o3-high

DeviceProcessEvents | where FileName =~ "cmdkey.exe" // built-in credential manager CLI | where ProcessCommandLine has_any("/list", "/l") // listing stored credentials | project TimeGenerated, DeviceName, AccountSid, AccountName, ProcessCommandLine | summarize Executions=count() by ProcessCommandLine | order by Executions desc

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | summarize by DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where FileName =~ "dd" | where ProcessCommandLine has "/proc/" and ProcessCommandLine has "/mem" // Pull out the destination file (first match wins) | extend DumpFilePath = coalesce( extract(@"of=([^\s]+)", 1, ProcessCommandLine), // dd if=... of=/tmp/dump extract(@">>\s*([^\s]+)", 1, ProcessCommandLine), // dd if=... >> /tmp/dump extract(@">\s*([^\s]+)", 1, ProcessCommandLine) // dd if=... > /tmp/dump ) | where isnotempty(DumpFilePath) | extend DumpFileName = tostring(split(DumpFilePath, "/")[-1]) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, DumpFilePath, DumpFileName | sort by TimeGenerated desc

DeviceFileEvents | where ActionType startswith "FileCreated" // file creation events | where tolower(InitiatingProcessFileName) == "rundll32.exe" | where tolower(InitiatingProcessCommandLine) has "comsvcs.dll" // COMSVCS DLL memory dump | where tolower(FolderPath) contains "\\temp\\" // written into a Temp directory // optional: uncomment if you only care about .dmp files // | where FileName endswith ".dmp" | project TimeGenerated, DeviceName, DumpFilePath = strcat(FolderPath, "\\", FileName), FileName, FileSize, SHA256, InitiatingProcessCommandLine | order by TimeGenerated desc // If multiple entries exist and you only need the latest per host, replace the last line with: // | summarize arg_max(TimeGenerated, *) by DeviceName

// Suspicious raw-disk read piped to a formatting cmdlet DeviceProcessEvents | where ActionType == "ProcessCreated" // process start events only | where FileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has "\\.\\" // DOS device path indicator | where ProcessCommandLine matches regex @"(?i)\\\.\\(PhysicalDrive|Volume|[A-Z]:)" // typical raw volume paths | where ProcessCommandLine contains_cs "Format-Hex" or ProcessCommandLine contains "format-hex" // cmdlet of interest // Pull out the cmdlet to make it explicit | extend CmdletUsed = extract(@"(?i)(Format-Hex)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, FileName, ProcessCommandLine, CmdletUsed, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, ProcessId | order by TimeGenerated desc

let LinuxDevices = DeviceInfo | where OSPlatform startswith "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) // Command reads /etc/shadow and uses a redirection operator | where ProcessCommandLine has "/etc/shadow" and ProcessCommandLine contains ">" // Running with elevated privileges | extend IsElevated = iff(tolower(AccountName) == "root" or tolower(InitiatingProcessAccountName) == "root" or tostring(ProcessTokenElevation) contains "Elevated" or tostring(ProcessTokenElevation) contains "Root", true, false) | where IsElevated // Extract the file name/path that receives the redirected output | extend RedirectedFile = trim('"\'"', tostring(extract(@"(?:>>?)\s*([^\s]+)", 1, ProcessCommandLine))) | where isnotempty(RedirectedFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, RedirectedFile | order by TimeGenerated desc

let ps_hosts = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let dump_keywords = dynamic(["lsass","minidump","comsvcs.dll","procdump","out-minidump"]); DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ (ps_hosts) | where ProcessCommandLine has_any (dump_keywords) | extend ScriptFile = extract(@'\S+\.ps1', 0, ProcessCommandLine) | where isnotempty(ScriptFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ScriptFile | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices = make_set(DeviceName, 50) by ScriptFile | order by FirstSeen asc

// 1. Locate network connections to TCP/445 that were initiated by a PowerShell process let ps445 = DeviceNetworkEvents | where RemotePort == 445 // SMB over TCP | where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") | project TimeGenerated, DeviceId, DeviceName, AccountName = InitiatingProcessAccountName, CmdLine = InitiatingProcessCommandLine, RemoteIP; // 2. Extract the PowerShell cmdlet from the command-line text ps445 | extend Cmdlet = coalesce( tostring(extract(@"(?i)(?:-Command\s+|\s|^)((?:[A-Za-z]+-)+[A-Za-z]+)",1,CmdLine)), // first verb-noun token after -Command or at beginning "<Unparsed>") | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Executions = count() by Cmdlet, DeviceName, AccountName | order by Executions desc

// Identify the IP address that a Linux host tried to ping let TimeRange = 7d; // replace in the function call // 1. Locate all devices that run Linux so we do not collect hits from Windows hosts let LinuxDevices = DeviceInfo | where OSPlatform endswith "Linux" | project DeviceId, DeviceName; // 2. Find executions of the *ping* utility on those Linux devices DeviceProcessEvents | where TimeGenerated >= ago(TimeRange) | where FileName =~ "ping" // executable name (covers ping & ping6) | join kind=inner (LinuxDevices) on DeviceId // 3. From the full command-line pull out the first non-switch argument – that is the target | extend PingTarget = extract(@"\bping(?:6)?\s+(?:-[^\s]+\s+)*([^\s]+)", 1, ProcessCommandLine) | where isnotempty(PingTarget) // 4. Keep only literal IP addresses (IPv4 or IPv6); drop host-names that may also appear | where PingTarget matches regex @"^(\d{1,3}(?:\.\d{1,3}){3})$" // IPv4 or PingTarget matches regex @"^[0-9a-fA-F:]{2,}$" // IPv6 (very loose but adequate) // 5. Summarise so you can see when the ping happened and how often | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by DeviceName, PingTarget | order by LastSeen desc

// --------------- Service enumeration investigation (Linux) --------------- // 1) Identify Linux endpoints so we do not pick up Windows service-related utilities let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId; // 2) Known utilities used to enumerate services on *nix systems let svc_enum_utilities = dynamic(["systemctl","service","chkconfig","initctl","rc-service"]); // 3) Common command-line phrases that indicate the intent is *listing* services let svc_enum_phrases = dynamic([ "systemctl list", // systemd service listing "systemctl --type=service", "systemctl --all", "service --status-all", // SysV-style listing "service -e", // BusyBox variant "chkconfig --list", // RHEL/CentOS "initctl list", // Upstart "rc-service -l", // OpenRC "rc-service list" // OpenRC alternate ]); DeviceProcessEvents | where DeviceId in (LinuxDevices) // keep only Linux hosts | where ActionType == "ProcessCreated" // process start events | where FileName in~ (svc_enum_utilities) // executable of interest (case-insensitive) or ProcessCommandLine has_any (svc_enum_phrases) // or explicit enumeration flags // 4) Return the details the analyst cares about | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, // <— full command that was run InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, ProcessId, InitiatingProcessFileName, InitiatingProcessId, SHA256, ReportId | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "arp.exe" or FileName == "arp" | where ProcessCommandLine has " -a" or ProcessCommandLine has " -g" // Optional: focus only on definite process creation events (normally the table already has only those) // | where ActionType == "ProcessCreated" | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessCommandLine, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ReportId | order by TimeGenerated asc

// Detect execution of netsh.exe used to dump Wi-Fi profiles including clear-text keys DeviceProcessEvents | where ActionType == "ProcessCreated" // netsh.exe itself | where FileName =~ "netsh.exe" // Netsh WLAN context | where ProcessCommandLine has "wlan" // Looking for either "show profile" or "export profile" usage | where (ProcessCommandLine has "show" or ProcessCommandLine has "export") | where ProcessCommandLine has "profile" // Passwords are only revealed when the "key=clear" (or "key clear") switch is used | where ProcessCommandLine has "key=clear" or ProcessCommandLine has "key clear" // Optional: surface what flavour of command we observed | extend NetshCommandType = case(ProcessCommandLine has "export", "Export profile", ProcessCommandLine has "show", "Show profile", "Other") | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessCommandLine, NetshCommandType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, SHA256, ReportId | order by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated between (ago(7d) .. now()) // Portal/function time-range overrides this | where FileName =~ "cmd.exe" | where ProcessCommandLine has_any ("for /l", "FOR /L") | where ProcessCommandLine has "ping" | where ProcessCommandLine matches regex @"(?i)for\s+/l\s+%+[a-z0-9]+\s+in\s+\([^)]*\)\s+do\s+ping" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count() by DeviceName, AccountName, ProcessCommandLine | order by LastSeen desc

// ---- Time window (will be overridden by the playbook) ---- let startTime = ago(24h); let endTime = now(); //------------------------------------------------------------- // 1. Identify Linux endpoints let linux_devices = DeviceInfo | where TimeGenerated between (startTime .. endTime) | where OSPlatform startswith "Linux" | project DeviceId, DeviceName; // 2. Look for process-creation events that enumerate current TCP connections DeviceProcessEvents | where TimeGenerated between (startTime .. endTime) | where ActionType == "ProcessCreated" | where DeviceId in (linux_devices) | extend cmdline = tostring(ProcessCommandLine) | where FileName in~ ("netstat", "ss", "lsof") or cmdline matches regex @"\b(netstat|ss|lsof)\b" or cmdline contains "/proc/net/tcp" // 3. Normalise the utility name | extend Utility = case( FileName =~ "netstat" or cmdline matches regex @"\bnetstat\b", "netstat", FileName =~ "ss" or cmdline matches regex @"\bss\b", "ss", FileName =~ "lsof" or (cmdline matches regex @"\blsof\b" and cmdline has "-i"), "lsof", cmdline contains "/proc/net/tcp", "cat /proc/net/tcp", "other") | where Utility != "other" // 4. Summarise so we can easily answer the question | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Executions = count(), ExampleCmdline = arg_max(TimeGenerated, cmdline) by DeviceName, Utility | order by LastSeen desc

// --- Linux one-byte file-growth detector ---------------------------- let LinuxDevices = DeviceInfo | where OSPlatform startswith "Linux" | project DeviceId, DeviceName; DeviceFileEvents | where ActionType in ("FileCreated","FileWritten","FileModified","FileContentModified") | join kind=inner (LinuxDevices) on DeviceId | extend FilePath = strcat(FolderPath, "/", FileName) | sort by DeviceId, FilePath, TimeGenerated asc | serialize // preserve the sorted order for prev() | extend PrevDeviceId = prev(DeviceId), PrevFilePath = prev(FilePath), PrevSize = prev(FileSize) | where DeviceId == PrevDeviceId and FilePath == PrevFilePath and isnotempty(PrevSize) | extend SizeDelta = FileSize - PrevSize | where SizeDelta == 1 // grew by exactly one byte // --------------------------------------------------------------------- | summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCmd = arg_max(TimeGenerated, InitiatingProcessCommandLine) by InitiatingProcessFileName | order by Events desc

// 1. Look at process start events DeviceProcessEvents | where ActionType == "ProcessCreated" // 2. Filter for command-lines that show signs of heavy obfuscation or run-time code generation // – long base64 blobs (-enc …) or FromBase64String() // – use of IEX / Invoke-Expression / Add-Type / Reflection // – very long command lines (>200 chars) | extend cmd = tostring(ProcessCommandLine) | where strlen(cmd) > 200 or cmd has "-enc" or cmd has "-encodedcommand" or cmd has "FromBase64String" or cmd has "Invoke-Expression" or cmd has "IEX(" or cmd has "Add-Type" or cmd has "System.Reflection" or cmd matches regex @"[A-Za-z0-9+/]{100,}=" // 3. Return the process name(s) that executed that payload | summarize ExampleCommandLine = any(cmd), Events = count() by FileName | sort by Events desc

// -------------------------------------------------------------------- // 1. Limit the investigation to Linux endpoints (optional but recommended) // -------------------------------------------------------------------- let LinuxDevices = DeviceInfo | where OSPlatform contains "Linux" | project DeviceId; // -------------------------------------------------------------------- // 2. Detect base64 decode commands and extract the output file path // -------------------------------------------------------------------- let Base64Decode = DeviceProcessEvents | where DeviceId in (LinuxDevices) | where (FileName =~ "base64" or ProcessCommandLine has "base64") // the utility that is being invoked | where ProcessCommandLine matches regex @"\s(-d|--decode)\b" // must have the decode switch | extend OutFilePath = trim("'\"", // try to pull the resulting script path coalesce( extract(@"(?:>\s*)(/[^ >\t\n]+)", 1, ProcessCommandLine), // echo AAA | base64 -d > /tmp/x.sh extract(@"(?:-o\s*)(/[^ >\t\n]+)", 1, ProcessCommandLine) // base64 -d -o /tmp/x.sh )) | where isnotempty(OutFilePath) | project DeviceId, DeviceName, DecodeTime = TimeGenerated, OutFilePath, DecodeCmd = ProcessCommandLine, ScriptFile = tostring(split(OutFilePath, "/")[-1]); // -------------------------------------------------------------------- // 3. Look for execution of that very same file afterwards // -------------------------------------------------------------------- let ScriptExecution = DeviceProcessEvents | where DeviceId in (LinuxDevices) | extend ExecPath = strcat(FolderPath, '/', FileName) | project DeviceId, DeviceName, ExecTime = TimeGenerated, ExecPath, ExecCmd = ProcessCommandLine, ExecFile = FileName; // -------------------------------------------------------------------- // 4. Correlate decode -> execution (within 1 h) on the same device // -------------------------------------------------------------------- Base64Decode | join kind = inner ScriptExecution on DeviceId | where ExecTime between (DecodeTime .. DecodeTime + 1h) and (ExecPath == OutFilePath or ExecCmd has OutFilePath) // executed directly or via interpreter (bash /tmp/x.sh) | summarize FirstDecode = min(DecodeTime), FirstExec = min(ExecTime) by DeviceName, ScriptFile, OutFilePath, DecodeCmd | project DeviceName, ScriptFile, FirstDecode, FirstExec, DecodeCmd | order by FirstDecode asc

// Detect PowerShell binaries that have been renamed and executed from a user's AppData folder DeviceProcessEvents | where ActionType == "ProcessCreated" // process start events only // 1. Identify files whose PE-metadata says they are PowerShell | where tolower(ProcessVersionInfoInternalFileName) == "powershell.exe" or tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" // 2. But the file on disk is not the legitimate name or path | where tolower(FileName) != "powershell.exe" // masqueraded name | where FolderPath has "\\appdata\\" // executed from the user profile | where FolderPath !has "\\windows\\system32" and FolderPath !has "\\windows\\syswow64" // 3. Surface the masquerading filename | project TimeGenerated, DeviceName, User = strcat(AccountDomain, "\\", AccountName), FileName, FolderPath, SHA256, Signed = InitiatingProcessSignatureStatus, CommandLine = ProcessCommandLine | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, FileName, FolderPath, SHA256, User, Signed | order by LastSeen desc

DeviceProcessEvents // === Time range is supplied by the calling UI / hunting blade === | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // Look for typical switches that precede a Base-64 payload (case-insensitive) | where tolower(ProcessCommandLine) has_any (" -enc", " -e ", " -encodedcommand", " -ec") // Pull out the first plausible Base-64 string that follows the switch | extend EncodedPayload = extract(@"(?i)(?:-e|-enc|-encodedcommand|/e|/enc|/encodedcommand)\s+([A-Za-z0-9+/]{20,}={0,2})", 1, ProcessCommandLine) | where isnotempty(EncodedPayload) // === ANSWER THE QUESTION === // Which executable launched the encoded-command PowerShell? | summarize EncodedExecCount = count(), ExampleDevices = make_set(DeviceName, 5) by LaunchingExecutable = InitiatingProcessFileName, LaunchingExecutablePath = InitiatingProcessFolderPath | sort by EncodedExecCount desc // ===== Raw event details (uncomment if needed) ===== // | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, EncodedPayload, // LaunchingExecutable = InitiatingProcessFileName, // LaunchingExecutablePath = InitiatingProcessFolderPath, // LaunchingProcessCommandLine = InitiatingProcessCommandLine, // InitiatingProcessCreationTime

// Scheduled Task creations that launch PowerShell scripts DeviceProcessEvents | where FileName =~ "schtasks.exe" // only creation of new tasks | where ProcessCommandLine contains "/create" // …that invoke PowerShell (Windows PowerShell or PowerShell Core) | where ProcessCommandLine has_any ("powershell", "pwsh") // pull out the script that will be executed (first token ending with .ps1) | extend PsScript = extract(@"(\S+\.ps1)", 1, ProcessCommandLine) | where isnotempty(PsScript) | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, PsScript, ProcessCommandLine | summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by PsScript, DeviceName, DeviceId, AccountDomain, AccountName | order by LastSeen desc

// PowerShell file-copy from a remote C$ share to the local TEMP folder DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName has_cs "powershell" // powershell.exe, pwsh.exe, etc. // must reference a remote administrative C$ share | where ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\c$" // indication of a copy operation | where ProcessCommandLine has_any ("copy-item", "Copy-Item", " copy ", "copy ") // destination is some form of the local temporary directory | where ProcessCommandLine has_any ("%temp%", "\\temp\\", "\\Temp\\", "windows\\temp", "$env:TEMP", "$env:temp") // ———————————————————————————————————————— | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

// 1) restrict the hunt to Linux machines that sent telemetry in the selected time window let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" | summarize by DeviceId; // 2) find python3 processes that look like a one-off HTTP server under /tmp listening on port 9090 DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (LinuxDevices) // make sure we are looking at python3 (name or command-line) | where FileName startswith "python3" or ProcessCommandLine has "python3" // invocation of the built-in web-server module (modern & legacy forms) | where ProcessCommandLine has "http.server" or ProcessCommandLine matches regex "(?i)SimpleHTTPServer" // command must mention the port number and the /tmp directory | where ProcessCommandLine has "9090" and ProcessCommandLine has "/tmp" // extract any 4- or 5-digit number surrounded by whitespace or punctuation, treat it as a candidate port | extend ExtractedPort = toint(extract(@"(?:\s|:)(\d{4,5})(?:\s|$)", 1, ProcessCommandLine)) | where ExtractedPort == 9090 // if the same process logged multiple creation events, keep the most recent | summarize arg_max(TimeGenerated, *) by DeviceId, ProcessId | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine

// "Who ran netstat to list current network connections?" DeviceProcessEvents | where ActionType == "ProcessCreated" // --- Identify the utility ---------------------------------------------------- | where FileName =~ "netstat.exe" or ProcessCommandLine has "netstat" // --- (Optional) keep only typical listing switches -------------------------- | where ProcessCommandLine has_any (" -a", " -an", " -ano", " -b", " -n", " -o") // --- Basic enrichment -------------------------------------------------------- | extend ParentProcess = tostring(InitiatingProcessFileName), ParentCmdLine = tostring(InitiatingProcessCommandLine), User = strcat(AccountDomain, "\\", AccountName) // --- Output ----------------------------------------------------------------- | project TimeGenerated, DeviceName, User, FileName, ProcessCommandLine, ParentProcess, ParentCmdLine, SHA256, InitiatingProcessSHA256, IsProcessElevated = iff(ProcessTokenElevation == "Elevated", true, false) | order by TimeGenerated desc

let cronPath = "/var/spool/cron/crontabs"; DeviceFileEvents // --- Only Linux endpoints (comment this block if not needed) ------------------- | extend DeviceIdTmp = DeviceId | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, OSPlatform ) on DeviceId // ----------------------------------------------------------------------------- | where FolderPath startswith cronPath | where ActionType in ("FileCreated", "FileWritten", "FileModified", "FileCreate", "FileWrite") | project TimeGenerated, DeviceName, FilePath = strcat(FolderPath, "/", FileName), ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId | order by TimeGenerated desc

// Find PowerShell processes that enumerated network connections (e.g. active TCP) // Time range is controlled by the portal (TimeGenerated) let PowerShellHosts = dynamic(["powershell.exe","powershell_ise.exe","pwsh.exe","pwsh"]); let NetEnumerationCmdlets = dynamic(["Get-NetTCPConnection","Get-NetUDPEndpoint","Get-NetIPConnection","netstat"]); DeviceProcessEvents | where FileName in~ (PowerShellHosts) // limit to PowerShell hosts (case-insensitive) | where ProcessCommandLine has_any(NetEnumerationCmdlets) // command-line contains one of the enumeration cmdlets | extend CmdletExecuted = tostring(extract(@"(?i)(get-nettcpconnection|get-netudpendpoint|get-netipconnection|netstat)",0,ProcessCommandLine)) | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessId, CmdletExecuted, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessId | sort by TimeGenerated desc

// ----------------------------------------------------------------------------- // What executable did PowerShell use to transfer data to an FTP service? // ----------------------------------------------------------------------------- // Query logic // 1. Look for processes that were spawned by PowerShell and whose command line // shows typical FTP keywords ( ftp / ftps / tftp ). // 2. Look for network connections to an FTP service (TCP/21 or ftp:// URL) // where the *connecting* process – or its parent – is PowerShell. // 3. Union both evidence sets and summarise so we can clearly see which // executable(s) were leveraged for the exfiltration, on which host and // when it was first & last observed. // // NOTE – The time-picker in the hunting portal controls the global time range. // If you want a fixed window instead, uncomment the first two lines // and adjust the value in the *ago()* operator. // ----------------------------------------------------------------------------- // let TimeWindow = 7d; // <- uncomment / change if needed // | where TimeGenerated >= ago(TimeWindow) // --------------------------------------- // 1. Process-creation evidence // --------------------------------------- let procEvidence = DeviceProcessEvents // | where TimeGenerated >= ago(TimeWindow) // (handled by portal) | where ActionType == "ProcessCreated" | where InitiatingProcessFileName =~ "powershell.exe" | where FileName != "powershell.exe" // exclude the parent itself | where ProcessCommandLine has_any ("ftp ", "ftp://", "ftps://", "tftp ") | project DeviceId, DeviceName, TimeGenerated, ExfilExecutable = FileName, ExfilCommand = ProcessCommandLine; // --------------------------------------- // 2. Network evidence (FTP traffic) // --------------------------------------- let netEvidence = DeviceNetworkEvents // | where TimeGenerated >= ago(TimeWindow) | where RemotePort == 21 or RemoteUrl startswith "ftp://" or RemoteUrl startswith_cs "ftp." | where InitiatingProcessParentFileName =~ "powershell.exe" // PowerShell launched it or InitiatingProcessFileName =~ "powershell.exe" // or is PowerShell itself | project DeviceId, DeviceName, TimeGenerated, ExfilExecutable = InitiatingProcessFileName, ExfilCommand = InitiatingProcessCommandLine; // --------------------------------------- // 3. Merge & answer // --------------------------------------- procEvidence | union netEvidence | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by DeviceName, ExfilExecutable, ExfilCommand | sort by ExecCount desc, FirstSeen asc | project Host = DeviceName, Executable = ExfilExecutable, ExampleCmdLine = ExfilCommand, Executions = ExecCount, FirstSeen, LastSeen

// ------------- PowerShell using WMI RegisterByXml (scheduled-task import) ------------- // Time range is controlled by the hunting UI – no explicit time filter is added here. DeviceProcessEvents // 1. Limit to the various PowerShell interpreters | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // 2. Command line must show the WMI method plus an XML reference | where ProcessCommandLine has "RegisterByXml" and ProcessCommandLine has ".xml" // 3. Try to extract the XML path // 3a. 1st attempt – a normal absolute path (e.g. C:\Temp\task.xml) | extend xmlPath = extract(@'([A-Za-z]:\\[^\s''"<>]+?\.xml)', 1, ProcessCommandLine) // 3b. Fallback – grab the first token that simply ends with .xml (covers relative paths, URLs, vars, etc.) | extend xmlPath = iff(isnull(xmlPath) or xmlPath == "", extract(@'(\S+?\.xml)', 1, ProcessCommandLine), xmlPath) // 4. Pull out just the file name so we can answer the analyst’s question | extend xmlFile = tostring(split(xmlPath, "\\")[-1]) // 5. Return concise context around each occurrence | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by DeviceName, AccountName, xmlFile, xmlPath, ProcessCommandLine | order by LastSeen desc

// Scheduled task creation or modification that runs at logon or start-up DeviceProcessEvents | where TimeGenerated >= ago(7d) // <-- time filter will be overridden by the function call | where FileName =~ "schtasks.exe" // Look for switches that indicate a new or modified task and that the schedule is logon/start-up | where ProcessCommandLine has_any ("/create", "/change") | where ProcessCommandLine contains "/sc" and ( ProcessCommandLine contains "onlogon" or ProcessCommandLine contains "onstart" or ProcessCommandLine contains "onstartup") | project TimeGenerated, DeviceName, Account = strcat(AccountDomain, "\\", AccountName), FileName, ProcessCommandLine, ParentProcess = InitiatingProcessFileName, ParentCmd = InitiatingProcessCommandLine, FolderPath, MD5, SHA256 | order by TimeGenerated desc

// 1) Define typical listing and string-filtering tools let listingTools = dynamic(["tasklist","tasklist.exe","netstat","netstat.exe","wmic","wmic.exe","dir","get-process","gps","ps"]); let stringFilters = dynamic(["findstr","find","select-string"]); DeviceProcessEvents // 2) Look for a pipe and the presence of both a listing tool and a string-filtering tool | where ProcessCommandLine contains "|" | where tolower(ProcessCommandLine) has_any(listingTools) and tolower(ProcessCommandLine) has_any(stringFilters) // 3) Normalise and prepare for parsing | extend CmdLower = tolower(ProcessCommandLine) | extend AfterPipe = trim(' ', tostring(split(CmdLower, '|')[1])) // 4) Extract the searched-for term depending on which filter command is used | extend SearchTerm = case( AfterPipe startswith "findstr", extract("findstr(?:\\s+/[^\\s]+)*\\s+\"?'?([^\\s\"']+)", 1, AfterPipe), AfterPipe startswith "find", extract("find(?:\\s+/[^\\s]+)*\\s+\"?'?([^\\s\"']+)", 1, AfterPipe), AfterPipe startswith "select-string", extract("select-string(?:\\s+[^\\s]+)*\\s+\"?'?([^\\s\"']+)", 1, AfterPipe), "") | where isnotempty(SearchTerm) // 5) Summarise and present the results | summarize Executions = count(), Devices = dcount(DeviceId), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SearchTerm | order by Executions desc

// PowerShell process enumeration detection – what exact cmdlet was used? DeviceProcessEvents // 1. Focus on PowerShell hosts | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // 2. Keep only invocations that attempt to list running processes | where ProcessCommandLine has_any ("Get-Process", // standard cmdlet "Get-CimInstance", "Get-WmiObject", "gwmi", // aliases for Get-WmiObject "gps", "ps") // aliases for Get-Process // 3. Extract the first matching process-listing cmdlet / alias | extend CmdletExecuted = tolower(extract(@"(?i)(get-process|get-ciminstance|get-wmiobject|gwmi|gps|ps)", 1, ProcessCommandLine)) // 4. Normalise common aliases to their canonical cmdlet names | extend CmdletExecuted = case(CmdletExecuted == "ps" or CmdletExecuted == "gps", "get-process", CmdletExecuted == "gwmi", "get-wmiobject", CmdletExecuted) // 5. Return context so the analyst can validate the finding | project TimeGenerated, DeviceName, AccountName, CmdletExecuted, ProcessCommandLine, FolderPath, ProcessId, InitiatingProcessCommandLine | order by TimeGenerated desc

// ------------- Hunt for the "Special APC" shell-code injector ----------------- let apc_keywords = dynamic(["special_apc","specialapc","special-apc","special","queueuserapc","queue_user_apc","apcinject","apc_inject","shellcode","inject"]); DeviceProcessEvents | where ActionType =~ "ProcessCreated" // keep only process-creation events | extend lFile = tolower(FileName), lCmd = tolower(ProcessCommandLine) // normalise for case-insensitive keyword search | where lFile has_any(apc_keywords) or lCmd has_any(apc_keywords) // Return the interesting details for investigation | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc // --- If you only need the name of the executable that performed the Special APC injection, uncomment the next line --- // | distinct FileName

// Investigate instances where Task Manager (taskmgr.exe) was launched *from* a cmd.exe shell // and received at least one command-line argument (i.e. an “unusual” flag). // The query returns the full command that was executed together with basic context. // (Timerange is supplied when the function is invoked) DeviceProcessEvents | where FileName =~ "taskmgr.exe" // child process | where InitiatingProcessFileName =~ "cmd.exe" // launched from cmd.exe | where isnotempty(ProcessCommandLine) // we have a command line | where not(ProcessCommandLine matches regex @"(?i)^\s*taskmgr\.exe\s*$") // command line contains something more than just the executable name | extend UnusualFlag = trim("\"", tostring(extract(@"taskmgr\.exe\s+(.*)$",1,ProcessCommandLine))) | project TimeGenerated, DeviceName, DeviceId, Account = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName), TaskmgrCommand = ProcessCommandLine, ParentCmdLine = InitiatingProcessCommandLine, UnusualFlag | order by TimeGenerated desc

DeviceProcessEvents // Time range will be injected by the calling function | where ActionType == "ProcessCreated" // ---- Hunt for WMI-based process enumeration --------------------------------- | where ( // Native WMIC utility explicitly targeting processes (tolower(FileName) == "wmic.exe" and ProcessCommandLine has "process") // Generic command-lines that contain both "wmic" and "process" or (ProcessCommandLine has "wmic" and ProcessCommandLine has "process") // PowerShell WMI/CIM cmdlets interrogating Win32_Process or (tolower(FileName) in ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance") and ProcessCommandLine has "Win32_Process") // Impacket / other WMIC wrappers or (tolower(FileName) == "wmiexec.exe") ) // ----------------------------------------------------------------------------- | extend Utility = tolower(FileName) | summarize Executions = count(), Devices = dcount(DeviceId), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleCmds = make_list(ProcessCommandLine, 5) by Utility | order by Executions desc

DeviceProcessEvents | where FileName has_any ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ('get-wmiobject', 'gwmi', 'get-ciminstance') // Extract the WMI class either passed via -Class or referenced directly (Win32_*/MSFT_*) | extend WmiClass = coalesce( extract('-class\\s+[\'\"]?([A-Za-z0-9_]+)', 1, tolower(ProcessCommandLine)), extract('(win32_[a-z0-9_]+|msft_[a-z0-9_]+)', 1, tolower(ProcessCommandLine)) ) | where isnotempty(WmiClass) | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by WmiClass, DeviceName, AccountName | order by ExecCount desc, LastSeen desc

DeviceProcessEvents | where InitiatingProcessFileName =~ "cmd.exe" // launched from command prompt | where FileName in ("tasklist.exe", "wmic.exe") // known process-enumeration tools | where FileName == "tasklist.exe" // tasklist – always lists processes or (FileName == "wmic.exe" and // wmic – make sure it was used to list processes ProcessCommandLine has "process" and ProcessCommandLine has "list") | extend ToolExecuted = FileName | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), DevicesAffected = dcount(DeviceId) by ToolExecuted | order by LastSeen desc

// Detect shell processes on Linux that build script content inside an environment variable and // immediately pipe (|) that variable into another shell instance. // The query extracts and reports the environment-variable name that held the script text. // Time range is supplied automatically by the hunting query runner. let shell_regex = @"(?:^|\/)bash$|(?:^|\/)sh$|(?:^|\/)dash$|(?:^|\/)zsh$|(?:^|\/)ksh$"; // common shell executables DeviceProcessEvents // ---- Scope to Linux endpoints ---- | lookup kind=leftouter ( DeviceInfo | project DeviceId, OSPlatform ) on DeviceId | where OSPlatform =~ "Linux" // ---------------------------------- // Interested only in shell processes whose command line both // 1) defines an env-var ( VAR=... or export VAR=... ) AND // 2) pipes that variable into a *second* shell instance ( | bash , | sh , etc. ) | where FileName matches regex shell_regex | where ProcessCommandLine has "|" and ( ProcessCommandLine matches regex @"export\s+\w+\s*=.*\|.*(bash|sh|dash|zsh|ksh)" or ProcessCommandLine matches regex @"\b\w+\s*=.*\|.*(bash|sh|dash|zsh|ksh)" ) // Pull out the name of the environment variable that stored the script | extend EnvVar = coalesce( extract(@"export\s+(\w+)\s*=", 1, ProcessCommandLine), extract(@"\b(\w+)\s*=.*\|", 1, ProcessCommandLine) ) // Quick sanity filter – ignore very short names like "sh" | where isnotempty(EnvVar) and strlen(EnvVar) > 1 // Return the interesting details | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, EnvVar, InitiatingProcessCommandLine // Highlight which variable names are most frequently used | summarize Events = count() by EnvVar, DeviceName | order by Events desc, EnvVar

// Detect enumeration of interactive shells on Linux hosts let lookback = 7d; // will be overwritten by portal / function-caller let shell_viewers = dynamic(["cat","less","more","head","tail","awk","sed","grep","cut","strings"]); DeviceProcessEvents | where TimeGenerated >= ago(lookback) // ---- Step 1 : narrow down to commands that reference the shells file ---- | where ProcessCommandLine has "/etc/shells" or (FileName =~ "getent" and ProcessCommandLine has "shells") or (FileName in~ (shell_viewers) and ProcessCommandLine has "shells") // ---- Step 2 : Pick the interesting fields for triage ---- | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, FileName, ProcessCommandLine, ParentProcessName = InitiatingProcessFileName, ParentProcessCommandLine = InitiatingProcessCommandLine, ParentAccount = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName), RemoteSession = iff(IsInitiatingProcessRemoteSession, "Yes", "No"), ReportId // ---- Step 3 : Optional grouping to reduce noise ---- | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), EventCount=count() by DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, ParentProcessName, ParentProcessCommandLine, ParentAccount, RemoteSession, ReportId | order by LastSeen desc

// --- Linux login-shell change detection ----------------------------------- // Time filter is injected automatically by the hunting portal // but can be added manually if needed, e.g. | where TimeGenerated between (datetime(2023-09-14) .. datetime(2023-09-21)) // 1. Track any edit to /etc/passwd (the file that stores the user shell) let PasswdEdits = DeviceFileEvents | where ActionType in ("FileModified","FileCreated","FileWritten","FileDeleted","Modified") | where FolderPath == "/etc" and FileName == "passwd" | project DeviceId, ReportId, PasswdEditTime = TimeGenerated; // 2. Find processes that are normally used to change a login shell let ShellChangers = DeviceProcessEvents | where ActionType == "ProcessCreated" // Defender for Endpoint marks Linux paths with a leading '/'; good enough indication of OS | where FolderPath startswith "/" // keep only Linux processes | where FileName in ("chsh","usermod") | where ProcessCommandLine has_any (" -s ", " --shell") // command must include the shell parameter | extend PotentialShellChange = 1; // 3. Merge both data-sets to obtain a consolidated view ShellChangers | join kind=leftouter PasswdEdits on DeviceId, ReportId | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, HasEditedPasswd = iff(isnotempty(PasswdEditTime), true, false) | order by TimeGenerated desc

// ------------------------------------------------------------------------------------------------ // Detect scripts fetched from GitHub raw via curl / wget and immediately executed through a pipe // (e.g. curl https://raw.githubusercontent.com/user/repo/script.sh | bash ) // ------------------------------------------------------------------------------------------------ // Time range will be added automatically by the hunting portal, so no explicit where TimeGenerated // clause is required here. let pipeIndicators = dynamic(["|bash","| bash","|sh","| sh","bash -","sh -"]); DeviceProcessEvents // 1. Focus on the typical downloader utilities and the shell that is used to execute the script | where FileName in~ ("bash","sh","curl","wget") // 2. Command-line must reference GitHub raw content and contain a pipe that forwards the content to a shell | where ProcessCommandLine has "raw.githubusercontent.com" and ProcessCommandLine has_any(pipeIndicators) // 3. Pull the full raw URL out of the command line (greedy until we hit whitespace or the pipe symbol) | extend RawUrl = extract(@"((?:http|https)://[^\s'""|<>]+)", 1, ProcessCommandLine) | where isnotempty(RawUrl) // 4. Derive just the script name (the last element after the final '/') | extend ScriptName = extract(@"([^/]+)$", 1, RawUrl) // 5. Return the interesting columns; hunting portal will add the time filter | project TimeGenerated, DeviceName, AccountName, Executable = FileName, ProcessCommandLine, RawUrl, ScriptName | order by TimeGenerated desc