Question Analysis

let linuxDevices = DeviceInfo | where tostring(OSPlatform) != '' and (tolower(tostring(OSPlatform)) contains "linux" or tolower(tostring(OSDistribution)) contains "linux") | distinct DeviceId; union ( DeviceEvents | project TimeGenerated, DeviceId, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountDomain, InitiatingProcessAccountName, Command = tostring(InitiatingProcessCommandLine), InitiatingProcessFileName, Additional = tostring(AdditionalFields) ), ( DeviceFileEvents | project TimeGenerated, DeviceId, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountDomain, InitiatingProcessAccountName, Command = tostring(InitiatingProcessCommandLine), InitiatingProcessFileName, Additional = tostring(AdditionalFields) ), ( DeviceProcessEvents | project TimeGenerated, DeviceId, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountDomain, InitiatingProcessAccountName, Command = tostring(coalesce(InitiatingProcessCommandLine, ProcessCommandLine)), InitiatingProcessFileName, Additional = tostring(AdditionalFields) ) | where DeviceId in (linuxDevices) // Look for known indicators of SetUID being set | where Command has_any ("chmod","+s","u+s","475","setuid","suid","setfacl","setfattr","chown") or Additional has_any ("suid","+s","u+s","475","chmod","setuid") | extend ExactCommand = extract(@"(?i)(chmod\s+[^;|&]*)", 1, Command) | extend ExactCommand = iff(isnotempty(ExactCommand), ExactCommand, extract(@"(?i)(setfacl\s+[^;|&]*)", 1, Command)) | extend ExactCommand = iff(isnotempty(ExactCommand), ExactCommand, extract(@"(?i)(setfattr\s+[^;|&]*)", 1, Command)) | extend ExactCommand = iff(isnotempty(ExactCommand), ExactCommand, extract(@"(?i)(chown\s+[^;|&]*)", 1, Command)) | extend FullPath = strcat(tostring(FolderPath), "/", tostring(FileName)) | project TimeGenerated, DeviceName, DeviceId, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, FullPath, ExactCommand, Command, ActionType, Additional | where isnotempty(ExactCommand) or Additional has_any ("suid","+s","u+s","475") | summarize LatestTime = max(TimeGenerated), DeviceName = any(DeviceName), AccountDomain = any(AccountDomain), AccountName = any(AccountName), InitiatingProcessFileName = any(InitiatingProcessFileName), Command = any(Command), ExactCommand = any(ExactCommand), ActionType = any(ActionType), Additional = any(Additional) by DeviceId, FullPath | order by LatestTime desc | project LatestTime, DeviceName, FullPath, ExactCommand, Command, AccountDomain, AccountName, InitiatingProcessFileName, ActionType, Additional | take 100

DeviceProcessEvents | where isnotempty(InitiatingProcessCommandLine) | where InitiatingProcessCommandLine contains "chmod" | where InitiatingProcessCommandLine contains "4" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, FolderPath, FileName | order by TimeGenerated desc