Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "apple" or ProcessCommandLine contains "berry" or ProcessCommandLine contains "grape" or ProcessCommandLine contains "melon" or ProcessCommandLine contains "lemon" or ProcessCommandLine contains "orange" or ProcessCommandLine contains "pear" or ProcessCommandLine contains "plum" or ProcessCommandLine contains "bean" or ProcessCommandLine contains "corn" or ProcessCommandLine contains "rice" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "meat" or ProcessCommandLine contains "egg" or ProcessCommandLine contains "milk" or ProcessCommandLine contains "honey" or ProcessCommandLine contains "sugar" or ProcessCommandLine contains "salt" or ProcessCommandLine contains "pie" or ProcessCommandLine contains "donut" or ProcessCommandLine contains "candy" or FileName contains "apple" or FileName contains "berry" or FileName contains "grape" or FileName contains "melon" or FileName contains "lemon" or FileName contains "orange" or FileName contains "pear" or FileName contains "plum" or FileName contains "bean" or FileName contains "corn" or FileName contains "rice" or FileName contains "fish" or FileName contains "meat" or FileName contains "egg" or FileName contains "milk" or FileName contains "honey" or FileName contains "sugar" or FileName contains "salt" or FileName contains "pie" or FileName contains "donut" or FileName contains "candy" or InitiatingProcessCommandLine contains "apple" or InitiatingProcessCommandLine contains "berry" or InitiatingProcessCommandLine contains "grape" or InitiatingProcessCommandLine contains "melon" or InitiatingProcessCommandLine contains "lemon" or InitiatingProcessCommandLine contains "orange" or InitiatingProcessCommandLine contains "pear" or InitiatingProcessCommandLine contains "plum" or InitiatingProcessCommandLine contains "bean" or InitiatingProcessCommandLine contains "corn" or InitiatingProcessCommandLine contains "rice" or InitiatingProcessCommandLine contains "fish" or InitiatingProcessCommandLine contains "meat" or InitiatingProcessCommandLine contains "egg" or InitiatingProcessCommandLine contains "milk" or InitiatingProcessCommandLine contains "honey" or InitiatingProcessCommandLine contains "sugar" or InitiatingProcessCommandLine contains "salt" or InitiatingProcessCommandLine contains "pie" or InitiatingProcessCommandLine contains "donut" or InitiatingProcessCommandLine contains "candy" or InitiatingProcessFileName contains "apple" or InitiatingProcessFileName contains "berry" or InitiatingProcessFileName contains "grape" or InitiatingProcessFileName contains "melon" or InitiatingProcessFileName contains "lemon" or InitiatingProcessFileName contains "orange" or InitiatingProcessFileName contains "pear" or InitiatingProcessFileName contains "plum" or InitiatingProcessFileName contains "bean" or InitiatingProcessFileName contains "corn" or InitiatingProcessFileName contains "rice" or InitiatingProcessFileName contains "fish" or InitiatingProcessFileName contains "meat" or InitiatingProcessFileName contains "egg" or InitiatingProcessFileName contains "milk" or InitiatingProcessFileName contains "honey" or InitiatingProcessFileName contains "sugar" or InitiatingProcessFileName contains "salt" or InitiatingProcessFileName contains "pie" or InitiatingProcessFileName contains "donut" or InitiatingProcessFileName contains "candy" | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has_any ("cookie", "egg", "cheese", "bacon", "peach", "apple", "onion") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath

let food_regex = @"(?i)\b(cookie|cookies|cake|honey|donut|donuts|doughnut|biscuit|biscuits|apple|pear|cheese|bacon|burger|sandwich|salad|soup|banana|orange|grape|cherry|muffin)\b"; let recon_keywords = dynamic(["sharphound","bloodhound","invoke-sharphound","invoke-bloodhound","adfind","nbtscan","nmap","masscan","recon-ng","ldapsearch","get-domain","get-ad","get-net","get-aduser","get-adcomputer","find-ad","invoke-aclscanner","invoke-sharefinder","get-localuser","get-localgroup","net user","net group"]); // Combine relevant sources into a common shape ( DeviceProcessEvents | project TimeGenerated, Source = "DeviceProcessEvents", DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId, ReportId ) | union ( DeviceEvents | project TimeGenerated, Source = "DeviceEvents", DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId = InitiatingProcessId, ReportId ) | union ( DeviceFileEvents | project TimeGenerated, Source = "DeviceFileEvents", DeviceName, Account = InitiatingProcessAccountName, FileName, ProcessCommandLine = InitiatingProcessCommandLine, ProcessId = InitiatingProcessId, ReportId ) | extend lcCmd = tolower(tostring(ProcessCommandLine)), lcFile = tolower(tostring(FileName)) // Filter to likely reconnaissance activity or food-named functions | where (isnotempty(lcCmd) and lcCmd has_any (recon_keywords)) or (isnotempty(lcFile) and lcFile has_any (recon_keywords)) or (isnotempty(lcCmd) and lcCmd matches regex food_regex) // Extract possible function/collector names and any food word | extend FoodMatch = extract(food_regex, 1, lcCmd) | extend InvokedFunction = extract(@"(?i)\b(invoke-[\w-]+)", 1, lcCmd) | extend CollectionMethods = extract(@"(?i)(?:-c\s+|--collectionmethod(?:=|\s+)?|-collectionmethod\s+|--collectors(?:=|\s+)?|-collectors\s+)\s*([a-z0-9,]+)", 1, lcCmd) | extend OtherCollectorFlags = extract(@"(?i)(?:--?collector[s]?\s*=?\s*)([a-z0-9,]+)", 1, lcCmd) // Choose the most relevant function name (food word preferred) | extend DeducedFunction = case( isempty(FoodMatch) == false, FoodMatch, isempty(CollectionMethods) == false, CollectionMethods, isempty(OtherCollectorFlags) == false, OtherCollectorFlags, isempty(InvokedFunction) == false, InvokedFunction, "" ) | project TimeGenerated, Source, DeviceName, Account, FileName, ProcessId, ProcessCommandLine, DeducedFunction, FoodMatch, InvokedFunction, CollectionMethods, OtherCollectorFlags, ReportId | order by TimeGenerated desc | take 200

let foodRegex = @"(?i)\b(cheese|ham|bacon|cookie|apple|pear|peach|grape|berry|muffin|bread|toast|steak|beef|chicken|egg|milk|donut|sugar)\b"; let proc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) or isnotempty(ProcessVersionInfoFileDescription) or isnotempty(ProcessVersionInfoProductName) | where ProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or ProcessVersionInfoFileDescription matches regex foodRegex or ProcessVersionInfoProductName matches regex foodRegex | project TimeGenerated, Table = "DeviceProcessEvents", DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessVersionInfoProductName, ProcessVersionInfoFileDescription; let dev = DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) or isnotempty(AdditionalFields) | where ProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or tostring(AdditionalFields) matches regex foodRegex | project TimeGenerated, Table = "DeviceEvents", DeviceName, AccountName, ProcessId = InitiatingProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, Extra = tostring(AdditionalFields); let df = DeviceFileEvents | where isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) or isnotempty(PreviousFileName) or isnotempty(InitiatingProcessFileName) | where InitiatingProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or PreviousFileName matches regex foodRegex or InitiatingProcessFileName matches regex foodRegex | project TimeGenerated, Table = "DeviceFileEvents", DeviceName, AccountName = InitiatingProcessAccountName, ProcessId = InitiatingProcessId, FileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine; let img = DeviceImageLoadEvents | where isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) or isnotempty(InitiatingProcessFileName) | where InitiatingProcessCommandLine matches regex foodRegex or FileName matches regex foodRegex or InitiatingProcessFileName matches regex foodRegex | project TimeGenerated, Table = "DeviceImageLoadEvents", DeviceName, AccountName = InitiatingProcessAccountName, ProcessId = InitiatingProcessId, FileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine; union proc, dev, df, img | sort by TimeGenerated desc | distinct TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, Table | take 200

let foodWords = dynamic(["cheese","cookie","biscuit","pepper","banana","orange","tomato","lettuce","pickle","donut","bagel","salami","cracker","jalapeno","cookie","apple","pear","grape","mango","melon","ham","bacon","sausage","olive","pepperoni","cinnamon","sugar","honey","nut","almond","peanut","walnut","chocolate"]); // Union the relevant tables and project common fields union isfuzzy=true (DeviceProcessEvents | project TimeGenerated, DeviceName, SourceTable = "DeviceProcessEvents", FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)), (DeviceEvents | project TimeGenerated, DeviceName, SourceTable = "DeviceEvents", FileName, ProcessCommandLine = ProcessCommandLine, InitiatingProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)), (DeviceFileEvents | project TimeGenerated, DeviceName, SourceTable = "DeviceFileEvents", FileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)), (DeviceImageLoadEvents | project TimeGenerated, DeviceName, SourceTable = "DeviceImageLoadEvents", FileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields = tostring(AdditionalFields)) | extend combined = strcat(tolower(coalesce(ProcessCommandLine, "")), " ", tolower(coalesce(InitiatingProcessCommandLine, "")), " ", tolower(coalesce(FileName, "")), " ", tolower(coalesce(AdditionalFields, ""))) // Expand candidate words and filter to matches | mv-expand word = foodWords | where combined contains tolower(tostring(word)) | extend matchedFunction = tostring(word) // Summarize and cast matchedFunction to string to avoid dynamic grouping issues | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, matchedFunction = tostring(matchedFunction), SourceTable, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName | order by Count desc, FirstSeen asc | project DeviceName, matchedFunction, Count, FirstSeen, LastSeen, SourceTable, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountName | take 100

let startTime = ago(1d); let endTime = now(); DeviceProcessEvents | where TimeGenerated between (startTime .. endTime) | where InitiatingProcessFileName endswith ".exe" | where InitiatingProcessCommandLine has_any ("nmap","masscan","nikto","sqlmap","hydra","dnsrecon","theharvester","whois","curl","wget","nc","netcat","powershell","wmic","certutil") | extend CmdLine = tostring(InitiatingProcessCommandLine) | extend FunctionName = case( CmdLine contains "-O", "apple", CmdLine contains "-sS", "banana", CmdLine contains "-sV", "cookie", CmdLine contains "-sU", "donut", CmdLine contains "-A", "orange", CmdLine contains "-sC", "peach", "Unknown") | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, CmdLine, FunctionName | summarize arg_max(TimeGenerated, *) by DeviceId | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where ProcessCommandLine matches regex @'\b(cookie|bread|cake|pie|fruit|apple|banana|cherry|grape|berry|meat|fish|rice|noodle|pasta|soup|salad|cheese|milk|egg)\b' or InitiatingProcessCommandLine matches regex @'\b(cookie|bread|cake|pie|fruit|apple|banana|cherry|grape|berry|meat|fish|rice|noodle|pasta|soup|salad|cheese|milk|egg)\b' | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, ActionType | order by Timestamp desc | limit 100

DeviceProcessEvents | where ProcessCommandLine has 'nmap' or ProcessCommandLine has 'finger' | project TimeGenerated, DeviceName, ProcessCommandLine, FileName | order by TimeGenerated desc

union DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents | where TimeGenerated >= ago(7d) | where isnotempty(FileName) or isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | where FileName has_any ("cookie", "potato", "apple", "banana", "cake", "milk", "taco") or ProcessCommandLine has_any ("cookie", "potato", "apple", "banana", "cake", "milk", "taco") or InitiatingProcessCommandLine has_any ("cookie", "potato", "apple", "banana", "cake", "milk", "taco") | project TimeGenerated, Type, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc