Question Analysis

DeviceProcessEvents | where tolower(FolderPath) contains "perl" | where FileName in~ ("cpanm","perlbrew","perl-build","carton","cpan","plenv","ack","perl") | project ProcessId, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where (InitiatingProcessFileName has_any ('cpan','cpanm') or InitiatingProcessCommandLine contains 'cpan' or InitiatingProcessCommandLine contains 'cpanm') | where ProcessCommandLine has_any ('sh', 'bash', 'zsh') | project DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where InitiatingProcessFileName has_any ('cpan', 'cpanm', 'cpanp') or InitiatingProcessCommandLine has_any ('cpan', 'cpanm', 'cpanp') | where FileName has_any ('sh', 'bash', 'dash', 'zsh', 'ksh') | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, FolderPath, InitiatingProcessFolderPath

DeviceProcessEvents | where InitiatingProcessCommandLine contains ".sh" | summarize processCommandLineCount=count() by InitiatingProcessCommandLine, DeviceName, AccountName | extend timestamp = now() | sort by processCommandLineCount desc | extend AccountName = tostring(split(AccountName, "@")[0]), DnsDomain = tostring(split(AccountName, "@")[1]) | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, ".")) | extend DNSDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) // Please uncomment below to filter the results based on a specific domain/hostname // | where DNSDomain in ("<your domain/host to be filtered>") or HostName in ("<your domain/host to be filtered>") // Please uncomment below to filter the results based on a specific account name // | where AccountName in ("<your account to be filtered>")

DeviceProcessEvents | where FileName in ("cpan", "cpanm") or ProcessCommandLine has_any ("cpan", "cpanm") | where InitiatingProcessFileName in ("sh", "bash", "/bin/sh", "/bin/bash") or InitiatingProcessCommandLine has_any ("sh", "bash", "/bin/sh", "/bin/bash") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains 'perl' or ProcessCommandLine contains '/bin/sh' or ProcessCommandLine contains 'bash' | where ProcessCommandLine matches regex '(?i)escape|restricted|shell|perl' | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessId, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessParentCreationTime | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessFileName =~ "perl" or InitiatingProcessFileName =~ "cpan" | where FileName has_any ("bash", "sh", "shell") or ProcessCommandLine has_any ("bash", "sh", "shell") | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

// Shell escape via Perl package manager (cpan/cpanm / perl -MCPAN) let shell_names = dynamic(["sh","bash","dash","zsh","ksh","ash","busybox","fish"]); let cpan_regex = @"(?i)\bcpanm?\b|(-MCPAN|CPAN::)"; let Proc = DeviceProcessEvents | where ActionType == "ProcessCreated" | project DeviceId, DeviceName, TimeGenerated, AccountName, AccountDomain, FileName, FolderPath, ProcessCommandLine, ProcessId, ProcessCreationTime, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentId, InitiatingProcessParentCreationTime, InitiatingProcessParentFileName; // Shell processes on Linux let Shells = Proc | where FileName in (shell_names) | where FolderPath startswith "/"; // Parent (the tool that spawned the shell) let ShellsWithParent = Shells | join kind=inner ( Proc | project DeviceId, ParentProcessId = ProcessId, ParentProcessCreationTime = ProcessCreationTime, ToolFileName = FileName, ToolFolderPath = FolderPath, ToolCommandLine = ProcessCommandLine, ToolProcessId = ProcessId, ToolProcessCreationTime = ProcessCreationTime, ToolInitiatingProcessId = InitiatingProcessId, ToolInitiatingProcessCreationTime = InitiatingProcessCreationTime, ToolInitiatingProcessFileName = InitiatingProcessFileName, ToolInitiatingProcessCommandLine = InitiatingProcessCommandLine ) on $left.DeviceId == $right.DeviceId and $left.InitiatingProcessId == $right.ParentProcessId and $left.InitiatingProcessCreationTime == $right.ParentProcessCreationTime; // Grandparent (often cpan/cpanm or perl running CPAN) let ShellsWithAncestors = ShellsWithParent | join kind=leftouter ( Proc | project DeviceId, GPProcessId = ProcessId, GPProcessCreationTime = ProcessCreationTime, GPFileName = FileName, GPFolderPath = FolderPath, GPCommandLine = ProcessCommandLine ) on $left.DeviceId == $right.DeviceId and $left.ToolInitiatingProcessId == $right.GPProcessId and $left.ToolInitiatingProcessCreationTime == $right.GPProcessCreationTime // Keep cases indicating CPAN involvement | where ToolFileName in ("cpan","cpanm") or ToolCommandLine matches regex cpan_regex or coalesce(GPFileName, "") in ("cpan","cpanm") or coalesce(GPCommandLine, "") matches regex cpan_regex or (ToolFileName =~ "perl" and ToolCommandLine matches regex cpan_regex) or (coalesce(GPFileName, "") =~ "perl" and coalesce(GPCommandLine, "") matches regex cpan_regex) | project TimeGenerated, DeviceName, AccountName, ShellFileName = FileName, ShellCommandLine = ProcessCommandLine, ToolFileName, ToolCommandLine, CpanAncestorFile = GPFileName, CpanAncestorCmd = GPCommandLine | order by TimeGenerated desc; ShellsWithAncestors // Optional: identify which tool most commonly spawns shells in this context // | summarize ShellLaunches = count(), ExampleShellCmds = make_set(ShellCommandLine, 3) by DeviceName, ToolFileName, ToolCommandLine // | order by ShellLaunches desc

let perl_tools = dynamic(["cpan","cpanm","ppm","cpanp","cpan2dist","cpanplus","cpanminus"]); let perl_procs = DeviceProcessEvents | where isnotempty(FileName) and (tolower(FileName) has_any(perl_tools) or tolower(ProcessCommandLine) has_any(perl_tools)) | extend PerlTool = case( tolower(FileName) contains "cpanm" or tolower(ProcessCommandLine) contains "cpanm", "cpanm", tolower(FileName) contains "ppm" or tolower(ProcessCommandLine) contains "ppm", "ppm", tolower(FileName) contains "cpan" or tolower(ProcessCommandLine) contains "cpan", "cpan", "other") | project PerlTime=TimeGenerated, DeviceId, DeviceName, AccountName, PerlProcId=ProcessId, PerlFileName=FileName, PerlCmd=ProcessCommandLine, PerlCreationTime=ProcessCreationTime, PerlTool; let shells = DeviceProcessEvents | where isnotempty(FileName) and ( tolower(FileName) in ("sh","bash","zsh","dash","ksh") or tolower(ProcessCommandLine) contains "/bin/sh" or tolower(ProcessCommandLine) contains "/bin/bash" or tolower(ProcessCommandLine) contains "sh -c" or tolower(ProcessCommandLine) contains "bash -c" or tolower(ProcessCommandLine) contains "exec /bin/sh" ) | extend InitiatingId = tostring(InitiatingProcessId), InitiatingFile = tostring(InitiatingProcessFileName) | project ShellTime=TimeGenerated, DeviceId, DeviceName, ShellProcId=ProcessId, ShellFileName=FileName, ShellCmd=ProcessCommandLine, ShellCreationTime=ProcessCreationTime, InitiatingId, InitiatingFile; perl_procs | join kind=leftouter (shells) on DeviceId | where (tostring(PerlProcId) == InitiatingId) or (tolower(InitiatingFile) has_any(perl_tools)) | project DeviceName, DeviceId, PerlTool, PerlFileName, PerlCmd, PerlProcId, PerlCreationTime, ShellFileName, ShellCmd, ShellProcId, ShellCreationTime, ShellTime, InitiatingFile | summarize Count = count(), SampleShellCmd = any(ShellCmd), SamplePerlCmd = any(PerlCmd), FirstSeen = min(ShellTime), LastSeen = max(ShellTime) by PerlTool, PerlFileName, DeviceName, DeviceId, PerlProcId | order by FirstSeen desc | limit 500

let startTime = ago(1d); let endTime = now(); DeviceProcessEvents | where TimeGenerated between (startTime .. endTime) | where (tolower(InitiatingProcessFileName) contains "perl" or tolower(InitiatingProcessCommandLine) contains "perl" or tolower(InitiatingProcessFileName) contains "cpan" or tolower(InitiatingProcessCommandLine) contains "cpan" or tolower(InitiatingProcessFileName) contains "cpanm" or tolower(InitiatingProcessCommandLine) contains "cpanm") | where (tolower(FileName) contains "sh" or tolower(FileName) contains "bash" or tolower(FileName) contains "zsh" or tolower(FileName) contains "dash" or tolower(FileName) contains "ash") | project TimeGenerated, DeviceName, ShellFileName = FileName, ShellFolderPath = FolderPath, ShellCmdLine = ProcessCommandLine, ShellPid = ProcessId, ShellCreationTime = ProcessCreationTime, ToolName = InitiatingProcessFileName, ToolCmdLine = InitiatingProcessCommandLine, ToolProcessId = InitiatingProcessId, ParentCreated = InitiatingProcessCreationTime | order by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated > ago(7d) | where (ProcessCommandLine contains 'perl' or ProcessCommandLine contains 'cpan') | where (ProcessCommandLine contains 'sh' or ProcessCommandLine contains 'bash' or ProcessCommandLine contains 'shell') | join kind=inner ( DeviceInfo | where OSPlatform == 'Linux' ) on DeviceId | project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, ProcessCreationTime, DeviceId | order by ProcessCreationTime desc | limit 50

DeviceProcessEvents | where FolderPath startswith "/" | where InitiatingProcessFileName has_any ("perl", "cpan", "cpanm") | where ProcessCommandLine has_any ("/bin/sh", "system", "exec", "shell") | project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, ProcessId | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessCommandLine has_any ("perl", "cpan", "cpanm") | where FileName in~ ("sh", "bash", "zsh", "ksh", "dash") | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("sh", "bash", "dash", "zsh", "csh", "ksh") // Identify newly created shell-like processes | where InitiatingProcessFileName in~ ("cpan", "cpanm", "perl") or InitiatingProcessCommandLine has_any ("cpan", "cpanm") // Filter for shells spawned by cpan, cpanm, or perl | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, AccountName | order by TimeGenerated desc

DeviceProcessEvents | where (tolower(InitiatingProcessFileName) has_any ("cpan", "cpanm") or tolower(InitiatingProcessCommandLine) has_any ("cpan", "cpanm")) | where (tolower(FileName) has_any ("/bin/bash", "/bin/sh") or tolower(ProcessCommandLine) has_any ("/bin/bash", "/bin/sh", "bash", "sh")) | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine contains "cpan" | where ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessCreationTime, ProcessId, InitiatingProcessId | order by TimeGenerated desc