Question Analysis

DeviceProcessEvents | where ProcessCommandLine has "chmod" // Match symbolic: must include both g+s and g+x (in any order), possibly together as g+xs/g+sx, or octal setgid (2xxx) and ( (ProcessCommandLine has "g+s" and ProcessCommandLine has "g+x") or ProcessCommandLine matches regex @"g\+([xs]{2,})" or ProcessCommandLine matches regex @"chmod\s+2[0-7]{2,3}\s" ) | extend parted = split(ProcessCommandLine, " ") | extend FileTarget = parted[-1] | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FileTarget | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "chmod" | where ProcessCommandLine matches regex @"g\+x" or ProcessCommandLine contains "s" or ProcessCommandLine matches regex @"[0-7]*2[0-7]*" | where isnotempty(FileName) | distinct FileName

let SyslogMatches = ( DeviceEvents | extend Syslog = tostring(coalesce(AdditionalFields.Message, AdditionalFields.SyslogMessage, AdditionalFields.LogText, AdditionalFields.RawEvent, AdditionalFields.raw_message, AdditionalFields.raw, AdditionalFields.EventMessage, AdditionalFields.message, AdditionalFields.msg, AdditionalFields.MESSAGE)) | where isnotempty(Syslog) // Must be chmod and either symbolic (g+x & g+s) or numeric with setgid + group execute | where Syslog matches regex @"(?i)\bchmod\b" and ( Syslog matches regex @"(?i)\bchmod\b[^\n;]*\b(g\+x[^\n;]*g\+s|g\+s[^\n;]*g\+x|g\+xs|g\+sx)\b" or Syslog matches regex @"(?i)\bchmod\b[^\n;]*\b0?[2367][0-7][1357][0-7]\b" ) // Extract everything after the mode (symbolic or numeric) | extend TargetsSym = extract(@"(?i)\bchmod\s+(?:--?[^\s]+\s+)*(?:[-+=,ugoXstwrx]+)\s+(.+)", 1, Syslog), TargetsNum = extract(@"(?i)\bchmod\s+(?:--?[^\s]+\s+)*0?[0-7]{3,4}\s+(.+)", 1, Syslog) | extend TargetsStr = coalesce(TargetsSym, TargetsNum) | where isnotempty(TargetsStr) // Split potential multiple targets and clean tokens | extend Tokens = split(trim(' ', TargetsStr), ' ') | mv-expand Token = Tokens | extend Token = trim(" '"";,)&(|", tostring(Token)) | where isnotempty(Token) // Drop options, pure modes, and key=value artifacts | where not(Token matches regex @"^--?.+") and not(Token matches regex @"^(0?[0-7]{3,4}|[-+=,ugoXstwrx]+)$") and Token !contains "=" | extend TargetPath = Token, ModifiedFileName = tostring(split(Token, "/")[-1]) | where isnotempty(ModifiedFileName) | project TimeGenerated, DeviceId, DeviceName, TargetPath, ModifiedFileName, Source = "Syslog" ); let ProcMatches = ( DeviceProcessEvents | where FileName =~ "chmod" or ProcessCommandLine has "chmod " | where ProcessCommandLine matches regex @"(?i)\bchmod\b" and ( ProcessCommandLine matches regex @"(?i)\bchmod\b[^\n;]*\b(g\+x[^\n;]*g\+s|g\+s[^\n;]*g\+x|g\+xs|g\+sx)\b" or ProcessCommandLine matches regex @"(?i)\bchmod\b[^\n;]*\b0?[2367][0-7][1357][0-7]\b" ) | extend TargetsSym = extract(@"(?i)\bchmod\s+(?:--?[^\s]+\s+)*(?:[-+=,ugoXstwrx]+)\s+(.+)", 1, ProcessCommandLine), TargetsNum = extract(@"(?i)\bchmod\s+(?:--?[^\s]+\s+)*0?[0-7]{3,4}\s+(.+)", 1, ProcessCommandLine) | extend TargetsStr = coalesce(TargetsSym, TargetsNum) | where isnotempty(TargetsStr) | extend Tokens = split(trim(' ', TargetsStr), ' ') | mv-expand Token = Tokens | extend Token = trim(" '"";,)&(|", tostring(Token)) | where isnotempty(Token) | where not(Token matches regex @"^--?.+") and not(Token matches regex @"^(0?[0-7]{3,4}|[-+=,ugoXstwrx]+)$") and Token !contains "=" | extend TargetPath = Token, ModifiedFileName = tostring(split(Token, "/")[-1]) | where isnotempty(ModifiedFileName) | project TimeGenerated, DeviceId, DeviceName, TargetPath, ModifiedFileName, Source = "Process" ); union SyslogMatches, ProcMatches | summarize arg_max(TimeGenerated, *) by DeviceId, ModifiedFileName | project TimeGenerated, DeviceName, ModifiedFileName, TargetPath, Source | order by TimeGenerated desc

// Find files where a chmod changed group exec and setgid bits on Linux via syslog entries // Search DeviceEvents and DeviceProcessEvents where command contains chmod or uses numeric mode with leading 2 (setgid) let keywords = dynamic(["chmod","g+s","g+x","2755","2750","2757","2775","2777","2751","2752","2770","2754","2756","2620","2600","2700","275" ]); let ev = ( DeviceEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where SourceSystem == "Linux" or DeviceName contains_cs("linux") or ActionType contains_cs("Syslog") or AdditionalFields has "syslog" | where (ProcessCommandLine has_any (keywords) or tostring(AdditionalFields) has_any (keywords) or FileName has_any (keywords)) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FileName, FolderPath, ActionType, AdditionalFields, _raw = tostring(AdditionalFields) ); let proc = ( DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where ProcessCommandLine has_any (keywords) or InitiatingProcessFileName has_any (keywords) or tostring(AdditionalFields) has_any (keywords) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessFileName, FileName, FolderPath, ActionType, AdditionalFields, _raw = tostring(AdditionalFields) ); union ev, proc | extend Command = coalesce(ProcessCommandLine, _raw) | extend TargetFile = // attempt to extract file path from command using regex for chmod and chgrp extract(@"(?:chmod|chgrp)\s+[0-7]{3,4}\s+([^\s]+)|(?:chmod|chgrp)\s+[^\s]+\s+([^\s]+)|\b([^\s]+/[^\s]+)\b", 1, Command) | extend TargetFile = iff(isempty(TargetFile), extract(@"(?:chmod|chgrp)\s+[0-7]{3,4}\s+([^\s]+)|(?:chmod|chgrp)\s+[^\s]+\s+([^\s]+)|\b([^\s]+/[^\s]+)\b", 2, Command), TargetFile) | extend TargetFile = iff(isempty(TargetFile), extract(@"(?:chmod|chgrp)\s+[0-7]{3,4}\s+([^\s]+)|(?:chmod|chgrp)\s+[^\s]+\s+([^\s]+)|\b([^\s]+/[^\s]+)\b", 3, Command), TargetFile) | where Command has_any ("chmod","g+s","g+x") or Command matches regex @"\b[2-7][0-7]{2}\b" | where isnotempty(TargetFile) or isnotempty(FileName) or isnotempty(FolderPath) | extend ObservedFile = coalesce(TargetFile, FileName, FolderPath) | summarize count() , any(InitiatingProcessAccountName), any(Command), make_set(AdditionalFields) by ObservedFile, DeviceName | where ObservedFile != "" | project DeviceName, ObservedFile, Count = count_, Account = any_InitiatingProcessAccountName, ExampleCommand = any_Command | order by Count desc // Note: adjust time range in function call. This query attempts to extract path from syslog/process command lines containing chmod/chgrp or numeric modes that set setgid (leading 2xxx).