Question Analysis

let ShadowRedirects = DeviceProcessEvents | join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId | where OSPlatform =~ "Linux" | where ActionType == "ProcessCreated" | where ProcessCommandLine has "/etc/shadow" and (ProcessCommandLine contains '>' or ProcessCommandLine has 'tee') // Extract redirection targets: >, >>, 1>, 1>> with optional quotes | extend redirect_dq = extract(@'(?:(?:^|[\s;|&]))(?:\d?>{1,2})\s*"(.*?)"', 1, ProcessCommandLine) | extend redirect_sq = extract(@'(?:(?:^|[\s;|&]))(?:\d?>{1,2})\s*''([^'']+)''', 1, ProcessCommandLine) | extend redirect_uq = extract(@'(?:(?:^|[\s;|&]))(?:\d?>{1,2})\s*([^\s;|&]+)', 1, ProcessCommandLine) // Extract tee target (first non-option arg after tee) | extend tee_dq = extract(@'\btee\b\s+(?:-[A-Za-z-]+\s+)*"(.*?)"', 1, ProcessCommandLine) | extend tee_sq = extract(@'\btee\b\s+(?:-[A-Za-z-]+\s+)*''([^'']+)''', 1, ProcessCommandLine) | extend tee_uq = extract(@'\btee\b\s+(?:-[A-Za-z-]+\s+)*([^\s;|&]+)', 1, ProcessCommandLine) | extend OutputPath = coalesce(redirect_dq, redirect_sq, redirect_uq, tee_dq, tee_sq, tee_uq) | where isnotempty(OutputPath) // Elevated process heuristics | where tolower(AccountName) == "root" or tolower(InitiatingProcessAccountName) == "root" or tostring(ProcessTokenElevation) =~ "Elevated" or tostring(InitiatingProcessTokenElevation) =~ "Elevated" or ProcessCommandLine has "sudo " or ProcessCommandLine has "su -c" | extend OutputFileName = tostring(extract(@'([^/\\]+)$', 1, OutputPath)) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine, OutputPath, OutputFileName; // Report the file name(s) used to store results ShadowRedirects | summarize Events=count(), Devices=dcount(DeviceId), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by OutputFileName, OutputPath | order by LastSeen desc

let shadow_patterns = dynamic(["/etc/shadow","etc/shadow","shadow"]); // Find process events where the initiating process command line reads /etc/shadow and uses redirection DeviceProcessEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) | where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) | extend cmd = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | where cmd has "/etc/shadow" or cmd has "etc/shadow" | where cmd matches regex @"[>]{1,2}\s*[^\s]+$" or cmd contains ">" or cmd contains ">>" | extend redirected = extract(@"[>]{1,2}\s*([^\s]+)$", 1, cmd) | extend redirected = trim('\"''', redirected) | extend InitiatingAccount = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName) | project TimeGenerated, DeviceName, InitiatingAccount, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ProcessCommandLine, redirected | where isnotempty(redirected) | summarize any(InitiatingProcessFileName), any(DeviceName), any(InitiatingAccount), any(InitiatingProcessId), make_set(redirected) by redirected | order by tostring(redirected) asc // Additionally, search DeviceFileEvents for writes that could be the target file | union ( DeviceFileEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) | where ActionType in ("FileCreated", "FileModified", "FileWritten", "FileCreatedByProcess") or FileName has_any ("shadow", "shadow_export") | extend fullpath = strcat(FolderPath, "/", FileName) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, fullpath ) | summarize by redirected

let LinuxDevices = DeviceInfo | where OSPlatform startswith "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) // Command reads /etc/shadow and uses a redirection operator | where ProcessCommandLine has "/etc/shadow" and ProcessCommandLine contains ">" // Running with elevated privileges | extend IsElevated = iff(tolower(AccountName) == "root" or tolower(InitiatingProcessAccountName) == "root" or tostring(ProcessTokenElevation) contains "Elevated" or tostring(ProcessTokenElevation) contains "Root", true, false) | where IsElevated // Extract the file name/path that receives the redirected output | extend RedirectedFile = trim('"\'"', tostring(extract(@"(?:>>?)\s*([^\s]+)", 1, ProcessCommandLine))) | where isnotempty(RedirectedFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, RedirectedFile | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "/etc/shadow" and ProcessCommandLine contains ">" | extend output_file = extract(@">\s*(\S+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessCommandLine, output_file | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "/etc/shadow" | where InitiatingProcessCommandLine contains ">" | extend output_file = extract(@">\s*([^\s]+)", 1, InitiatingProcessCommandLine) | where isnotempty(output_file) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, output_file | distinct output_file

DeviceProcessEvents // Only processes run by root | where AccountName == "root" // Look for reading /etc/shadow and using shell redirection (> or >>) | where ProcessCommandLine has "/etc/shadow" and ProcessCommandLine matches regex @"\>{1,2}" // Extract the path/file following the redirection operator | extend OutputFile = extract(@"\>{1,2}\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(OutputFile) // Show relevant fields | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, OutputFile // Summarize to see unique files and their timelines | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count() by OutputFile, DeviceName, AccountName | order by LastSeen desc

DeviceProcessEvents | where ProcessCommandLine contains "/etc/shadow" | where ProcessCommandLine matches regex @">\s*\S+" | where InitiatingProcessAccountName == "root" | extend OutputFile = extract(@">\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(OutputFile) | distinct OutputFile