gpt-5-mini-low

let ps_regex = @"(?i)(?:-encodedcommand|-e)\s+([A-Za-z0-9+/=]+)"; // looks for -EncodedCommand or -e with base64 let dotnet_regex = @"(?i)(?:Convert::FromBase64String|Convert\.FromBase64String|FromBase64String|System\.Text\.Encoding|Text\.Encoding)"; DeviceProcessEvents | where Timestamp between (startofday(ago(7d)) .. now()) | where FileName has_any ('powershell.exe','pwsh.exe','powershell_ise.exe') or ProcessCommandLine has_any('-encodedcommand','-e','FromBase64String','Convert.FromBase64String','FromBase64String') | extend Cmd = tostring(ProcessCommandLine), InitiatingCmd = tostring(InitiatingProcessCommandLine) | where Cmd has '-EncodedCommand' or Cmd has ' -e ' or Cmd has 'FromBase64String' or InitiatingCmd has '-EncodedCommand' or InitiatingCmd has '-e' or InitiatingCmd has 'FromBase64String' | extend EncodedMatch = extract(ps_regex, 1, Cmd), EncodedInInitiator = extract(ps_regex, 1, InitiatingCmd) | extend HasDotNetDecode = iff(Cmd matches regex dotnet_regex or InitiatingCmd matches regex dotnet_regex, 1, 0) | project Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine=Cmd, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine=InitiatingCmd, EncodedMatch, EncodedInInitiator, HasDotNetDecode | where isnotempty(EncodedMatch) or isnotempty(EncodedInInitiator) or HasDotNetDecode==1 | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), count() by DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, FileName, ProcessId, ProcessCommandLine, AccountName | order by FirstSeen desc

// Search for invocations of Credential Manager utilities that list stored credentials // Common ways: cmdkey.exe /list, rundll32.exe keymgr.dll, or rundll32.exe with arguments to show saved credentials let cmdnames = dynamic(["cmdkey.exe","rundll32.exe","keymgr.dll","control.exe","credwiz.exe"]); DeviceProcessEvents | where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe") // also include rundll32 with keymgr.dll in command line | where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials") | extend Cmd = strcat(FileName, " ", ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd | union ( DeviceEvents | where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe") | where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials") | extend Cmd = strcat(FileName, " ", ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd ) | order by TimeGenerated desc | distinct Cmd, DeviceName, DeviceId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine | top 50 by TimeGenerated

// Find dd processes that read from /proc/*/mem and capture destination file name let dd_procs = DeviceProcessEvents | where isnotempty(ProcessCommandLine) // Look for dd commands reading from /proc/<pid>/mem or /proc/*/mem and redirecting to a file | where ProcessCommandLine has 'dd' and (ProcessCommandLine has '/proc/' and ProcessCommandLine has 'mem') | extend dd_from = tostring(extract(@"(if=\s*[^\s]+|if=\S+)", 1, ProcessCommandLine)) | extend dd_to = tostring(extract(@"(of=\s*[^\s]+|of=\S+|>\s*\S+)", 1, ProcessCommandLine)) | extend dd_to = replace(@"^of=", "", dd_to) | extend dd_to = trim(" ", replace(@">", "", dd_to)) | extend dd_from = trim(" ", replace(@"if=", "", dd_from)) | extend proc_pid = tostring(extract(@"/proc/(\d+)/mem", 1, ProcessCommandLine)) | project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, dd_from, dd_to, proc_pid; // Also look in DeviceEvents and DeviceFileEvents for file creation/writes by processes named dd or with cmdline containing dd let file_writes = ( DeviceEvents | where isnotempty(InitiatingProcessFileName) or isnotempty(InitiatingProcessCommandLine) | where (InitiatingProcessFileName == 'dd' or InitiatingProcessCommandLine has ' dd ') or (FileName has '.' ) | where ActionType in ('FileCreated','FileWritten','FileModified','FileCreated') | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ) | union ( DeviceFileEvents | where isnotempty(InitiatingProcessFileName) or isnotempty(InitiatingProcessCommandLine) | where (InitiatingProcessFileName == 'dd' or InitiatingProcessCommandLine has ' dd ') or (FileName has '.' ) | where ActionType in ('FileCreated','FileWritten','FileModified') | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ); // Join dd processes to file writes by time and device and process id if available dd_procs | join kind=leftouter (file_writes) on DeviceName | where isempty(proc_pid) or proc_pid == tostring(InitiatingProcessId) or ProcessCommandLine has tostring(InitiatingProcessId) | project TimeGenerated=coalesce(TimeGenerated, TimeGenerated1), DeviceName, ProcessId, ProcessCommandLine, dd_from, dd_to, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine | summarize any(dd_to), any(FileName), any(FolderPath), any(InitiatingProcessCommandLine) by DeviceName, ProcessId, ProcessCommandLine, dd_from | extend DumpedFile = coalesce(any_dd_to, any_FileName, any_FolderPath) | project DeviceName, ProcessId, ProcessCommandLine, dd_from, DumpedFile | where isnotempty(DumpedFile) | distinct DeviceName, ProcessId, ProcessCommandLine, dd_from, DumpedFile | take 100

let targetPorts = dynamic([445]); let psNames = dynamic(['powershell.exe','pwsh.exe']); DeviceNetworkEvents | where RemotePort in (targetPorts) and Protocol =~ 'TCP' | where InitiatingProcessFileName in (psNames) or InitiatingProcessFileName has 'powershell' or InitiatingProcessFileName has 'pwsh' | project NetTime = TimeGenerated, DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, RemoteIP, RemotePort, Protocol | join kind=leftouter ( DeviceProcessEvents | where FileName in (psNames) or FileName has 'powershell' or ProcessCommandLine has 'powershell' | project ProcTime = TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, AccountName = InitiatingProcessAccountName, FileName ) on DeviceName, $left.InitiatingProcessId == $right.ProcessId | extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | project Time = NetTime, DeviceName, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName, CmdLine, InitiatingProcessAccountName | where CmdLine has_any ('Test-NetConnection','Test-Connection','New-SmbMapping','Test-SmbPath','New-Object System.Net.Sockets.TcpClient','Test-Path') | distinct Time, DeviceName, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName, CmdLine, InitiatingProcessAccountName | order by Time desc

// Search DeviceProcessEvents and DeviceEvents for python3 starting an http server on port 9090 under /tmp let lookback = 30d; let pythonPatterns = dynamic(["python3","python","/usr/bin/python3","/usr/bin/python"]); let httpModuleRegex = @"(?i)\b-m\s+http\.server\b|\bSimpleHTTPServer\b|\bhttp\.server\b|python\s+-m\s+http"; // Helper to normalize fields from both tables let procs = ( DeviceProcessEvents | where TimeGenerated >= ago(lookback) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend Cmd = coalesce(ProcessCommandLine, strcat(FileName, " ", tostring(ProcessId))) | extend SourceTable = "DeviceProcessEvents", ProcTime = ProcessCreationTime | project TimeGenerated, ProcTime, DeviceName, DeviceId, ProcessId, FileName, Cmd, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, SourceTable ); let events = ( DeviceEvents | where TimeGenerated >= ago(lookback) | where ActionType == "ProcessCreated" or ActionType == "CreateProcess" | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend Cmd = coalesce(ProcessCommandLine, strcat(FileName, " ", tostring(ProcessId))) | extend SourceTable = "DeviceEvents", ProcTime = ProcessCreationTime | project TimeGenerated, ProcTime, DeviceName, DeviceId, ProcessId, FileName, Cmd, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, SourceTable ); procs | union events | where tolower(Cmd) contains "python" // ensure python invocations | where (Cmd matches regex httpModuleRegex) or Cmd contains "9090" or Cmd contains ":9090" or Cmd contains "port 9090" or Cmd contains "--bind" and Cmd contains "9090" | where Cmd contains "/tmp" or Cmd contains "tmp/" or InitiatingProcessCommandLine contains "/tmp" or InitiatingProcessCommandLine contains "tmp/" | extend MatchedHttp = extract(@"(-m\s+http\.server\b.*?|http\.server.*?|SimpleHTTPServer.*?|\b\d{2,5}\b)", 1, Cmd) | extend FullCommand = trim('"', Cmd) | project ProcTime = coalesce(ProcTime, TimeGenerated), TimeGenerated, DeviceName, DeviceId, ProcessId, FileName, FullCommand, MatchedHttp, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, SourceTable | order by ProcTime desc | take 50

let lookback = 1h; // adjust if needed; time range should normally be set by the caller // Collect relevant file events DeviceFileEvents | where isnotempty(FileSize) and isnotempty(FileName) | extend FileKey = strcat(DeviceId, "|", FolderPath, "|", FileName) | sort by FileKey asc, TimeGenerated asc | serialize | extend PrevFileKey = prev(FileKey), PrevTimeGenerated = prev(TimeGenerated), PrevFileSize = prev(FileSize), PrevInitiatingProcessFileName = prev(InitiatingProcessFileName), PrevInitiatingProcessCommandLine = prev(InitiatingProcessCommandLine), PrevInitiatingProcessId = prev(InitiatingProcessId), PrevInitiatingProcessAccountName = prev(InitiatingProcessAccountName) // Only consider consecutive records for the same file | where FileKey == PrevFileKey // Size increased by exactly one byte | where FileSize == PrevFileSize + 1 // Optional: only consider quick modifications (within lookback) | where TimeGenerated - PrevTimeGenerated <= lookback | extend TimeDelta = TimeGenerated - PrevTimeGenerated | extend InitiatingProc = coalesce(InitiatingProcessFileName, InitiatingProcessCommandLine), PrevInitiatingProc = coalesce(PrevInitiatingProcessFileName, PrevInitiatingProcessCommandLine) // Attempt to identify the utility used for padding by checking common tool names in current or previous initiating process fields | extend LikelyUtility = case( tolower(InitiatingProc) contains "truncate", InitiatingProc, tolower(InitiatingProc) contains "dd", InitiatingProc, tolower(InitiatingProc) contains "echo", InitiatingProc, tolower(InitiatingProc) contains "printf", InitiatingProc, tolower(InitiatingProc) contains "fallocate", InitiatingProc, tolower(InitiatingProc) contains "sed", InitiatingProc, tolower(InitiatingProc) contains "awk", InitiatingProc, tolower(InitiatingProc) contains "python", InitiatingProc, tolower(InitiatingProc) contains "perl", InitiatingProc, tolower(PrevInitiatingProc) contains "truncate", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "dd", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "echo", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "printf", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "fallocate", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "sed", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "awk", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "python", PrevInitiatingProc, tolower(PrevInitiatingProc) contains "perl", PrevInitiatingProc, "Unknown") | project TimeGenerated, DeviceName, DeviceId, FolderPath, FileName, PrevFileSize, FileSize, TimeDelta, InitiatingProcessId = InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, PrevInitiatingProcessId, PrevInitiatingProcessFileName, PrevInitiatingProcessCommandLine, PrevInitiatingProcessAccountName, LikelyUtility | order by TimeGenerated desc | take 200

// Look for processes originating from AppData (not System32) that appear to be PowerShell or copies of it DeviceProcessEvents | where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "system32") // Indicators of PowerShell or a PowerShell binary renamed/maliciously placed in AppData | where ( tolower(ProcessVersionInfoOriginalFileName) has "powershell" or tolower(ProcessVersionInfoInternalFileName) has "powershell" or tolower(FileName) has_any ("powershell","pwsh") or tolower(ProcessCommandLine) has_any ("powershell","pwsh","-enc","-encodedcommand","-nop","-noninteractive","-w hidden","-windowstyle hidden") ) | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, SHA256, MD5 | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyCommandLines = make_set(ProcessCommandLine, 5), AnyInitiators = make_set(InitiatingProcessFileName, 5) by DeviceName, FileName, FolderPath, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, SHA256, MD5 | order by LastSeen desc | take 50

let srcRegex = @"(?i)\\\\[^\\]+\\C\$\\"; let destRegex = @"(?i)(%temp%|\$env:TEMP|\\Temp\\|\\Users\\[^\\]+\\AppData\\Local\\Temp\\)"; union DeviceProcessEvents, DeviceEvents | extend Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(Cmd) | where (FileName has "powershell" or Cmd has "powershell" or Cmd has "pwsh") | where Cmd matches regex srcRegex and Cmd matches regex destRegex | project TimeGenerated = coalesce(Timestamp, TimeGenerated), DeviceName, Account = coalesce(InitiatingProcessAccountName, AccountName), ProcessFileName = FileName, ProcessId, CommandLine = Cmd | order by TimeGenerated desc

// Find PowerShell commands that reference lsass or procdump and extract invoked .ps1 script names let ps_cmds = DeviceProcessEvents | where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" // look for signs of lsass memory dumping or a script invocation | where ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "procdump" or ProcessCommandLine has_cs ".ps1" | extend ScriptName = extract(@"(?i)([^\\\/\s]+\.ps1)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, ScriptName; // Find PowerShell-launched .ps1 files (file events) let ps_files = DeviceFileEvents | where FileName endswith_cs ".ps1" and (InitiatingProcessFileName has_cs "powershell" or InitiatingProcessCommandLine has_cs "powershell") | extend ScriptName = FileName | project FileTimeGenerated = TimeGenerated, DeviceName, ScriptName, FolderPath, FileOriginUrl, InitiatingProcessCommandLine; // Correlate and show results ps_cmds | join kind=leftouter (ps_files) on DeviceName, ScriptName | project TimeGenerated, FileTimeGenerated, DeviceName, AccountName, ScriptName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, FileOriginUrl | order by TimeGenerated desc | where isnotempty(ScriptName) | take 50

// Investigate fake cron-like processes on Linux and find the actual filename used by the fake cron binary let lookback = 14d; let legit_paths = dynamic(["/usr/sbin/cron","/usr/bin/cron","/sbin/cron","/bin/cron"]); // Candidate process events that mention cron in file name or command line let SuspiciousProcs = DeviceProcessEvents | where TimeGenerated >= ago(lookback) // Best-effort Linux filter: unix-like FolderPath or DeviceName containing linux | where isnotempty(FolderPath) and FolderPath contains "/" or tolower(DeviceName) has "linux" | where tolower(FileName) has "cron" or tolower(ProcessCommandLine) has "cron" or tolower(ProcessCommandLine) has "crond" | extend observed_name = FileName, observed_cmd = ProcessCommandLine, observed_path = iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, "/", FileName), tostring(FileName)) // exclude processes running from known legit cron paths | where not( tolower(observed_path) startswith tolower(legit_paths[0]) or tolower(observed_path) startswith tolower(legit_paths[1]) or tolower(observed_path) startswith tolower(legit_paths[2]) or tolower(observed_path) startswith tolower(legit_paths[3]) ) | project ProcTime=TimeGenerated, DeviceName, ProcessId, observed_name, observed_cmd, observed_path, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, MD5; // File events that could indicate creation/deployment of the fake cron binary let FileCreates = DeviceFileEvents | where TimeGenerated >= ago(lookback) | where ActionType has_any ("Create","Created","Copy","Copied","Move","Moved","Write","Written") | where tolower(FileName) has "cron" or tolower(FolderPath) has "cron" or tolower(PreviousFileName) has "cron" or tolower(PreviousFolderPath) has "cron" | project FileTime=TimeGenerated, FileDeviceName=DeviceName, FileName, FolderPath, PreviousFileName, PreviousFolderPath, MD5, SHA256, FileOriginUrl, FileOriginIP, ActionType; // Join processes to file create events on device and within a time window (1 hour before/after process start) SuspiciousProcs | join kind=leftouter ( FileCreates ) on $left.DeviceName == $right.FileDeviceName | where FileTime between (ProcTime - 1h .. ProcTime + 1h) or isnull(FileTime) | extend creation_time = coalesce(FileTime, ProcTime) | project creation_time, DeviceName, ProcessId, observed_name, observed_path, observed_cmd, FileName, FolderPath, PreviousFileName, PreviousFolderPath, ActionType, MD5 = coalesce(MD5, SHA256), SHA256, FileOriginUrl, FileOriginIP | distinct DeviceName, ProcessId, observed_name, observed_path, observed_cmd, FileName, FolderPath, PreviousFileName, PreviousFolderPath, ActionType, MD5, SHA256, FileOriginUrl, FileOriginIP, creation_time | sort by creation_time desc | take 500

// Find cmd.exe-based ping sweeps using looping constructs let loopPingRegex = @"(?i)\bfor\b.*\bping\b|\bping\b.*\bfor\b"; // Primary: process creation events (best fidelity) let proc = DeviceProcessEvents | where FileName has_cs "cmd.exe" or ProcessCommandLine has_cs "cmd.exe" | where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex loopPingRegex | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, CommandLine = ProcessCommandLine; // Supplementary: other device events that may contain process command lines let dev = DeviceEvents | where (FileName has_cs "cmd.exe") or (ProcessCommandLine has_cs "cmd.exe") or (InitiatingProcessFileName has_cs "cmd.exe") | extend ProcessId = coalesce(ProcessId, InitiatingProcessId), CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(CommandLine) and CommandLine matches regex loopPingRegex | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, CommandLine; union isfuzzy=true proc, dev | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices=make_set(DeviceName), Users=make_set(AccountName), Count=count(), PIDs=make_set(ProcessId) by CommandLine | order by FirstSeen desc | project FirstSeen, LastSeen, Count, Devices, Users, PIDs, CommandLine | take 100 // NOTE: TimeGenerated/time range is applied by the caller/environment. If needed, add an explicit where TimeGenerated between(...) filter.

let powershellNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let networkIndicators = dynamic(["Get-NetTCPConnection","Get-NetUDPEndpoint","Get-NetTCPStatistics","Get-NetIPStatistics","Get-NetIPAddress","Get-NetConnectionProfile","Get-NetTCPInfo","netstat","Get-NetTCP*","Get-Net*Connection","Get-Net*TCP","Get-Net*UDP"]); // Helper: search DeviceProcessEvents (and DeviceEvents) for PowerShell and likely network enumeration commands union isfuzzy=true ( DeviceProcessEvents | where FileName in (powershellNames) or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" | extend CommandLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", Time = TimeGenerated ), ( DeviceEvents | where FileName in (powershellNames) or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), EventSource = "DeviceEvents", Time = TimeGenerated ) | where isnotempty(CommandLine) // Focus on command lines that contain likely network enumeration indicators | where CommandLine matches regex @"(?i)\b(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStatistics|Get-NetIPStatistics|Get-NetIPAddress|Get-NetConnectionProfile|Get-NetTCPInfo|netstat)\b" | extend Matched = extract(@"(?i)\b(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStatistics|Get-NetIPStatistics|Get-NetIPAddress|Get-NetConnectionProfile|Get-NetTCPInfo|netstat)\b", 1, CommandLine) // Normalize common variations | extend Matched = case(tolower(Matched)=="netstat","netstat", tostring(Matched)) | extend Matched = iif(isempty(Matched), "unknown", Matched) | project Time, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain, CommandLine, Matched, EventSource | summarize Count = count(), SampleCommandLine = any(CommandLine), ExampleTime = min(Time) by Matched, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain | order by Count desc | take 100

// Query to find when built-in utilities were used to list ARP cache (arp.exe, netsh show neighbors, Get-NetNeighbor) // Timerange should be set by the caller; uncomment/adjust the where Timestamp >= ago(...) line if needed. let arp_regex = @"(?i)\barp(\.(exe))?\b(\s+(-a|-g|/a|/g)\b)?"; let netsh_neighbors_regex = @"(?i)\bnetsh\b.*\b(interface|ip|ipv4)\b.*\b(show)\b.*\b(neighb|neighbors|arp)\b"; let get_netneighbor_regex = @"(?i)\bGet-NetNeighbor\b|\bGet\-NetNeighbor\b|\bGetNeighbors\b"; // Preferred: DeviceProcessEvents DeviceProcessEvents // | where Timestamp >= ago(30d) // set timerange externally | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend cmd = tostring(ProcessCommandLine), exe = tolower(tostring(FileName)) | where cmd matches regex arp_regex or cmd matches regex netsh_neighbors_regex or cmd matches regex get_netneighbor_regex or exe contains "arp" | extend MatchedCommand = iff(cmd matches regex arp_regex, extract(arp_regex, 0, cmd), iff(cmd matches regex netsh_neighbors_regex, extract(netsh_neighbors_regex, 0, cmd), iff(cmd matches regex get_netneighbor_regex, extract(get_netneighbor_regex, 0, cmd), exe))) | summarize arg_max(Timestamp, *) by ProcessId | project Timestamp, DeviceName, AccountName, AccountDomain = AccountDomain, ProcessId, FileName, ProcessCommandLine = cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedCommand | union ( DeviceEvents // | where Timestamp >= ago(30d) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend cmd = tostring(ProcessCommandLine), exe = tolower(tostring(FileName)) | where cmd matches regex arp_regex or cmd matches regex netsh_neighbors_regex or cmd matches regex get_netneighbor_regex or exe contains "arp" | extend MatchedCommand = iff(cmd matches regex arp_regex, extract(arp_regex, 0, cmd), iff(cmd matches regex netsh_neighbors_regex, extract(netsh_neighbors_regex, 0, cmd), iff(cmd matches regex get_netneighbor_regex, extract(get_netneighbor_regex, 0, cmd), exe))) | summarize arg_max(Timestamp, *) by ReportId, ProcessId | project Timestamp, DeviceName, AccountName, AccountDomain = AccountDomain, ProcessId, FileName, ProcessCommandLine = cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedCommand ) | order by Timestamp desc | where isnotempty(MatchedCommand)

// Find netsh wlan show profile(s) commands and explicit key=clear usage across DeviceProcessEvents and DeviceEvents let netsh_pattern = @"\bnetsh\s+wlan\s+show\s+(profile|profiles)\b"; let keyclear_pattern = @"key\s*[:=]\s*clear|keyclear|key=clear"; // Primary: DeviceProcessEvents let dpe = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine matches regex netsh_pattern or ProcessCommandLine matches regex keyclear_pattern | extend SourceTable = "DeviceProcessEvents", CommandLine = ProcessCommandLine | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, ProcessIntegrityLevel, CommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable; // Fallback: DeviceEvents (check both process and initiating process commandlines) let de = DeviceEvents | where (isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)) | extend CandidateCommand = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where CandidateCommand matches regex netsh_pattern or CandidateCommand matches regex keyclear_pattern | extend SourceTable = "DeviceEvents", CommandLine = CandidateCommand | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, ProcessTokenElevation, CommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable; // Union results, extract SSIDs and annotate matches (dpe) | union (de) | extend MatchedNetsh = CommandLine matches regex netsh_pattern, MatchedKeyClear = CommandLine matches regex keyclear_pattern | where MatchedNetsh or MatchedKeyClear | extend SSIDs = extract_all('profile\\s+name\\s*=\\s*\"([^\"]+)\"', CommandLine) | extend SSIDs = iif(array_length(SSIDs) > 0, strcat_array(SSIDs, ", "), "") | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, CommandLine, SSIDs, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable | sort by TimeGenerated desc | take 200

// Find base64 decoding commands on Linux that write output to a file, then find executions of the decoded script let decode_patterns = dynamic(["base64 -d","base64 --decode","openssl base64 -d","openssl enc -base64 -d","python -m base64","python -c 'import base64'","perl -MMIME::Base64","ruby -e 'require \"base64\"'","/usr/bin/base64","/bin/base64"]); // Identify Linux devices let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName; // Decoder commands: attempts to extract output filename let decoders = DeviceProcessEvents | where DeviceId in (linuxDevices | distinct DeviceId) | where ProcessCommandLine has_any (decode_patterns) | extend OutFileRedirect = extract(@"(?:>>|>)\s*([^;&|>\s]+)", 1, ProcessCommandLine) | extend OutFileDashO = extract(@"-o\s+([^\s]+)", 1, ProcessCommandLine) | extend OutFileDashDash = extract(@"--output=([^\s]+)", 1, ProcessCommandLine) | extend OutFileOut = extract(@"-out\s+([^\s]+)", 1, ProcessCommandLine) | extend OutFile = coalesce(OutFileRedirect, OutFileDashO, OutFileDashDash, OutFileOut) | extend SrcB64 = extract(@"([^\s]+\.(?:b64|base64|b64txt|bin))", 1, ProcessCommandLine) | extend DecodedFile = OutFile | project DecodeTime = TimeGenerated, DeviceId, DeviceName, DecodingProcessFile = InitiatingProcessFileName, DecodingProcessCommandLine = ProcessCommandLine, DecodedFile, SrcB64, DecodingProcessId = ProcessId; // Possible executions let executions = DeviceProcessEvents | where DeviceId in (linuxDevices | distinct DeviceId) | project ExecTime = TimeGenerated, DeviceId, DeviceName, ExecFileName = FileName, ExecProcessCommandLine = ProcessCommandLine, ExecProcessId = ProcessId; // Join decoders to executions within 1 hour and attempt to match by filename or basename decoders | where isnotempty(DecodedFile) or isnotempty(SrcB64) | join kind=leftouter ( executions ) on DeviceId | where ExecTime between (DecodeTime .. DecodeTime + 1h) | extend DecodedBase = iif(isnotempty(DecodedFile), tostring(split(DecodedFile, "/")[-1]), "") | extend SrcBaseNoExt = iif(isnotempty(SrcB64), replace_regex(SrcB64, "\\.(?:b64|base64|b64txt|bin)$", ""), "") | where ( (isnotempty(DecodedFile) and (ExecProcessCommandLine contains DecodedFile or ExecProcessCommandLine contains DecodedBase or ExecFileName contains DecodedBase)) or (isnotempty(SrcB64) and (ExecProcessCommandLine contains SrcBaseNoExt or ExecFileName contains SrcBaseNoExt)) ) | project DecodeTime, DeviceName, DecodingProcessFile, DecodingProcessCommandLine, DecodedFile, DecodedBase, SrcB64, ExecTime, ExecFileName, ExecProcessCommandLine | order by DecodeTime desc | take 50

let TimeWindow = 5m; let ScriptIndicators = dynamic([".ps1",".bat",".cmd",".vbs",".js","powershell.exe","C:\\Users\\"]); // Registry writes that set ImagePath under Services let svcReg = DeviceRegistryEvents | where RegistryKey has_cs "\\Services\\" and RegistryValueName == "ImagePath" | where ( RegistryValueData has_any (".ps1", ".bat", ".cmd", ".vbs", ".js") or tolower(RegistryValueData) contains "powershell.exe" or RegistryValueData contains "C:\\Users\\" ) | project DeviceId, DeviceName, ServiceKey = RegistryKey, ImagePath = RegistryValueData, RegTime = TimeGenerated, RegInitiatingProcessFileName = InitiatingProcessFileName, RegInitiatingProcessCommandLine = InitiatingProcessCommandLine; // Candidate processes that can create or modify services let svcCreators = DeviceProcessEvents | where ( (ProcessCommandLine has_cs "sc.exe" and ProcessCommandLine has_cs "create") or (ProcessCommandLine has_cs "sc create") or (ProcessCommandLine has_cs "reg.exe" and ProcessCommandLine has_cs "add") or (ProcessCommandLine has_cs "reg add") or (ProcessCommandLine has_cs "New-Service") or (ProcessCommandLine has_cs "InstallUtil") or (ProcessCommandLine has_cs "nssm.exe") or (ProcessCommandLine has_cs "sdset") or (ProcessCommandLine has_cs "sc config") ) | extend ProcFile = tostring(FileName), ProcCommandLine = tostring(ProcessCommandLine), ProcTime = TimeGenerated | project DeviceId, DeviceName, ProcFile, ProcCommandLine, ProcTime, ProcessId; // Correlate by device and time svcReg | join kind=leftouter (svcCreators) on DeviceId | where abs(RegTime - ProcTime) <= TimeWindow | summarize Count = count(), AnyImagePath = any(ImagePath), AnyServiceKey = any(ServiceKey), AnyRegInitiatingProcessFileName = any(RegInitiatingProcessFileName), AnyRegInitiatingProcessCommandLine = any(RegInitiatingProcessCommandLine), ProcFiles = make_set(ProcFile), ProcCmds = make_set(ProcCommandLine) by DeviceId, DeviceName | extend InvokedUtilities = strcat_array(ProcFiles, ", ") | project DeviceId, DeviceName, Count, AnyServiceKey, AnyImagePath, AnyRegInitiatingProcessFileName, AnyRegInitiatingProcessCommandLine, InvokedUtilities, ProcCmds | order by Count desc | take 50 // also show direct registry initiators for entries with no matching process | union ( svcReg | where isnull(RegInitiatingProcessFileName) == false | summarize DirectRegWrites = count(), ExampleImagePath = any(ImagePath) by RegInitiatingProcessFileName, RegInitiatingProcessCommandLine | order by DirectRegWrites desc | project DeviceId = "-", DeviceName = "-", Count = DirectRegWrites, AnyServiceKey = "-", AnyImagePath = ExampleImagePath, AnyRegInitiatingProcessFileName = RegInitiatingProcessFileName, AnyRegInitiatingProcessCommandLine = RegInitiatingProcessCommandLine, InvokedUtilities = RegInitiatingProcessFileName, ProcCmds = pack_array(RegInitiatingProcessCommandLine) )

let foodRegex = @"(?i)\b(cheese|ham|bacon|cookie|apple|pear|peach|grape|berry|muffin|bread|toast|steak|beef|chicken|egg|milk|donut|sugar)\b"; let proc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) or isnotempty(ProcessVersionInfoFileDescription) or isnotempty(ProcessVersionInfoProductName) | where ProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or ProcessVersionInfoFileDescription matches regex foodRegex or ProcessVersionInfoProductName matches regex foodRegex | project TimeGenerated, Table = "DeviceProcessEvents", DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessVersionInfoProductName, ProcessVersionInfoFileDescription; let dev = DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) or isnotempty(AdditionalFields) | where ProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or tostring(AdditionalFields) matches regex foodRegex | project TimeGenerated, Table = "DeviceEvents", DeviceName, AccountName, ProcessId = InitiatingProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, Extra = tostring(AdditionalFields); let df = DeviceFileEvents | where isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) or isnotempty(PreviousFileName) or isnotempty(InitiatingProcessFileName) | where InitiatingProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or PreviousFileName matches regex foodRegex or InitiatingProcessFileName matches regex foodRegex | project TimeGenerated, Table = "DeviceFileEvents", DeviceName, AccountName = InitiatingProcessAccountName, ProcessId = InitiatingProcessId, FileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine; let img = DeviceImageLoadEvents | where isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) or isnotempty(InitiatingProcessFileName) | where InitiatingProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or InitiatingProcessFileName matches regex foodRegex | project TimeGenerated, Table = "DeviceImageLoadEvents", DeviceName, AccountName = InitiatingProcessAccountName, ProcessId = InitiatingProcessId, FileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine; union proc, dev, df, img | sort by TimeGenerated desc | distinct TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, Table | take 200

let network_tools = dynamic(["netstat","get-nettcpconnection","get-netudpendpoint","ipconfig","arp","route","nbtstat","ss"]); // Process creation observations let DPE = DeviceProcessEvents | where (tolower(InitiatingProcessFileName) has "cmd.exe" or tolower(InitiatingProcessFileName) has "powershell.exe" or tolower(InitiatingProcessFileName) has "pwsh.exe") | where (tolower(FileName) has_any (network_tools) or tolower(ProcessCommandLine) has_any (network_tools)) | extend Source = "DeviceProcessEvents", ObservedTime = TimeGenerated, ToolFileName = FileName, ToolCommandLine = ProcessCommandLine, ParentFileName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, ToolPID = ProcessId, Account = AccountName; // Generic device events that may include command lines let DE = DeviceEvents | where (tolower(InitiatingProcessFileName) has "cmd.exe" or tolower(InitiatingProcessFileName) has "powershell.exe" or tolower(InitiatingProcessFileName) has "pwsh.exe") | where isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has_any (network_tools) | extend Source = "DeviceEvents", ObservedTime = TimeGenerated, ToolFileName = FileName, ToolCommandLine = ProcessCommandLine, ParentFileName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, ToolPID = coalesce(ProcessId, InitiatingProcessId), Account = AccountName; union DPE, DE | extend DetectedTool = case( tolower(ToolFileName) has "netstat" or tolower(ToolCommandLine) has "netstat", "netstat", tolower(ToolFileName) has "ipconfig" or tolower(ToolCommandLine) has "ipconfig", "ipconfig", tolower(ToolCommandLine) has "get-nettcpconnection" or tolower(ToolCommandLine) has "get-netudpendpoint", "Get-NetTCPConnection/UDPEndpoint", tolower(ToolCommandLine) has "arp", "arp", tolower(ToolCommandLine) has "route", "route", tolower(ToolCommandLine) has "nbtstat", "nbtstat", tolower(ToolCommandLine) has "ss", "ss", "other" ) | summarize Count = count(), FirstSeen = min(ObservedTime), LastSeen = max(ObservedTime) by DeviceName, Account, ParentFileName, ParentCommandLine, ToolFileName, ToolPID, DetectedTool, Source | project DeviceName, Account, InitiatingProcess = ParentFileName, InitiatingCommandLine = ParentCommandLine, ToolFileName, DetectedTool, ToolPID, Source, FirstSeen, LastSeen, Count | order by LastSeen desc

// Find PowerShell invocations that include process listing cmdlets let powershellBinaries = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe","powershell" ,"pwsh"]); let processCmdPatterns = dynamic(["Get-Process","Get-Process\\b","Get-CimInstance\\b","Get-CimInstance","Get-WmiObject\\b","Get-WmiObject","gwmi\\b","gwmi","Get-WmiObject -Class Win32_Process","Get-CimInstance -ClassName Win32_Process","tasklist","Get-Process | Sort-Object","Get-Process -" ]); union isfuzzy=true DeviceEvents, DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // filter for PowerShell executables as the initiating process or file name | where tolower(InitiatingProcessFileName) has_any ("powershell","pwsh") or tolower(FileName) has_any ("powershell","pwsh") or tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh" or tolower(InitiatingProcessCommandLine) contains "pwsh" // combine commandline fields | extend cmd = coalesce(InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields.CommandLine, tostring(AdditionalFields.CommandLine)) | where isnotempty(cmd) // search for known process-listing cmdlets/strings | where cmd matches regex @"(?i)\b(Get-Process|Get-CimInstance|Get-WmiObject|gwmi|tasklist)\b" or cmd contains "Win32_Process" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ProcessId, ProcessCommandLine, cmd, FileName, ActionType | extend MatchedCmdlet = extract(@"(?i)\b(Get-Process|Get-CimInstance|Get-WmiObject|gwmi|tasklist)\b", 1, cmd) | summarize Events = count(), AnyCommandLines = make_set(cmd, 50) by DeviceName, AccountName, MatchedCmdlet | order by Events desc | mv-expand AnyCommandLines | project DeviceName, AccountName, MatchedCmdlet, AnyCommandLines | top 100 by DeviceName

// Search for cmd.exe invoking commands that list processes let suspects = DeviceProcessEvents | where ProcessCommandLine has_cs "cmd.exe" or InitiatingProcessFileName has_cs "cmd.exe" | where ProcessCommandLine has_any ("tasklist","wmic process","wmic.exe","powershell -command","powershell.exe -command","powershell -c","Get-Process") | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, ProcessCreationTime; let deviceEventsMatches = DeviceEvents | where ProcessCommandLine has_cs "cmd.exe" or InitiatingProcessFileName has_cs "cmd.exe" | where ProcessCommandLine has_any ("tasklist","wmic process","wmic.exe","powershell -command","powershell.exe -command","powershell -c","Get-Process") | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName; union suspects, deviceEventsMatches | extend ExecutedTool = case( tolower(ProcessCommandLine) contains "tasklist", "tasklist", tolower(ProcessCommandLine) contains "wmic", "wmic", tolower(ProcessCommandLine) contains "get-process" or tolower(ProcessCommandLine) contains "powershell", "powershell", "other") | sort by TimeGenerated desc | distinct DeviceName, TimeGenerated, ProcessId, ExecutedTool, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName | take 100

union DeviceProcessEvents, DeviceEvents, DeviceFileEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where ( tolower(FileName) contains "schtasks" or tolower(ProcessCommandLine) contains "schtasks" or tolower(FileName) contains "at.exe" or tolower(ProcessCommandLine) contains "\bat " or tolower(ProcessCommandLine) contains "register-scheduledtask" or tolower(ProcessCommandLine) contains "new-scheduledtask" or tolower(ProcessCommandLine) contains "register-scheduledtask" or tolower(ProcessCommandLine) contains "/sc onlogon" or tolower(ProcessCommandLine) contains "/sc onstart" ) | project TimeGenerated, DeviceName, Account = coalesce(AccountName, InitiatingProcessAccountName), FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | extend matched = case( tolower(FileName) contains "schtasks" or tolower(ProcessCommandLine) contains "schtasks", "schtasks.exe", tolower(FileName) contains "at.exe" or tolower(ProcessCommandLine) contains " at ", "at.exe", tolower(ProcessCommandLine) contains "register-scheduledtask" or tolower(ProcessCommandLine) contains "new-scheduledtask", "PowerShell ScheduledTask cmdlets", "other" ) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by matched, DeviceName, Account, FileName, ProcessCommandLine | order by Count desc | take 100

let linuxDevices = DeviceInfo | where isnotempty(DeviceId) | where tolower(tostring(OSPlatform)) contains "linux" or tolower(tostring(OSDistribution)) contains "linux" or tolower(tostring(OSVersionInfo)) contains "linux" | distinct DeviceId; let procEvents = union ( DeviceProcessEvents | project TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain=AccountDomain, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ReportId ), ( DeviceEvents | project TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain=AccountDomain, FileName, ProcessId=ProcessId, ProcessCreationTime=ProcessCreationTime, ProcessCommandLine=ProcessCommandLine, InitiatingProcessFileName=InitiatingProcessFileName, InitiatingProcessId=InitiatingProcessId, InitiatingProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessAccountName=InitiatingProcessAccountName, InitiatingProcessAccountDomain=InitiatingProcessAccountDomain, ReportId ); procEvents | where DeviceId in (linuxDevices) | where isnotempty(ProcessCommandLine) | extend CommandLine = trim(" '\"`", tostring(ProcessCommandLine)) | extend lcmd = tolower(CommandLine) | where lcmd contains "systemctl" or lcmd contains "service --status-all" or lcmd contains "/etc/init.d" or lcmd contains "chkconfig" or lcmd contains "initctl" or lcmd contains "list-units" or lcmd contains "list-unit-files" or lcmd contains "--type=service" or (lcmd contains "ps aux" and lcmd contains "grep") or (lcmd contains "ps -ef" and lcmd contains "grep") or lcmd contains "rc-service" or lcmd contains "rc-status" or lcmd contains "svcadm" or lcmd contains "ss -ltnp" or lcmd contains "ss -tulpn" or lcmd contains "netstat -tuln" or lcmd contains "/sbin/service" | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Devices = make_set(DeviceName, 20), DeviceIds = make_set(DeviceId, 20), Accounts = make_set(AccountName, 20), AnyProcessId = any(ProcessId), AnyFile = any(FileName), AnyInitiatingProcess = any(InitiatingProcessFileName) by CommandLine | sort by LastSeen desc | limit 500

let targetPath = "/var/spool/cron/crontabs"; let actions = dynamic(["FileCreated","Created","FileCreatedByUser","CreatedFile","Write","Written","Modify","Modified","FileModified","Change","FileWritten","Created"]); let normalizeFullPath = (folderpath:string, filename:string){ // Prefer FileName when it contains full path, else combine iif(isnotempty(filename) and filename contains "/", filename, strcat(folderpath, "/", filename)) }; let srcFile = DeviceFileEvents | where isnotempty(FolderPath) or isnotempty(FileName) | where (FolderPath contains targetPath) or (FileName contains targetPath) or (isnotempty(FileName) and FileName startswith strcat(targetPath, "/")) | where ActionType in ("FileCreated","Created","FileCreatedByUser","CreatedFile","Write","Written","Modify","Modified","FileModified","Change","FileWritten","Created") | extend FullPath = normalizeFullPath(FolderPath, FileName) | extend Parts = split(FullPath, "/") | extend CrontabFile = tostring(Parts[array_length(Parts)-1]) | project TimeGenerated, DeviceName, ActionType, CrontabFile, FullPath, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, RequestAccountName, AdditionalFields; let srcDev = DeviceEvents | where isnotempty(FolderPath) or isnotempty(FileName) | where (FolderPath contains targetPath) or (FileName contains targetPath) or (isnotempty(FileName) and FileName startswith strcat(targetPath, "/")) | where ActionType in ("FileCreated","Created","CreatedFile","Write","Written","Modify","Modified","Change","FileWritten","Created") | extend FullPath = normalizeFullPath(FolderPath, FileName) | extend Parts = split(FullPath, "/") | extend CrontabFile = tostring(Parts[array_length(Parts)-1]) | project TimeGenerated, DeviceName, ActionType, CrontabFile, FullPath, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, AdditionalFields; (srcFile) | union (srcDev) | where isnotempty(CrontabFile) and CrontabFile != "" and FullPath contains targetPath | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), InitiatingProcesses=make_set(InitiatingProcessFileName), InitiatingCmds=make_set(InitiatingProcessCommandLine), Accounts=make_set(coalesce(InitiatingProcessAccountName, InitiatingProcessAccountDomain, RequestAccountName)) by CrontabFile, FullPath, ActionType | order by LastSeen desc | take 500

// Identify Linux devices let linuxDevices = DeviceInfo | where OSPlatform contains "Linux" or OSDistribution contains "Linux" or OSPlatform has "linux" | distinct DeviceId, DeviceName; // File events that touch typical files used to change shells let fileMods = DeviceFileEvents | where DeviceId in (linuxDevices | distinct DeviceId) | where TimeGenerated >= ago(30d) // time range can be overwritten by external timerange | where ActionType has_any ("FileModified", "FileCreated", "FileWrite", "FileSaved", "FileTruncated", "FileUpdated", "FileDeleted", "FileRenamed") | where (tolower(FileName) in ("passwd","shadow","shells") ) or (FolderPath contains "/etc/") | extend CandidateCommand = coalesce(InitiatingProcessCommandLine, "") | project TimeGenerated, DeviceId, DeviceName, SourceTable = "DeviceFileEvents", ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessId, CandidateCommand, InitiatingProcessAccountName; // Process events that likely change shells let processMods = DeviceProcessEvents | where DeviceId in (linuxDevices | distinct DeviceId) | where TimeGenerated >= ago(30d) | extend pc = coalesce(ProcessCommandLine, ""), ipcc = coalesce(InitiatingProcessCommandLine, "") | where pc has_any ("chsh", "usermod", "-s", "/etc/passwd", "/etc/shadow", "sed -i", "awk -F", "chpasswd", "printf ", ">> /etc/passwd", "> /etc/passwd") | extend CandidateCommand = iif(isnotempty(ipcc), ipcc, pc) | project TimeGenerated=ProcessCreationTime, DeviceId, DeviceName, SourceTable = "DeviceProcessEvents", ProcessId, CandidateCommand, ProcessCommandLine=pc, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessAccountName; // Generic events table fallback let genericEvents = DeviceEvents | where DeviceId in (linuxDevices | distinct DeviceId) | where TimeGenerated >= ago(30d) | extend ce = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "") | where ce has_any ("chsh", "usermod", "/etc/passwd", "/etc/shadow", "/etc/shells", "sed -i", "awk -F", "chpasswd", "printf ") | project TimeGenerated, DeviceId, DeviceName, SourceTable = "DeviceEvents", ActionType, CandidateCommand = ce, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessAccountName; // Union and prioritize explicit initiator command line (fileMods | union processMods | union genericEvents) | extend FullCommand = trim('\"''', CandidateCommand) | where isnotempty(FullCommand) | where FullCommand has_any ("chsh", "usermod", "/etc/passwd", "/etc/shadow", "/etc/shells", "sed -i", "awk -F", "chpasswd", "printf", ">> /etc/passwd", "> /etc/passwd") | summarize arg_max(TimeGenerated, *) by tostring(DeviceId), tostring(FullCommand) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessAccountName, FullCommand, SourceTable | order by TimeGenerated desc | take 50

DeviceProcessEvents | where FileName =~ "bash" or FileName =~ "sh" or FileName has_any ("getent", "groupmems", "members", "gpasswd", "cat") or ProcessCommandLine has "/etc/group" // capture shells and known utilities | extend SessionId = coalesce(CreatedProcessSessionId, InitiatingProcessSessionId, ProcessId, InitiatingProcessId) | summarize FirstProcess=min(ProcessCreationTime), any_DeviceName=any(DeviceName) by SessionId, InitiatingProcessAccountName, InitiatingProcessId | join kind=inner ( DeviceProcessEvents | extend SessionId = coalesce(CreatedProcessSessionId, InitiatingProcessSessionId, ProcessId, InitiatingProcessId) | where FileName has_any ("getent", "groupmems", "members", "gpasswd", "cat") or ProcessCommandLine has "/etc/group" or ProcessCommandLine has "getent" or ProcessCommandLine has "group" or ProcessCommandLine has "members" | project TimeGenerated, DeviceName, ProcessCreationTime, ProcessId, ProcessCommandLine, FileName, FolderPath, InitiatingProcessAccountName, SessionId ) on SessionId | where ProcessCreationTime >= FirstProcess and ProcessCreationTime <= FirstProcess + 1h | summarize arg_min(ProcessCreationTime, *) by SessionId | project SessionId, DeviceName, ProcessCreationTime, FileName, ProcessId, ProcessCommandLine, InitiatingProcessAccountName | order by ProcessCreationTime asc

// Detect WMI-based process enumeration via command-line indicators let wmi_regex = @"\b(wmic|wmic.exe|get-wmiobject|get-ciminstance|get-ciminstance|gwmi|invoke-wmimethod)\b"; union isfuzzy=true ( DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend sourceTable = "DeviceProcessEvents" ), ( DeviceEvents | where ActionType has "Process" or ActionType has "Create" or ActionType has "ProcessCreated" | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | extend sourceTable = "DeviceEvents" ) | extend cmd_l = tolower(cmd) | where cmd_l matches regex wmi_regex or cmd_l contains "win32_process" or cmd_l contains "select * from" or cmd_l contains "/node:" or cmd_l contains "/namespace:" or cmd_l contains "-class win32_process" or cmd_l contains "-query" or cmd_l contains "process list" | project TimeGenerated, ProcessCreationTime = coalesce(ProcessCreationTime, InitiatingProcessCreationTime, TimeGenerated), DeviceName, FileName, ProcessId, InitiatingProcessId, AccountName, InitiatingProcessAccountName, cmd, sourceTable, ReportId | sort by ProcessCreationTime desc | take 500

// Detect PowerShell-driven FTP exfiltration and identify the executable used for exfiltration let ftp_regex = "(?i)(ftp://|\\bftp\\b|ftps://|\\bSTOR\\b|\\bPORT\\b|Invoke-WebRequest|Invoke-RestMethod|WebClient|UploadFile\\(|System\\.Net\\.FtpWebRequest|ftp\\.exe|\\bcurl\\b|\\bwget\\b|\\bbitsadmin\\b|\\bcertutil\\b)"; // 1) PowerShell processes that reference FTP in their commandline let ps_direct = DeviceProcessEvents | where FileName has_cs "powershell" or ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" | where tostring(ProcessCommandLine) matches regex ftp_regex | project TimeGenerated, DeviceName, AccountName, ExfiltratingExecutable = tolower(FileName), ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId; // 2) Child processes spawned by PowerShell that look like FTP/upload tools let child_procs = DeviceProcessEvents | where isnotempty(InitiatingProcessFileName) and (tolower(InitiatingProcessFileName) has "powershell" or tolower(InitiatingProcessCommandLine) has "powershell" or tolower(InitiatingProcessCommandLine) has "pwsh") | where tolower(FileName) has_any ("ftp","curl","wget","bitsadmin","certutil","ftp.exe") or tostring(ProcessCommandLine) matches regex ftp_regex | project TimeGenerated, DeviceName, AccountName, ExfiltratingExecutable = tolower(FileName), ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId; // 3) Network events likely indicating FTP (port 21 or ftp:// URLs) let network_confirm = DeviceNetworkEvents | where RemotePort == 21 or tostring(RemoteUrl) has "ftp://" or tostring(RemoteUrl) has ":21" | project NetTime = TimeGenerated, NetDeviceName = DeviceName, NetInitiatingProcessId = InitiatingProcessId, NetInitiatingProcessFileName = InitiatingProcessFileName, RemoteIP = RemoteIP, RemotePort = RemotePort, RemoteUrl = RemoteUrl; // Combine detections and validate with network events. Since join with OR is not allowed, perform two joins and union results. (ps_direct | union child_procs) | as detections | join kind=leftouter (network_confirm) on $left.ProcessId == $right.NetInitiatingProcessId | project TimeGenerated, DeviceName, AccountName, ExfiltratingExecutable, ProcessId, ProcessCommandLine, InitiatingProcessFileName, NetInitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, NetTime | union ( (ps_direct | union child_procs) | join kind=leftouter (network_confirm) on $left.InitiatingProcessId == $right.NetInitiatingProcessId | project TimeGenerated, DeviceName, AccountName, ExfiltratingExecutable, ProcessId, ProcessCommandLine, InitiatingProcessFileName, NetInitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, NetTime ) | summarize Attempts = count(), ExampleCommands = make_set(ProcessCommandLine, 5), Initiators = make_set(InitiatingProcessFileName, 5), RemoteEndpoints = make_set(coalesce(tostring(RemoteUrl), strcat(RemoteIP, ":", tostring(RemotePort))), 10) by ExfiltratingExecutable | order by Attempts desc | take 50

// Look for processes and file events that reference /dev/null or known shell history files let procMatches = DeviceProcessEvents | where ProcessCommandLine has "/dev/null" or ProcessCommandLine has ".bash_history" or ProcessCommandLine has ".zsh_history" or ProcessCommandLine has ".history" or ProcessCommandLine contains " ln " or ProcessCommandLine startswith "ln " or ProcessCommandLine contains "unlink" or ProcessCommandLine contains "tee " or ProcessCommandLine contains "cat /dev/null" or ProcessCommandLine contains "cp /dev/null" or ProcessCommandLine contains "truncate" or ProcessCommandLine contains ">/dev/null" or ProcessCommandLine contains "> /dev/null" | project TimeGenerated, Type = "Process", DeviceName, AccountName, Executable = FileName, ProcessId, CommandLine = ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine; let fileMatches = DeviceFileEvents | where FileName has ".bash_history" or FileName has ".zsh_history" or FileName has ".history" or FolderPath has "/dev" or PreviousFileName has ".bash_history" or PreviousFolderPath has "/dev" or InitiatingProcessCommandLine has "/dev/null" | project TimeGenerated, Type = "File", DeviceName, AccountName = RequestAccountName, Executable = FileName, ProcessId = InitiatingProcessId, CommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine; union procMatches, fileMatches | extend Utility = iif(isnotempty(Executable), tostring(split(Executable, "/")[-1]), tostring(split(trim(@"\n\r\t " ,CommandLine), " ")[0])) // Aggregate and show most common utilities that touched history or referenced /dev/null | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), AnyExampleCommand = any(CommandLine), AnyInitiatingProcess = any(InitiatingProcessFileName) by Utility | order by Count desc, LastSeen desc | project Utility, Count, FirstSeen, LastSeen, AnyExampleCommand, AnyInitiatingProcess

// Search for enumeration of the shells file (/etc/shells) across process and file/device events // Process events: commands that reference /etc/shells or use common read utilities let proc_hits = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has "/etc/shells" or (ProcessCommandLine has "cat" and ProcessCommandLine has "shells") or (ProcessCommandLine has "grep" and ProcessCommandLine has "shells") or (ProcessCommandLine has "less" and ProcessCommandLine has "shells") or (ProcessCommandLine has "more" and ProcessCommandLine has "shells") or (ProcessCommandLine has "awk" and ProcessCommandLine has "shells") or (ProcessCommandLine has "sed" and ProcessCommandLine has "shells") or (ProcessCommandLine has "head" and ProcessCommandLine has "shells") or (ProcessCommandLine has "tail" and ProcessCommandLine has "shells") or (ProcessCommandLine has "strings" and ProcessCommandLine has "shells") or (ProcessCommandLine has "python" and ProcessCommandLine has "shells") or (ProcessCommandLine has "perl" and ProcessCommandLine has "shells") | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, ProcessId, ParentProcessId = InitiatingProcessParentId, ProcessCommandLine, ProcessFileName = InitiatingProcessFileName, SourceTable = "DeviceProcessEvents"; // File events: file reads or references to /etc/shells let file_hits = DeviceFileEvents | where (isnotempty(FileName) and FileName has "shells") or (isnotempty(FolderPath) and FolderPath has "/etc/shells") or (isnotempty(PreviousFileName) and PreviousFileName has "shells") or (isnotempty(AdditionalFields) and tostring(AdditionalFields) has "/etc/shells") | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, ProcessId = InitiatingProcessId, ParentProcessId = InitiatingProcessParentId, ProcessCommandLine = InitiatingProcessCommandLine, FileName, FolderPath, ActionType, SourceTable = "DeviceFileEvents"; // Generic device events (syslog-like) that may reference /etc/shells in AdditionalFields or file fields let evt_hits = DeviceEvents | where (isnotempty(FileName) and FileName has "shells") or (isnotempty(FolderPath) and FolderPath has "/etc/shells") or (isnotempty(AdditionalFields) and tostring(AdditionalFields) has "/etc/shells") | project TimeGenerated, DeviceName, Account = AccountName, ProcessId = InitiatingProcessId, ParentProcessId = InitiatingProcessParentId, ProcessCommandLine = InitiatingProcessCommandLine, FileName, FolderPath, ActionType, SourceTable = "DeviceEvents"; // Combine, normalize and summarize for investigation proc_hits | union file_hits | union evt_hits | extend ProcessCommandLine = coalesce(ProcessCommandLine, strcat(FileName, " ", FolderPath, " ", tostring(ActionType))) | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), ExampleDevices = make_set(DeviceName, 5), ExampleCommands = make_set(ProcessCommandLine, 10), ExampleFiles = make_set(FileName, 5) by Account = coalesce(Account, "<unknown>"), SourceTable, ProcessId, ParentProcessId | order by LastSeen desc | limit 500

DeviceProcessEvents | where FileName has_cs "taskmgr" or ProcessCommandLine has_cs "taskmgr" | where InitiatingProcessFileName has_cs "cmd" or InitiatingProcessCommandLine has_cs "cmd" | extend InitiatorCmdLine = tostring(InitiatingProcessCommandLine), TargetCmdLine = tostring(ProcessCommandLine) // flag detection: look for typical slash/dash flags in the taskmgr command line or common cmd execution switches | extend TargetHasFlag = iff(TargetCmdLine matches regex @"\s/[^ \t]+" or TargetCmdLine matches regex @"\s-[^\s]+", 1, 0) | where TargetHasFlag == 1 or InitiatorCmdLine contains "/c" or InitiatorCmdLine contains "/k" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessId, InitiatorCmdLine, FileName, ProcessId, TargetCmdLine, InitiatingProcessCreationTime, ProcessCreationTime | order by TimeGenerated desc | take 200

// Search for PowerShell/WMIC activity indicative of local group enumeration via WMI let searchPatterns = dynamic(["get-wmiobject","get-ciminstance","gwmi","win32_groupuser","win32_group","\\\\win32_group","groupuser","wmic","net localgroup","get-localgroup","get-localgroupmember","directoryservices","winnt","samaccount","invoke-wmimethod","__relpath"]); // DeviceProcessEvents (detailed process data) let dpe = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where tolower(FileName) has_any ("powershell","pwsh","wmic","cmd","cscript","wscript") | where tolower(ProcessCommandLine) has_any (searchPatterns) | extend MatchedPattern = extract("(?i)(Get-WmiObject|Get-CimInstance|gwmi|Win32_GroupUser|Win32_Group|wmic|net localgroup|Get-LocalGroup|Get-LocalGroupMember|Invoke-WmiMethod|__RELPATH)", 1, ProcessCommandLine) | project TimeGenerated, Time = TimeGenerated, DeviceName, FileName, ProcessId, AccountName, AccountDomain, ProcessCommandLine, MatchedPattern, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime; // DeviceEvents (some deployments surface process execs here) let de = DeviceEvents | where isnotempty(ProcessCommandLine) | where tolower(FileName) has_any ("powershell","pwsh","wmic","cmd","cscript","wscript") | where tolower(ProcessCommandLine) has_any (searchPatterns) | extend MatchedPattern = extract("(?i)(Get-WmiObject|Get-CimInstance|gwmi|Win32_GroupUser|Win32_Group|wmic|net localgroup|Get-LocalGroup|Get-LocalGroupMember|Invoke-WmiMethod|__RELPATH)", 1, ProcessCommandLine) | project TimeGenerated, Time = TimeGenerated, DeviceName, FileName, ProcessId, AccountName, AccountDomain, ProcessCommandLine, MatchedPattern, InitiatingProcessFileName, InitiatingProcessCommandLine; union dpe, de | sort by Time desc | take 500

DeviceProcessEvents | where tolower(FileName) in ("powershell.exe","pwsh.exe") | where tostring(ProcessCommandLine) has_any ("get-wmiobject","get-ciminstance","get-cimclass","gwmi","managementobjectsearcher","select","-class","-classname","-query") | extend cmdline = tostring(ProcessCommandLine) // Try multiple case-insensitive regex patterns to extract the WMI class name | extend WmiClass = coalesce( extract(@"(?i)-ClassName\s+([A-Za-z0-9_:\.\-]+)", 1, cmdline), extract(@"(?i)-Class\s+([A-Za-z0-9_:\.\-]+)", 1, cmdline), extract(@"(?i)gwmi\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline), extract(@"(?i)get-wmiobject\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline), extract(@"(?i)\bfrom\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline), extract(@"(?i)-Query\s+select\b.*?\bfrom\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline) ) | extend WmiClass = trim('\"\' ', tostring(WmiClass)) | where isnotempty(WmiClass) | summarize Count = count(), ExampleCommand = any(cmdline), Devices = make_set(DeviceName, 10) by WmiClass | order by Count desc | project WmiClass, Count, ExampleCommand, Devices

DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_cs "wscript" // Narrow to likely script extensions used by JScript / Windows Script Host | where ProcessCommandLine has_any (".js", ".jse", ".wsf") | extend Cmd = tostring(ProcessCommandLine) // Split into arguments, trim quotes and find tokens that look like script files | extend Args = split(Cmd, ' ') | mv-expand Arg = Args to typeof(string) | extend ArgTrim = trim('"', Arg) | where ArgTrim endswith_cs '.js' or ArgTrim endswith_cs '.jse' or ArgTrim endswith_cs '.wsf' // Aggregate per process to get a single representative script path and timestamps | summarize ScriptPath = any(ArgTrim), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count() by DeviceName, DeviceId, ProcessId, InitiatingProcessFileName, ProcessCommandLine | order by LastSeen desc | project FirstSeen, LastSeen, DeviceName, DeviceId, ProcessId, InitiatingProcessFileName, ScriptPath, ProcessCommandLine, Hits | take 100