Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains 'find /usr/bin -perm -4000'

DeviceProcessEvents | where ProcessCommandLine contains 'find' and ProcessCommandLine contains '/usr/bin' and ProcessCommandLine contains '-perm -4000' | project DeviceName, AccountName, ProcessCommandLine | distinct ProcessCommandLine

DeviceProcessEvents | where FileName == "find" | where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has_any ("-perm /4000", "-perm -4000", "-perm +4000") | project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, FolderPath, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has "find" and ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "find" and ProcessCommandLine contains "/usr/bin" and ProcessCommandLine contains "-perm" and ProcessCommandLine contains "4000" or InitiatingProcessCommandLine contains "find" and InitiatingProcessCommandLine contains "/usr/bin" and InitiatingProcessCommandLine contains "-perm" and InitiatingProcessCommandLine contains "4000" | project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName; let ProcessFind = DeviceProcessEvents | where FileName =~ "find" or ProcessCommandLine contains "find" | where ProcessCommandLine contains "/usr/bin" | where ProcessCommandLine contains "-perm" | where ProcessCommandLine contains "-4000" or ProcessCommandLine contains "/4000" or ProcessCommandLine contains "u=s" or ProcessCommandLine contains "u+s" | join kind=inner LinuxDevices on DeviceId | project Timestamp, DeviceId, DeviceName, AccountName, CommandLine=ProcessCommandLine, Source="DeviceProcessEvents"; let SyslogFind = DeviceEvents | join kind=inner LinuxDevices on DeviceId | extend SyslogText = coalesce(tostring(AdditionalFields.Message), tostring(AdditionalFields.msg), tostring(AdditionalFields.SyslogMessage), tostring(AdditionalFields.EventText), tostring(AdditionalFields.audispd_raw), tostring(AdditionalFields.rawlog), tostring(AdditionalFields)) | where isnotempty(SyslogText) | where SyslogText contains "find" and SyslogText contains "/usr/bin" and SyslogText contains "-perm" | where SyslogText contains "-4000" or SyslogText contains "/4000" or SyslogText contains "u=s" or SyslogText contains "u+s" | project Timestamp, DeviceId, DeviceName, AccountName, CommandLine=SyslogText, Source="DeviceEvents(Syslog/Audit)"; let Results = union ProcessFind, SyslogFind; Results | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), ExecCount=count(), Devices=make_set(DeviceName, 100) by CommandLine | order by LastSeen desc

// Find invocations of 'find' scanning /usr/bin for setuid files across process and syslog-like events // Timerange is provided by external function caller let findCmdPatterns = dynamic([ "find /usr/bin -perm -4000", "find /usr/bin -perm /4000", "find /usr/bin -perm -u=s", "find /usr/bin -type f -perm -4000", "find /usr/bin -type f -perm /u=s", "find /usr/bin -perm -g=s", "find /usr/bin -perm -o=s", "find /usr/bin -perm /u=s", "find /usr/bin -name '*suid*'" ]); // Helper: match any of the patterns case-insensitively let matchesPattern = (s:string) { tolower(s) | where s contains "find /usr/bin" and ( s contains "-perm" or s contains "-u=s" or s contains "-g=s" or s contains "-o=s" or s contains "-type f" ) }; // Search DeviceProcessEvents which most reliably contains full process command lines DeviceProcessEvents | where isnotempty(ProcessCommandLine) and tolower(FileName) contains "find" | where ProcessCommandLine contains "/usr/bin" or ProcessCommandLine contains " /usr/bin" or ProcessCommandLine contains "find /usr/bin" | where ProcessCommandLine contains "-perm" or ProcessCommandLine contains "-u=s" or ProcessCommandLine contains "-g=s" or ProcessCommandLine contains "-o=s" or ProcessCommandLine contains "-type" | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId | extend Source = "DeviceProcessEvents" // Also search DeviceEvents (syslog-ish) where command lines may be logged in AdditionalFields or ProcessCommandLine/InitiatingProcessCommandLine | union ( DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(AdditionalFields) | extend AF = tostring(AdditionalFields) | where (tolower(FileName) has "find") or (isnotempty(ProcessCommandLine) and (ProcessCommandLine contains "find /usr/bin" or ProcessCommandLine contains "/usr/bin -perm")) or (isnotempty(InitiatingProcessCommandLine) and (InitiatingProcessCommandLine contains "find /usr/bin" or InitiatingProcessCommandLine contains "/usr/bin -perm")) or (AF contains "find /usr/bin" or AF contains "-perm -4000" or AF contains "-perm /4000" or AF contains "-u=s") | project TimeGenerated, DeviceName, AccountName, ProcessId = InitiatingProcessId, ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, AF), InitiatingProcessFileName, FileName, FolderPath, ReportId | extend Source = "DeviceEvents" ) | distinct DeviceName, TimeGenerated, AccountName, ProcessId, ProcessCommandLine, Source, InitiatingProcessFileName, FileName, FolderPath, ReportId | order by TimeGenerated desc | limit 100

// Find invocations of 'find' scanning /usr/bin for setuid files let tstart = ago(7d); // DeviceProcessEvents: primary source for Linux process command lines let p = DeviceProcessEvents | where TimeGenerated >= tstart | where isnotempty(ProcessCommandLine) | extend Cmd = tostring(ProcessCommandLine), Account = coalesce(AccountName, InitiatingProcessAccountName) | project TimeGenerated, DeviceName, DeviceId, ProcessId, FileName, Cmd, Account; // DeviceEvents: may include ProcessCommandLine, InitiatingProcessCommandLine, or AdditionalFields let e = DeviceEvents | where TimeGenerated >= tstart | extend Cmd = coalesce(tostring(ProcessCommandLine), tostring(InitiatingProcessCommandLine), tostring(AdditionalFields)), Account = coalesce(AccountName, InitiatingProcessAccountName) | where isnotempty(Cmd) | project TimeGenerated, DeviceName, DeviceId, ProcessId = tolong(InitiatingProcessId), FileName, Cmd, Account; // DeviceFileEvents: initiating process command line let f = DeviceFileEvents | where TimeGenerated >= tstart | where isnotempty(InitiatingProcessCommandLine) | extend Cmd = tostring(InitiatingProcessCommandLine), Account = InitiatingProcessAccountName | project TimeGenerated, DeviceName, DeviceId, ProcessId = tolong(InitiatingProcessId), FileName, Cmd, Account; union p, e, f | extend lcCmd = tolower(Cmd) | where lcCmd contains "find" and (lcCmd contains "/usr/bin" or lcCmd contains "-perm" or lcCmd contains "4000" or lcCmd contains "u=s") | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), DeviceIds=make_set(DeviceId) by FullCommand = Cmd | order by FirstSeen desc | project FirstSeen, LastSeen, Count, Devices, DeviceIds, FullCommand | take 200

// Find invocations of `find` that target /usr/bin or use -perm/setuid patterns DeviceProcessEvents | where isnotempty(ProcessCommandLine) | extend cmd = tolower(ProcessCommandLine) | where cmd has 'find' and (cmd has '/usr/bin' or cmd has '-perm' or cmd has '4000' or cmd has '-u=s' or cmd has 'setuid' or cmd has '-type f') | extend FullCommand = trim(' ', ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessId, FullCommand, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable = 'DeviceProcessEvents' | union ( DeviceEvents | extend rawCmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields), '') | where rawCmd != '' | extend cmd = tolower(rawCmd) | where cmd has 'find' and (cmd has '/usr/bin' or cmd has '-perm' or cmd has '4000' or cmd has '-u=s' or cmd has 'setuid' or cmd has '-type f') | extend FullCommand = trim(' ', rawCmd) | project TimeGenerated, DeviceName, ProcessId, FullCommand, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable = 'DeviceEvents' ) | sort by TimeGenerated desc | distinct FullCommand, DeviceName, ProcessId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable | take 200

let startTime = ago(1d); let endTime = now(); let linux_find_process = DeviceProcessEvents | where TimeGenerated between (startTime .. endTime) | where InitiatingProcessCommandLine contains "find" | where InitiatingProcessCommandLine contains "/usr/bin" | where InitiatingProcessCommandLine contains "-perm" and ((InitiatingProcessCommandLine contains "4000") or (InitiatingProcessCommandLine contains "-4000")) | join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId | where OSPlatform contains "Linux" | project TimeGenerated, DeviceName, OSPlatform, CommandLine = InitiatingProcessCommandLine; let linux_syslog = DeviceEvents | where TimeGenerated between (startTime .. endTime) | where Type has "Syslog" | extend SyslogText = tostring(AdditionalFields) | where SyslogText contains "find" and SyslogText contains "/usr/bin" | join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId | where OSPlatform contains "Linux" | project TimeGenerated, DeviceName, OSPlatform, CommandLine = SyslogText; linux_find_process | union linux_syslog | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend CmdLine = iff(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine) | where tolower(CmdLine) contains "find" | where tolower(CmdLine) contains "/usr/bin" | where (tolower(CmdLine) contains "-perm" and (tolower(CmdLine) contains "4000" or tolower(CmdLine) contains "04000")) or (tolower(CmdLine) contains "setuid") | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, CmdLine | sort by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated > ago(30d) | where FileName == 'find' | where ProcessCommandLine contains '/usr/bin' | where ProcessCommandLine contains '-perm -4000' or ProcessCommandLine contains '-perm -u=s' | project Timestamp, DeviceName, AccountName, ProcessCommandLine | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine contains "find" and ProcessCommandLine contains "/usr/bin" and ProcessCommandLine contains "-perm" | project TimeGenerated, DeviceName, DeviceId, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" ) on DeviceId | where FileName endswith "find" | where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm" and ProcessCommandLine has "4000" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName =~ "find" or ProcessCommandLine contains "find" | where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm" | where ProcessCommandLine has "4000" or ProcessCommandLine has "u=s" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

// --- Find invocations of the "find" utility that search /usr/bin for set-uid files let cmdRegex = @"-perm\s+(-?[0-7]*4000|/[0-7]*4000|u=s)"; let LinuxDevices = union isfuzzy=true ( DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId ) ; union isfuzzy=true ( DeviceProcessEvents | where DeviceId in (LinuxDevices) // limit to Linux hosts | where FileName == "find" | where ProcessCommandLine has "/usr/bin" | where ProcessCommandLine matches regex cmdRegex | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine = ProcessCommandLine, InitiatingProcessCommandLine ), ( Syslog | where SyslogMessage has "find" and SyslogMessage has "/usr/bin" | where SyslogMessage matches regex cmdRegex | project TimeGenerated, DeviceName = Computer, DeviceId = tostring(extract("deviceId=([0-9A-Fa-f-]+)", 1, _ResourceId)), AccountDomain = "", AccountName = User, FullCommandLine = SyslogMessage, InitiatingProcessCommandLine = "" ) | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "find" and InitiatingProcessCommandLine has "/usr/bin" and (InitiatingProcessCommandLine contains "4000" or InitiatingProcessCommandLine contains "setuid") | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "find" and InitiatingProcessCommandLine has "/usr/bin" | where InitiatingProcessCommandLine has "-perm" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId ) on DeviceId // Look for the 'find' binary and arguments scanning /usr/bin for setuid files | where FileName == "find" | where ProcessCommandLine contains "/usr/bin" | where ProcessCommandLine contains "-perm" | where ProcessCommandLine contains "4000" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine | sort by TimeGenerated desc