Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains 'HISTSIZE=0' | project DisableHistoryTime = ProcessCreationTime, DeviceId, Initiator_ProcessId = ProcessId | join kind=inner (DeviceProcessEvents | project CommandExecuted = ProcessCommandLine, ExecutionTime = ProcessCreationTime, DeviceId, PrevProcessId = InitiatingProcessId) on DeviceId | where PrevProcessId == Initiator_ProcessId and ExecutionTime > DisableHistoryTime | project CommandExecuted, TimeDifference = ExecutionTime - DisableHistoryTime | top 1 by TimeDifference asc

DeviceProcessEvents | where ProcessCommandLine contains "HISTSIZE=0" | project DeviceId, AccountName, CreatedProcessSessionId, TimeHIST=ProcessCreationTime | join kind=inner ( DeviceProcessEvents | project DeviceId, AccountName, CreatedProcessSessionId, ProcessCreationTime, ProcessCommandLine ) on DeviceId, AccountName, CreatedProcessSessionId | where ProcessCreationTime > TimeHIST | summarize NextTime=min(ProcessCreationTime), NextCommand=any(ProcessCommandLine) by DeviceId, AccountName, CreatedProcessSessionId, TimeHIST | order by TimeHIST desc | project DeviceId, AccountName, TimeHIST, NextTime, NextCommand

let hist_command = toscalar( DeviceProcessEvents | where ProcessCommandLine contains "HISTSIZE=0" | summarize max(Timestamp) ); DeviceProcessEvents | where Timestamp > hist_command | top 1 by Timestamp asc | project CommandLine = ProcessCommandLine

let disableHistoryCmd = DeviceProcessEvents | where ProcessCommandLine contains "export HISTSIZE=0" | project DeviceId, DeviceName, ProcessCommandLine, HistDisableTime=ProcessCreationTime; DeviceProcessEvents | join kind=inner (disableHistoryCmd) on DeviceId | where ProcessCreationTime > HistDisableTime | project ProcessCommandLine, NextCommandTime=ProcessCreationTime | top 1 by NextCommandTime asc

let linux = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId, DeviceName; // 1) History disabled via export in a shell command; get the first spawned child process (the next command) let hist_shell = DeviceProcessEvents | where DeviceId in (linux | project DeviceId) | where isnotempty(ProcessCommandLine) | where FileName in~ ("bash","sh","zsh","ksh","dash") | extend ShellTime = coalesce(ProcessCreationTime, TimeGenerated) | where ProcessCommandLine matches regex "(?i)(^|\\s)export\\s+HISTSIZE\\s*=\\s*0(?:\\s|;|&&|\\|\\||$)" | project DeviceId, ShellProcId=ProcessId, ShellCommand=ProcessCommandLine, ShellTime; let children = DeviceProcessEvents | extend ChildTime = coalesce(ProcessCreationTime, TimeGenerated) | project DeviceId, InitiatingProcessId, ChildTime, NextFile=FileName, NextCommand=ProcessCommandLine, ChildProcId=ProcessId; let next_after_export = hist_shell | join kind=inner (children) on $left.DeviceId == $right.DeviceId and $left.ShellProcId == $right.InitiatingProcessId | where ChildTime >= ShellTime and ChildTime <= ShellTime + 15m | summarize arg_min(ChildTime, *) by DeviceId, ShellProcId, ShellTime, ShellCommand | join kind=leftouter (linux) on DeviceId | project TimeOfHistOff=ShellTime, DeviceName, DeviceId, ShellCommand, NextCommandTime=ChildTime, NextFile, NextCommand; // 2) Inline form: HISTSIZE=0 <cmd>; extract the command following the assignment let inline_form = DeviceProcessEvents | where DeviceId in (linux | project DeviceId) | where isnotempty(ProcessCommandLine) | extend PTime = coalesce(ProcessCreationTime, TimeGenerated) | where ProcessCommandLine matches regex "(?i)^\\s*HISTSIZE\\s*=\\s*0\\s+.+$" | extend ExtractedNext = trim(' ', extract("(?i)^\\s*HISTSIZE\\s*=\\s*0\\s+(.+)$", 1, ProcessCommandLine)) | project TimeOfHistOff=PTime, DeviceName, DeviceId, ShellCommand=ProcessCommandLine, NextCommandTime=PTime, NextFile=FileName, NextCommand=ExtractedNext; union isfuzzy=true next_after_export, inline_form | order by TimeOfHistOff asc

let histEvents = DeviceProcessEvents | where Timestamp between (startofday(ago(30d)) .. now()) | where ProcessCommandLine has "HISTSIZE=0" or ProcessCommandLine has "export HISTSIZE=0" or ProcessCommandLine has "HISTSIZE= 0" | project DeviceName, Account = InitiatingProcessAccountName, Timestamp, ProcessCreationTime, ProcessId, ProcessCommandLine, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessFileName; histEvents | join kind=inner ( DeviceProcessEvents | where Timestamp between (startofday(ago(30d)) .. now()) | project DeviceName2 = DeviceName, Account2 = InitiatingProcessAccountName, Timestamp2 = Timestamp, ProcessCreationTime2 = ProcessCreationTime, ProcessId2 = ProcessId, ProcessCommandLine2 = ProcessCommandLine, FileName2 = FileName ) on $left.DeviceName == $right.DeviceName2 and $left.Account == $right.Account2 | where ProcessCreationTime2 > ProcessCreationTime and ProcessCreationTime2 <= ProcessCreationTime + 1m | summarize arg_min(ProcessCreationTime2, *) by ProcessId | project DeviceName, Account, HistEventTime = Timestamp, HistCommand = ProcessCommandLine, NextProcessTime = ProcessCreationTime2, NextProcessId = ProcessId2, NextCommand = ProcessCommandLine2, NextFile = FileName2 | order by NextProcessTime asc | take 10

let exports = DeviceProcessEvents | where (isnotempty(ProcessCommandLine) and tostring(ProcessCommandLine) contains "HISTSIZE=0") or (isnotempty(InitiatingProcessCommandLine) and tostring(InitiatingProcessCommandLine) contains "HISTSIZE=0") | project ExportTime = TimeGenerated, DeviceId, DeviceName, ExportAccount = AccountName, ExportProcessId = ProcessId, ExportCmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), ExportCreatedSessionId = CreatedProcessSessionId, ExportInitiatingSessionId = InitiatingProcessSessionId, ExportProcessCreationTime = ProcessCreationTime; let procs = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | project ProcTime = TimeGenerated, DeviceId, ProcAccount = AccountName, ProcId = ProcessId, ProcCmd = ProcessCommandLine, ProcCreatedSessionId = CreatedProcessSessionId, ProcInitiatingSessionId = InitiatingProcessSessionId, ProcCreationTime = ProcessCreationTime; // Find the nearest subsequent process on the same device that matches account or session (within 5 minutes) exports | join kind=inner procs on DeviceId | where ProcTime > ExportTime and ProcTime - ExportTime <= time(5m) | where ProcAccount == ExportAccount or ProcCreatedSessionId == ExportCreatedSessionId or ProcInitiatingSessionId == ExportInitiatingSessionId | summarize NextTime = min(ProcTime) by ExportTime, DeviceId, DeviceName, ExportAccount, ExportCmd, ExportCreatedSessionId, ExportInitiatingSessionId // Get the command line for that next process | join kind=inner procs on $left.DeviceId == $right.DeviceId and $left.NextTime == $right.ProcTime | project ExportTime, DeviceId, DeviceName, AccountName = ExportAccount, ExportCommand = ExportCmd, SubsequentCommand = ProcCmd, SubsequentProcTime = ProcTime, SubsequentProcessId = ProcId | order by ExportTime desc | take 50

let WindowSeconds = 10s; let hist = DeviceProcessEvents | where tostring(ProcessCommandLine) has_any ("HISTSIZE=0", "export HISTSIZE=0") or tostring(InitiatingProcessCommandLine) has_any ("HISTSIZE=0", "export HISTSIZE=0") | project Hist_Time = TimeGenerated, DeviceId, DeviceName, Hist_ProcessId = ProcessId, Hist_CommandLine = tostring(ProcessCommandLine), Hist_InitiatingProcessId = InitiatingProcessId, Hist_InitiatingProcessCommandLine = tostring(InitiatingProcessCommandLine), AccountName, AccountDomain; let next = DeviceProcessEvents | project Next_Time = TimeGenerated, DeviceId, Next_ProcessId = ProcessId, Next_CommandLine = tostring(ProcessCommandLine), Next_InitiatingProcessId = InitiatingProcessId, Next_InitiatingProcessCommandLine = tostring(InitiatingProcessCommandLine), AccountNameNext = AccountName, AccountDomainNext = AccountDomain; hist | join kind=inner (next) on DeviceId | where Next_Time > Hist_Time and Next_Time <= Hist_Time + WindowSeconds | summarize MinNextTime = min(Next_Time) by Hist_Time, DeviceId, DeviceName, Hist_ProcessId, Hist_CommandLine, Hist_InitiatingProcessCommandLine, AccountName, AccountDomain | join kind=inner ( next ) on $left.DeviceId == $right.DeviceId and $left.MinNextTime == $right.Next_Time | project DeviceName, DeviceId, HIST_Time = Hist_Time, Hist_ProcessId, Hist_CommandLine, Next_Time = MinNextTime, Next_ProcessId, Next_CommandLine, Next_InitiatingProcessCommandLine, AccountName, AccountDomain | order by HIST_Time desc

let Hist = DeviceProcessEvents | where (InitiatingProcessCommandLine contains_cs "export HISTSIZE=0" or ProcessCommandLine contains_cs "export HISTSIZE=0" or InitiatingProcessCommandLine contains_cs "HISTSIZE=0" or ProcessCommandLine contains_cs "HISTSIZE=0") | project HistoryTime = TimeGenerated, HistoryDeviceId = DeviceId, HistorySession = CreatedProcessSessionId, HistoryCmdLine = InitiatingProcessCommandLine, HistoryProc = InitiatingProcessFileName; let Nexts = DeviceProcessEvents | project NextTime = TimeGenerated, NextDeviceId = DeviceId, NextSession = CreatedProcessSessionId, NextCmdLine = InitiatingProcessCommandLine, NextProc = InitiatingProcessFileName; Hist | join kind=inner (Nexts) on $left.HistoryDeviceId == $right.NextDeviceId and $left.HistorySession == $right.NextSession | where NextTime > HistoryTime | summarize arg_min(NextTime, NextCmdLine, NextProc) by HistoryTime, HistoryDeviceId, HistorySession, HistoryCmdLine, HistoryProc | project HistoryTime, HistoryDeviceId, HistorySession, HistoryCmdLine, HistoryProc, NextTime, NextCmdLine, NextProc

let hist = DeviceProcessEvents | where InitiatingProcessFileName in ("bash","sh","zsh","dash") | where InitiatingProcessCommandLine contains "HISTSIZE=0" or InitiatingProcessCommandLine contains "export HISTSIZE=0" | project hist_time = InitiatingProcessCreationTime, hist_line = InitiatingProcessCommandLine, session = InitiatingProcessSessionId; let cand = DeviceProcessEvents | where InitiatingProcessFileName in ("bash","sh","zsh","dash") | project cand_time = InitiatingProcessCreationTime, cand_line = InitiatingProcessCommandLine, session = InitiatingProcessSessionId; hist | join kind=inner (cand) on session | where cand_time > hist_time | summarize next_time = min(cand_time) by hist_time, hist_line, session | join kind=inner (cand) on session | where cand_time == next_time | project hist_time, hist_line, next_command = cand_line | order by hist_time asc

DeviceProcessEvents | where Timestamp > ago(90d) | where ProcessCommandLine contains "HISTSIZE=0" or InitiatingProcessCommandLine contains "HISTSIZE=0" | project Timestamp, DeviceId, DeviceName, AccountName, HistoryDisableCommandLine = ProcessCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine | join kind=inner ( DeviceProcessEvents | where Timestamp > ago(90d) | project Timestamp, DeviceId, AccountName, NextCommandLine = ProcessCommandLine, NextTimestamp = Timestamp ) on DeviceId, AccountName | where NextTimestamp > Timestamp | summarize arg_min(NextTimestamp, NextCommandLine) by Timestamp, DeviceId, DeviceName, AccountName, HistoryDisableCommandLine, InitiatingCommandLine | project Timestamp, DeviceName, AccountName, HistoryDisableCommandLine, NextCommandLine, NextTimestamp | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine contains "export HISTSIZE=0" | project DeviceId, HistoryTime = TimeGenerated | join kind=inner ( DeviceProcessEvents ) on DeviceId | where TimeGenerated > HistoryTime | summarize arg_min(TimeGenerated, NextCommand=ProcessCommandLine) by DeviceId, HistoryTime | project NextCommand | distinct NextCommand

DeviceProcessEvents | where ActionType == "ProcessCreated" | order by DeviceId asc, TimeGenerated asc | serialize | extend NextCommandLine = next(ProcessCommandLine) | extend NextProcessTime = next(TimeGenerated) | where ProcessCommandLine has "export HISTSIZE=0" | project DeviceName, NextProcessTime, NextCommandLine | order by NextProcessTime asc

// Find processes where HISTSIZE was disabled let TurnOffHistory = DeviceProcessEvents | where ProcessCommandLine has "export HISTSIZE=0" | project DeviceId, AccountSid, TurnOffTime=ProcessCreationTime; // Join against all DeviceProcessEvents to find the earliest next command TurnOffHistory | join kind=inner ( DeviceProcessEvents | project DeviceId, AccountSid, ProcessCreationTime, ProcessCommandLine ) on DeviceId, AccountSid | where ProcessCreationTime > TurnOffTime | summarize arg_min(ProcessCreationTime, *) by DeviceId, AccountSid, TurnOffTime | project DeviceId, AccountSid, TurnOffTime, NextCommand=ProcessCommandLine

// Find the very first process that ran after the operator turned off bash history (export HISTSIZE=0) // Time range is controlled by the surrounding workbook / hunting page and will be supplied automatically let HistoryOffEvents = DeviceProcessEvents | where ProcessCommandLine matches regex @"\bexport\b.*\bHISTSIZE\s*=\s*0\b" | project DeviceId, SessionId = InitiatingProcessSessionId, HistOffTime = TimeGenerated, HistOffCmd = ProcessCommandLine; // For each “history-off” event, get the next command seen in the same device + shell session DeviceProcessEvents | extend SessionId = InitiatingProcessSessionId | join kind=inner (HistoryOffEvents) on DeviceId, SessionId | where TimeGenerated > HistOffTime // only events occurring after the export | summarize arg_min(TimeGenerated, ProcessCommandLine) // pick the earliest one after the export by DeviceId, SessionId, HistOffTime, HistOffCmd | project DeviceId, SessionId, HistOffTime, HistOffCmd, NextCommandTime = TimeGenerated, NextCommand = ProcessCommandLine | order by HistOffTime asc

let disableEvents = DeviceProcessEvents | where InitiatingProcessCommandLine contains "export HISTSIZE=0" | project CreatedProcessSessionId, disable_time = ProcessCreationTime; DeviceProcessEvents | join kind=inner (disableEvents) on CreatedProcessSessionId | where ProcessCreationTime > disable_time | summarize nextCmd = arg_min(ProcessCreationTime, ProcessCommandLine) by CreatedProcessSessionId, disable_time | project nextCmd

let disableEvents = DeviceProcessEvents | where ProcessCommandLine contains "HISTSIZE=0" | project DeviceId, DisableTime = ProcessCreationTime, DisableCommand = ProcessCommandLine; let subsequentCommands = DeviceProcessEvents | project DeviceId, ProcessCreationTime, NextCommand = ProcessCommandLine; disableEvents | join kind=inner (subsequentCommands) on DeviceId | where ProcessCreationTime > DisableTime | summarize FirstSubsequentCommand = arg_min(ProcessCreationTime, NextCommand) by DeviceId, DisableTime, DisableCommand | project DeviceId, DisableTime, DisableCommand, FirstSubsequentCommand | limit 1

let histOff = DeviceProcessEvents | where ProcessCommandLine has "HISTSIZE=0" | project DeviceId, Session = CreatedProcessSessionId, histTime = TimeGenerated; histOff | join kind=inner ( DeviceProcessEvents | project DeviceId, Session = CreatedProcessSessionId, nextTime = TimeGenerated, nextCmd = ProcessCommandLine ) on DeviceId, Session | where nextTime > histTime | summarize arg_min(nextTime, nextCmd) by DeviceId, Session | project DeviceId, CommandRunAfterHistOff = nextCmd, TimeRun = nextTime