Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains "python3" and ProcessCommandLine contains "/tmp" and ProcessCommandLine contains "9090" | project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "python3" | where ProcessCommandLine contains "9090" | project ProcessCommandLine, InitiatingProcessCreationTime, DeviceName, ProcessId

DeviceProcessEvents | where InitiatingProcessCommandLine has "python3" and InitiatingProcessCommandLine has "-m http.server" and InitiatingProcessCommandLine has "9090" and InitiatingProcessCommandLine has "/tmp" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine

let targetPort = 9090; let portRegex = strcat(@"(^|[^\d])", tostring(targetPort), @"([^\d]|$)"); DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=innerunique ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName ) on DeviceId | extend cmdl = tostring(ProcessCommandLine) | where isnotempty(cmdl) // python3 starting http.server on the target port | where tolower(cmdl) has "http.server" and cmdl matches regex portRegex | where tolower(FileName) matches regex @"^python3(\.\d+)?$" or tolower(cmdl) has "python3" // get working directory from various possible keys in AdditionalFields | extend WorkingDirectory = coalesce( tostring(AdditionalFields["cwd"]), tostring(AdditionalFields["Cwd"]), tostring(AdditionalFields["WorkingDirectory"]), tostring(AdditionalFields["workdir"]), tostring(AdditionalFields["CurrentDirectory"])) // hosted under /tmp: either CWD is /tmp or command references /tmp (e.g., --directory /tmp) | where tolower(cmdl) has "/tmp" or (isnotempty(WorkingDirectory) and tolower(WorkingDirectory) has "/tmp") | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessId, ProcessCommandLine=cmdl, WorkingDirectory | order by TimeGenerated asc

// Search DeviceProcessEvents and DeviceEvents for python3 starting an http server on port 9090 under /tmp let lookback = 30d; let pythonPatterns = dynamic(["python3","python","/usr/bin/python3","/usr/bin/python"]); let httpModuleRegex = @"(?i)\b-m\s+http\.server\b|\bSimpleHTTPServer\b|\bhttp\.server\b|python\s+-m\s+http"; // Helper to normalize fields from both tables let procs = ( DeviceProcessEvents | where TimeGenerated >= ago(lookback) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend Cmd = coalesce(ProcessCommandLine, strcat(FileName, " ", tostring(ProcessId))) | extend SourceTable = "DeviceProcessEvents", ProcTime = ProcessCreationTime | project TimeGenerated, ProcTime, DeviceName, DeviceId, ProcessId, FileName, Cmd, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, SourceTable ); let events = ( DeviceEvents | where TimeGenerated >= ago(lookback) | where ActionType == "ProcessCreated" or ActionType == "CreateProcess" | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend Cmd = coalesce(ProcessCommandLine, strcat(FileName, " ", tostring(ProcessId))) | extend SourceTable = "DeviceEvents", ProcTime = ProcessCreationTime | project TimeGenerated, ProcTime, DeviceName, DeviceId, ProcessId, FileName, Cmd, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, SourceTable ); procs | union events | where tolower(Cmd) contains "python" // ensure python invocations | where (Cmd matches regex httpModuleRegex) or Cmd contains "9090" or Cmd contains ":9090" or Cmd contains "port 9090" or Cmd contains "--bind" and Cmd contains "9090" | where Cmd contains "/tmp" or Cmd contains "tmp/" or InitiatingProcessCommandLine contains "/tmp" or InitiatingProcessCommandLine contains "tmp/" | extend MatchedHttp = extract(@"(-m\s+http\.server\b.*?|http\.server.*?|SimpleHTTPServer.*?|\b\d{2,5}\b)", 1, Cmd) | extend FullCommand = trim('"', Cmd) | project ProcTime = coalesce(ProcTime, TimeGenerated), TimeGenerated, DeviceName, DeviceId, ProcessId, FileName, FullCommand, MatchedHttp, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, SourceTable | order by ProcTime desc | take 50

DeviceProcessEvents | where ProcessCommandLine contains "python3" and ProcessCommandLine contains "9090" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc | take 10

DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId | join kind=inner ( DeviceProcessEvents | where ProcessCommandLine has "python3" | where ProcessCommandLine has "9090" | where ProcessCommandLine has "/tmp" ) on DeviceId | project TimeGenerated, DeviceName, FolderPath, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform contains "Linux" ) on DeviceId | where (FileName in~ ("python", "python3") or ProcessCommandLine contains "python") | where ProcessCommandLine contains "9090" | where ProcessCommandLine contains "/tmp" or FolderPath has "/tmp" or InitiatingProcessFolderPath has "/tmp" | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, ProcessCreationTime | order by TimeGenerated desc

// 1) restrict the hunt to Linux machines that sent telemetry in the selected time window let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" | summarize by DeviceId; // 2) find python3 processes that look like a one-off HTTP server under /tmp listening on port 9090 DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (LinuxDevices) // make sure we are looking at python3 (name or command-line) | where FileName startswith "python3" or ProcessCommandLine has "python3" // invocation of the built-in web-server module (modern & legacy forms) | where ProcessCommandLine has "http.server" or ProcessCommandLine matches regex "(?i)SimpleHTTPServer" // command must mention the port number and the /tmp directory | where ProcessCommandLine has "9090" and ProcessCommandLine has "/tmp" // extract any 4- or 5-digit number surrounded by whitespace or punctuation, treat it as a candidate port | extend ExtractedPort = toint(extract(@"(?:\s|:)(\d{4,5})(?:\s|$)", 1, ProcessCommandLine)) | where ExtractedPort == 9090 // if the same process logged multiple creation events, keep the most recent | summarize arg_max(TimeGenerated, *) by DeviceId, ProcessId | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine

DeviceProcessEvents | extend CMD = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where CMD contains "python3" and CMD contains "/tmp" and CMD contains "9090" | project TimeGenerated, DeviceName, FileName, CMD | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "python3" | where ProcessCommandLine contains "/tmp" | where ProcessCommandLine contains "9090" | project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated asc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "python3" and ProcessCommandLine has "9090" and ProcessCommandLine has "/tmp" | project ProcessCreationTime, DeviceName, ProcessId, ProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName == "python3" or ProcessCommandLine has "python3" | where ProcessCommandLine has "/tmp" and (ProcessCommandLine has "http.server" or ProcessCommandLine has "SimpleHTTPServer" or ProcessCommandLine has "-m http.server") | where ProcessCommandLine has "9090" | project ProcessCreationTime, DeviceName, ProcessId, ProcessCommandLine | sort by ProcessCreationTime asc