Look for commands commonly used to list TCP connections | where cmd_l matches regex @"\bnetstat\b" or cmd_l matches regex @"\bss\b" or cmd_l matches regex @"\blsof\b" or cmd_l contains "/proc/net/tcp" | extend utility = case( cmd_l matches regex @"\bnetstat\b", "netstat", cmd_l matches regex @"\bss\b", "ss", cmd_l matches regex @"\blsof\b", "lsof", cmd_l contains "/proc/net/tcp", "/proc/net/tcp", "other") | project TimeGenerated, DeviceName, DeviceId, AccountName, FileName, ProcessId, utility, cmd | order by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents | extend cmd = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")) // Filter for common ways to list ARP neighbors/cache: arp.exe (arp -a), Get-NetNeighbor / Get-NetIPNeighbor, and netsh neighbor show | where cmd contains "arp" or cmd contains "get-netneighbor" or cmd contains "get-netipneighbor" or (cmd contains "netsh" and (cmd contains "neighbor" or cmd contains "show neighbors")) | extend matched = case( cmd contains "get-netneighbor" or cmd contains "get-netipneighbor", "Get-NetNeighbor", cmd contains "arp", "arp.exe", cmd contains "netsh" and (cmd contains "neighbor" or cmd contains "show neighbors"), "netsh neighbors", "other") | project TimeGenerated, ProcessCreationTime, DeviceName, AccountName, FileName, ProcessId, InitiatingProcessId, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, matched | order by ProcessCreationTime desc

union isfuzzy=true DeviceProcessEvents, DeviceEvents | where (tolower(FileName) contains "powershell" or tolower(FileName) contains "pwsh" or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh") // Look for common PSRemoting enabling commands | where ( tolower(ProcessCommandLine) contains "enable-psremoting" or tolower(ProcessCommandLine) contains "winrm quickconfig" or tolower(ProcessCommandLine) contains "set-item wsman" or tolower(ProcessCommandLine) contains "enable-wsmancredssp" or tolower(ProcessCommandLine) contains "enable-pssessionconfiguration" ) // Restrict to elevated sessions (token elevation or high integrity) | where ( tolower(ProcessTokenElevation) contains "elev" or tolower(InitiatingProcessTokenElevation) contains "elev" or tolower(ProcessIntegrityLevel) contains "high" or tolower(InitiatingProcessIntegrityLevel) contains "high" ) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, ProcessTokenElevation, InitiatingProcessTokenElevation, ReportId, _ResourceId | sort by TimeGenerated desc | take 100

union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents | extend PCmd = tostring(ProcessCommandLine), IPcmd = tostring(InitiatingProcessCommandLine) | extend PCmdL = tolower(PCmd), IPcmdL = tolower(IPcmd) // look for Format-Hex (PowerShell) and evidence of DOS device/raw volume access (\\.\ or physicaldrive) | where (PCmdL contains "format-hex" or PCmdL contains "formathex" or IPcmdL contains "format-hex" or IPcmdL contains "formathex") and (PCmdL contains "\\\\.\\" or IPcmdL contains "\\\\.\\" or PCmdL contains "physicaldrive" or IPcmdL contains "physicaldrive") | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = PCmd, InitiatingProcessCommandLine = IPcmd, ReportId, SourceSystem | sort by TimeGenerated desc | take 100

DeviceNetworkEvents | where RemotePort == 445 | where tolower(tostring(InitiatingProcessFileName)) contains "powershell" | project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine | extend CmdLine = tostring(InitiatingProcessCommandLine) // capture known SMB/test cmdlets first, otherwise fall back to the first verb-noun token | extend KnownCmdlet = extract(@"(?i)\b(Test-NetConnection|Test-Connection|New-SmbMapping|Get-SmbConnection|Get-SmbShare|New-PSDrive|Test-Path|Invoke-Command|net use)\b", 1, CmdLine) | extend FirstVerbNoun = extract(@"(?i)\b([a-z]+-[a-z0-9]+)\b", 1, CmdLine) | extend Cmdlet = iif(isnotempty(KnownCmdlet), KnownCmdlet, FirstVerbNoun) | where isnotempty(Cmdlet) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleDevice = any(DeviceName), SampleInitiatingProcessId = any(InitiatingProcessId), SampleCommandLine = any(CmdLine), RemoteIPs = make_set(RemoteIP, 20) by Cmdlet | order by Count desc

// Identify Linux devices (adjust OSPlatform/OSDistribution checks as needed) let linuxDevices = DeviceInfo | where isnotempty(OSPlatform) and tolower(OSPlatform) has "linux" | distinct DeviceId; // Find file events for those devices and compute previous observed size (prev event or AdditionalFields.PreviousFileSize) let hits = DeviceFileEvents | where DeviceId in (linuxDevices) | order by DeviceId, FolderPath, FileName, TimeGenerated asc | serialize | extend previous_file_size_field = tolong(AdditionalFields["PreviousFileSize"]) | extend prev_event_file_size = prev(FileSize) | extend prevSize = coalesce(prev_event_file_size, previous_file_size_field) | where isnotempty(prevSize) and FileSize - prevSize == 1 | project TimeGenerated, DeviceName, DeviceId, FolderPath, FileName, prevSize, FileSize, delta = FileSize - prevSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, ActionType, AdditionalFields; // Summary: which initiating utilities/command-lines caused the 1-byte padding hits | summarize occurrences = count(), firstSeen = min(TimeGenerated), lastSeen = max(TimeGenerated) by InitiatingProcessFileName, InitiatingProcessCommandLine | order by occurrences desc | limit 50

union withsource=SourceTable DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceLogonEvents | extend CommandLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine)) | where isnotempty(CommandLine) // Normalize whitespace for matching | where CommandLine matches regex @"(?i)\bcmdkey(?:\.exe)?\b.*\b(?:/|-)list\b|\bcmdkey(?:\.exe)?\b.*\blist\b" | project TimeGenerated, SourceTable, DeviceName, AccountName, InitiatingProcessAccountName, FileName = coalesce(FileName, InitiatingProcessFileName), ProcessId, InitiatingProcessId, CommandLine | summarize Count = count(), LatestTime = max(TimeGenerated), Devices = make_set(DeviceName, 100), Users = make_set(AccountName, 100), SourceTables = make_set(SourceTable) by CommandLine | order by LatestTime desc | project ExactCommand = CommandLine, Count, LatestTime, Devices, Users, SourceTables

let cmdSources = ( DeviceProcessEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | project Timestamp, DeviceName, FileName, ProcessId, CmdLine, InitiatingProcessFileName ) | union ( DeviceEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | project Timestamp, DeviceName, FileName, ProcessId, CmdLine, InitiatingProcessFileName ); cmdSources | where isnotempty(CmdLine) | where (FileName has_cs "cmd.exe") or (InitiatingProcessFileName has_cs "cmd.exe") or tolower(CmdLine) contains "cmd.exe" | where tolower(CmdLine) contains "ping" | where (tolower(CmdLine) contains "for /l" or tolower(CmdLine) contains "for /f" or tolower(CmdLine) contains "for %") | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Examples=make_set(CmdLine, 20) by DeviceName, FileName, ProcessId | mv-expand Examples | project DeviceName, FileName, ProcessId, PingSweepCommandLine=Examples, FirstSeen, LastSeen | order by FirstSeen desc

// PowerShell processes used to enumerate network connections DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe' or ProcessCommandLine has 'powershell' or ProcessCommandLine has 'pwsh' // Look for common cmdlets and commands used to list TCP connections | where ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "Get-NetTCPStatistics", "Get-NetAdapter", "netstat", "ss -t", "Get-NetConnectionProfile", "Get-NetIPConnection") | extend MatchedCommand = case( ProcessCommandLine has "Get-NetTCPConnection", "Get-NetTCPConnection", ProcessCommandLine has "netstat", "netstat", ProcessCommandLine has "ss -t", "ss -t", ProcessCommandLine has "Get-NetUDPEndpoint", "Get-NetUDPEndpoint", ProcessCommandLine has "Get-NetTCPStatistics", "Get-NetTCPStatistics", ProcessCommandLine has "Get-NetConnectionProfile", "Get-NetConnectionProfile", ProcessCommandLine has "Get-NetIPConnection", "Get-NetIPConnection", "other") | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, AccountName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine | order by LastSeen desc, Count desc | project FirstSeen, LastSeen, Count, DeviceName, AccountName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine

union isfuzzy=true DeviceFileEvents, DeviceEvents | where ( tolower(coalesce(FolderPath, "")) startswith "/var/spool/cron/crontabs" or tolower(coalesce(FileName, "")) contains "/var/spool/cron/crontabs" or tostring(AdditionalFields) contains "/var/spool/cron/crontabs" ) | where ( tolower(coalesce(ActionType, "")) contains "creat" or tolower(coalesce(ActionType, "")) contains "write" or tolower(coalesce(ActionType, "")) contains "modif" ) | extend FolderPathLower = tolower(coalesce(FolderPath, "")), FileNameStr = tostring(FileName) // Build a full path: if FileName is already an absolute path use it, otherwise prefix FolderPath | extend FullPath = iff(FileNameStr startswith "/", FileNameStr, strcat(FolderPathLower, "/", FileNameStr)) | extend AddedFile = extract(@'([^/]+)$', 1, FullPath) | project TimeGenerated, DeviceName, AccountName, ActionType, FullPath, AddedFile, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = dcount(DeviceName), DeviceList = make_set(DeviceName, 20) by AddedFile, FullPath | order by LastSeen desc | take 200

let events = union isfuzzy=true DeviceProcessEvents, DeviceEvents; events | extend cmd_raw = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(cmd_raw) | extend cmd = tolower(tostring(cmd_raw)), file = tolower(tostring(FileName)), ipfile = tolower(tostring(InitiatingProcessFileName)) // look for schtasks as the creator (file name or in the commandline) and signs of a PowerShell task being created | where file contains "schtasks" or ipfile contains "schtasks" or cmd contains "schtasks" | where cmd contains "powershell" or cmd contains ".ps1" or cmd contains "/tr" or cmd contains "/create" // extract the first non-space token that ends with .ps1 (may include surrounding quotes) | extend ps1_raw = extract(@"(?i)(\S+\.ps1)", 1, cmd) | where isnotempty(ps1_raw) // remove surrounding single or double quotes if present | extend ps1 = trim("'\"", tostring(ps1_raw)) // summarize distinct scripts and provide examples for triage | summarize Devices = make_set(DeviceName), Count = count(), SampleCommand = any(cmd_raw), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ps1 | order by Count desc

// Search for executions that indicate scheduled-task creation/registration DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // Look for known scheduling utilities / patterns and PowerShell cmdlets/flags used to create tasks | where ProcessCommandLine has_any ("schtasks","/create","/Create","Register-ScheduledTask","New-ScheduledTask","-AtLogon","-AtStartup","schtasks.exe","at ") or FileName has_any ("schtasks","at","powershell","pwsh") | extend exe = tolower(tostring(FileName)), cmd = tostring(ProcessCommandLine) | summarize Count = count(), SampleCommands = make_list(cmd, 10), SampleDevices = make_list(DeviceName, 10) by exe | order by Count desc // (Optional) If you want raw events for deeper triage, uncomment the block below: // DeviceProcessEvents // | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // | where ProcessCommandLine has_any ("schtasks","/create","/Create","Register-ScheduledTask","New-ScheduledTask","-AtLogon","-AtStartup","schtasks.exe","at ") // or FileName has_any ("schtasks","at","powershell","pwsh") // | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine // | order by TimeGenerated desc

union isfuzzy=true ( DeviceEvents | where SourceSystem == "Linux" or DeviceName has "linux" or tostring(AdditionalFields) has "systemd" or ProcessCommandLine has "systemctl" or ProcessCommandLine has "systemd" ), ( DeviceProcessEvents | where SourceSystem == "Linux" or DeviceName has "linux" or tostring(AdditionalFields) has "systemd" or ProcessCommandLine has "systemctl" or ProcessCommandLine has "systemd" ) // build a searchable raw message from common fields and any embedded Message in AdditionalFields | extend raw = strcat( tostring(AdditionalFields), " ", extractjson("$.Message", tostring(AdditionalFields)), " ", ProcessCommandLine, " ", FileName, " ", ActionType ) // narrow to likely systemd timer related lines | where raw has_any ("timer", ".timer", "systemd", "started", "starting", "enabled", "created symlink", "loaded", "activated", "triggered") // try multiple extraction patterns for timer unit names | extend TimerName = coalesce( extract(@"([\w\-\.\@]+\.timer)", 1, raw), extract(@"Unit\s+([\w\-\.\@]+)\.timer", 1, raw), extract(@"Started\s+([\w\-\.\@]+)\.timer", 1, raw), extract(@"Created symlink.*?([^/\s]+\.timer)", 1, raw) ) | extend lraw = tolower(raw) | extend Action = case( lraw contains "enabled" or lraw contains "created symlink" or lraw contains "symlink", "Enabled/Linked", lraw contains "started" or lraw contains "starting", "Started", lraw contains "loaded", "Loaded", lraw contains "activated" or lraw contains "triggered", "Activated", "Other" ) | where isnotempty(TimerName) | project TimeGenerated, DeviceName, DeviceId, TimerName, Action, raw, SourceSystem, ReportId | sort by TimeGenerated desc | distinct TimeGenerated, DeviceName, DeviceId, TimerName, Action, raw, SourceSystem, ReportId | take 200

let food_regex = @"(?i)\b(cookie|cookies|cake|honey|donut|donuts|doughnut|biscuit|biscuits|apple|pear|cheese|bacon|burger|sandwich|salad|soup|banana|orange|grape|cherry|muffin)\b"; let recon_keywords = dynamic(["sharphound","bloodhound","invoke-sharphound","invoke-bloodhound","adfind","nbtscan","nmap","masscan","recon-ng","ldapsearch","get-domain","get-ad","get-net","get-aduser","get-adcomputer","find-ad","invoke-aclscanner","invoke-sharefinder","get-localuser","get-localgroup","net user","net group"]); // Combine relevant sources into a common shape ( DeviceProcessEvents | project TimeGenerated, Source = "DeviceProcessEvents", DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId, ReportId ) | union ( DeviceEvents | project TimeGenerated, Source = "DeviceEvents", DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId = InitiatingProcessId, ReportId ) | union ( DeviceFileEvents | project TimeGenerated, Source = "DeviceFileEvents", DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessCommandLine = InitiatingProcessCommandLine, ProcessId = InitiatingProcessId, ReportId ) | extend lcCmd = tolower(tostring(ProcessCommandLine)), lcFile = tolower(tostring(FileName)) // Filter to likely reconnaissance activity or food-named functions | where (isnotempty(lcCmd) and lcCmd has_any (recon_keywords)) or (isnotempty(lcFile) and lcFile has_any (recon_keywords)) or (isnotempty(lcCmd) and lcCmd matches regex food_regex) // Extract possible function/collector names and any food word | extend FoodMatch = extract(food_regex, 1, lcCmd) | extend InvokedFunction = extract(@"(?i)\b(invoke-[\w-]+)", 1, lcCmd) | extend CollectionMethods = extract(@"(?i)(?:-c\s+|--collectionmethod(?:=|\s+)?|-collectionmethod\s+|--collectors(?:=|\s+)?|-collectors\s+)\s*([a-z0-9,]+)", 1, lcCmd) | extend OtherCollectorFlags = extract(@"(?i)(?:--?collector[s]?\s*=?\s*)([a-z0-9,]+)", 1, lcCmd) // Choose the most relevant function name (food word preferred) | extend DeducedFunction = case( isempty(FoodMatch) == false, FoodMatch, isempty(CollectionMethods) == false, CollectionMethods, isempty(OtherCollectorFlags) == false, OtherCollectorFlags, isempty(InvokedFunction) == false, InvokedFunction, "" ) | project TimeGenerated, Source, DeviceName, Account, FileName, ProcessId, ProcessCommandLine, DeducedFunction, FoodMatch, InvokedFunction, CollectionMethods, OtherCollectorFlags, ReportId | order by TimeGenerated desc | take 200

let suspiciousRegex = @"(?i)\/(e\b|s\b|q\b|off\b|k\b|c\b)"; union DeviceProcessEvents, DeviceEvents | where tolower(InitiatingProcessFileName) has "cmd" and (tolower(FileName) == "taskmgr.exe" or tolower(ProcessCommandLine) has "taskmgr") | extend InitiatingCommand = tostring(InitiatingProcessCommandLine), TargetCmd = tostring(ProcessCommandLine) | extend SuspiciousFlagFound = (InitiatingCommand matches regex suspiciousRegex) or (TargetCmd matches regex suspiciousRegex) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingCommand, FileName, TargetCmd, ProcessId, InitiatingProcessId, SuspiciousFlagFound | sort by SuspiciousFlagFound desc, TimeGenerated desc | limit 100

let CmdletRegex = @"(?i)\b((?:get-process|get-wmiobject|get-ciminstance|gwmi|tasklist(?:\.exe)?|\bGet-Process\b|\bGet-WmiObject\b|\bGet-CimInstance\b|\bgwmi\b|\btasklist\b|\bwin32_process\b)[^;|&\r\n]*)"; union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine), tostring(AdditionalFields.commandline), tostring(AdditionalFields.CommandLineText)) | where isnotempty(CmdLine) and CmdLine has_cs "powershell" | where CmdLine matches regex CmdletRegex | extend MatchedCmd = extract(CmdletRegex, 1, CmdLine) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCmd = any(MatchedCmd), ExampleFullCmd = any(CmdLine) by DeviceName, AccountName, FileName, ProcessId, ReportId | sort by LastSeen desc | project FirstSeen, LastSeen, Count, DeviceName, AccountName, FileName, ProcessId, ReportId, ExampleCmd, ExampleFullCmd | take 1000

// Identify scripts downloaded from GitHub raw URLs via curl/wget piped to bash let github_raw_patterns = dynamic(["raw.githubusercontent.com", "raw.githubusercontent.com", "raw.github.com","githubusercontent.com"]); let curl_wget_filter = (s:string) { s has "curl" and s has "|" and s has "bash" or s has "wget" and (s has "-O-" or s has "-qO-" or s has "-O -") and s has "|" and s has "bash" }; // Search DeviceProcessEvents (preferred) and DeviceEvents let procEvents = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where curl_wget_filter(ProcessCommandLine) or curl_wget_filter(InitiatingProcessCommandLine) | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend RemoteUrl = extract(@"((https?://)[^\s'\|]+raw[^\s'\|]+|https?://[^\s'\|]+raw\.githubusercontent\.com[^\s'\|]+|https?://[^\s'\|]*raw\.githubusercontent\.com[^\s'\|]+|https?://raw\.githubusercontent\.com[^\s'\|]+|https?://raw\.githubusercontent\.com[^\s'\|]+)", 1, CmdLine) | extend RemoteUrl = iff(isempty(RemoteUrl), extract(@"https?://[^\s'\|]+githubusercontent\.com[^\s'\|]+", 0, CmdLine), RemoteUrl) | extend ScriptName = trim_end(@"/", tostring(parse_url(RemoteUrl).Path)) | extend ScriptName = replace_regex(ScriptName, @"^.*/", "") | project TimeGenerated, DeviceName, ProcessId, ProcessCreationTime, FileName, CmdLine, RemoteUrl, ScriptName ; let devEvents = DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | where curl_wget_filter(ProcessCommandLine) or curl_wget_filter(InitiatingProcessCommandLine) | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend RemoteUrl = extract(@"https?://[^\s'\|]+(raw\.githubusercontent\.com|raw\.github\.com|rawgithubusercontent)\/[^\s'\|]+", 0, CmdLine) | extend RemoteUrl = iff(isempty(RemoteUrl), extract(@"https?://[^\s'\|]+githubusercontent\.com[^\s'\|]+", 0, CmdLine), RemoteUrl) | extend ScriptName = trim_end(@"/", tostring(parse_url(RemoteUrl).Path)) | extend ScriptName = replace_regex(ScriptName, @"^.*/", "") | project TimeGenerated, DeviceName, ProcessId=InitiatingProcessId, ProcessCreationTime=InitiatingProcessCreationTime, FileName=InitiatingProcessFileName, CmdLine, RemoteUrl, ScriptName ; // Combine and return distinct script names with sample evidence procEvents | union devEvents | where isnotempty(RemoteUrl) | summarize count(), Samples = make_list(pack_all(), 10) by ScriptName | order by count_ desc | project ScriptName, Count = count_, Samples

union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents | extend ProcFile = tostring(coalesce(FileName, InitiatingProcessFileName)), CmdLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields["CommandLine"]))) | where isnotempty(ProcFile) and tolower(ProcFile) endswith "cmd.exe" | where isnotempty(CmdLine) and ( tolower(CmdLine) contains "tasklist" or tolower(CmdLine) contains "wmic" or tolower(CmdLine) contains "get-process" or tolower(CmdLine) contains "powershell" or tolower(CmdLine) contains "pslist" ) | extend DetectedTool = case( tolower(CmdLine) contains "tasklist", "tasklist", tolower(CmdLine) contains "wmic", "wmic", tolower(CmdLine) contains "get-process" or tolower(CmdLine) contains "powershell", "PowerShell (Get-Process)", tolower(CmdLine) contains "pslist", "Sysinternals PsList", "unknown" ) | project TimeGenerated, DeviceName, AccountName = coalesce(AccountName, InitiatingProcessAccountName), ProcFile, CmdLine, DetectedTool | sort by TimeGenerated desc | take 100

// Find Linux process creations where awk uses a BEGIN rule to launch a shell // Search both DeviceProcessEvents and DeviceEvents (some environments populate either table) let src = union DeviceProcessEvents, DeviceEvents; src | where isnotempty(ProcessCommandLine) // Narrow to commands that call awk and include a BEGIN clause | where tolower(ProcessCommandLine) contains "awk" and tolower(ProcessCommandLine) contains "begin" // Look for common indicators of launching a shell from awk: system/exec, explicit /bin/sh or /bin/bash, piping to a shell, getline usage | where ( tolower(ProcessCommandLine) contains "system" or tolower(ProcessCommandLine) contains "exec(" or tolower(ProcessCommandLine) contains "/bin/sh" or tolower(ProcessCommandLine) contains "/bin/bash" or tolower(ProcessCommandLine) contains "|/bin" or tolower(ProcessCommandLine) contains "getline" ) // Also include entries that match a broader regex for patterns like: awk 'BEGIN{system("/bin/sh")}' or ProcessCommandLine matches regex "(?i)\\bawk\\b.*BEGIN.*system\\s*\\(" | project TimeGenerated, DeviceName, DeviceId, AccountName, ProcessId, ProcessCreationTime, FileName, CommandLine=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | distinct TimeGenerated, DeviceName, DeviceId, AccountName, ProcessId, ProcessCreationTime, FileName, CommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | take 100

let linuxDevices = DeviceInfo | where tolower(OSPlatform) has "linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) // look for common group-enumeration commands or reads of /etc/group | where tolower(ProcessCommandLine) has_any ("getent", "/etc/group", "groups", "id -g", "id -G") | extend tool = case( tolower(ProcessCommandLine) contains "getent", "getent", tolower(ProcessCommandLine) contains "cat /etc/group" or tolower(ProcessCommandLine) contains "/etc/group", "cat /etc/group", tolower(ProcessCommandLine) contains "groups", "groups", tolower(ProcessCommandLine) contains "id -g" or tolower(ProcessCommandLine) contains "id -G" or tolower(FileName) == "id", "id", "other") // flag whether this event queried the system group database (getent group) | extend queried_system_group_db = iff(tool == "getent" or tolower(ProcessCommandLine) has "getent group", true, false) | project TimeGenerated, DeviceName, DeviceId, FileName, ProcessId, CreatedProcessSessionId, InitiatingProcessFileName, InitiatingProcessId, ProcessCommandLine, tool, queried_system_group_db | order by TimeGenerated asc

let history_files = dynamic([".bash_history", ".zsh_history", ".sh_history", ".history", "fish_history"]); let cmd_indicators = dynamic(["/dev/null", "ln -s", "ln -f", "ln ", "unlink ", "rm ", "cat ", "tee ", "dd ", "> /dev/null", ">/dev/null", "history -c", "shred", "truncate"]); // Process executions that reference /dev/null or history files let proc_hits = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_any(cmd_indicators) or ProcessCommandLine has_any(history_files) | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, ProcessId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessCreationTime; // File events touching common history filenames (helps catch symlink/hardlink actions) let file_hits = DeviceFileEvents | where FileName in (".bash_history", ".zsh_history", ".sh_history", ".history", "fish_history") | where ActionType has_any ("Deleted", "Created", "Modified", "HardlinkCreated", "SymlinkCreated", "Renamed", "Overwritten", "Overwrite") or tostring(AdditionalFields) has "/dev/null" | project TimeGenerated, DeviceName, DeviceId, AccountName = RequestAccountName, AccountDomain = RequestAccountDomain, ProcessId = InitiatingProcessId, InitiatingProcessId = InitiatingProcessParentId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine = InitiatingProcessCommandLine, ProcessCreationTime = InitiatingProcessCreationTime, FileName, FolderPath, ActionType, AdditionalFields; union isfuzzy=true proc_hits, file_hits | extend matched_devnull = (tolower(tostring(ProcessCommandLine)) contains "/dev/null") or (tostring(AdditionalFields) contains "/dev/null") | extend suspect_utility = case( tolower(ProcessCommandLine) contains " ln" or tolower(ProcessCommandLine) startswith "ln", "ln", tolower(ProcessCommandLine) contains "unlink", "unlink", tolower(ProcessCommandLine) contains " rm" or tolower(ProcessCommandLine) startswith "rm", "rm", tolower(ProcessCommandLine) contains " cat" or tolower(ProcessCommandLine) startswith "cat", "cat", tolower(ProcessCommandLine) contains " tee" or tolower(ProcessCommandLine) startswith "tee", "tee", tolower(ProcessCommandLine) contains " dd" or tolower(ProcessCommandLine) startswith "dd", "dd", tolower(ProcessCommandLine) contains "shred", "shred", tolower(ProcessCommandLine) contains "truncate", "truncate", tolower(ProcessCommandLine) contains "history -c", "history -c", "other") | where matched_devnull or suspect_utility != "other" | summarize event_count = count(), first_time = min(TimeGenerated), last_time = max(TimeGenerated), sample_commands = make_set(tostring(ProcessCommandLine), 10), sample_initiators = make_set(tostring(InitiatingProcessFileName), 10), sample_additional = make_set(tostring(AdditionalFields), 5), actions = make_set(tostring(ActionType), 5) by DeviceName, DeviceId, AccountName, AccountDomain, FileName, suspect_utility | order by last_time desc // When you run this query, expand the sample_commands and sample_initiators to inspect the exact command lines and parent processes. Look specifically for commands such as: ln -s /dev/null ~/.bash_history, ln -f /dev/null ~/.bash_history, unlink ~/.bash_history, rm ~/.bash_history, or cat /dev/null > ~/.bash_history. If you find a matching entry, the suspect_utility column will indicate which utility was likely used.

union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) // normalize to lower for simpler matching | extend cmd = tolower(ProcessCommandLine) // look for explicit PowerShell history clearing commands or file removals/overwrites of the PSReadLine/ConsoleHost history file | where ( cmd contains "clear-history" or cmd contains "set-psreadlineoption" or cmd contains "psreadline" or cmd contains "consolehost_history" or cmd contains "consolehost_history.txt" or cmd contains "historysavestyle" or cmd contains "maximumhistorycount" or cmd contains "clear-host" or (cmd contains "remove-item" and (cmd contains "psreadline" or cmd contains "consolehost_history" or cmd contains "consolehost_history.txt")) or cmd matches regex "\\b(del|erase|remove-file|rm|remove)\\b.*(consolehost_history|consolehost_history.txt|psreadline)" or cmd matches regex "set-psreadlineoption\\s+.*(historysavestyle|maximumhistorycount)" ) | extend MatchedPattern = case( cmd matches regex "clear-history", "Clear-History", cmd matches regex "set-psreadlineoption", "Set-PSReadLineOption", cmd matches regex "psreadline|consolehost_history", "PSReadLine/ConsoleHost_history", cmd matches regex "remove-item", "Remove-Item", cmd matches regex "\\b(del|erase|rm|remove-file|remove)\\b", "Delete/Truncate File", "Other" ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, ProcessCommandLine, MatchedPattern, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | take 500