Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in ("date", "timedatectl") | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where ProcessCommandLine has 'date' or ProcessCommandLine has 'timedatectl' or ProcessCommandLine has 'hwclock' | where (FolderPath contains '/bin' or FolderPath contains '/usr') | distinct DeviceName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessCommandLine, InitiatingProcessParentFileName | limit 100

DeviceProcessEvents | where FileName in~ ('date', 'timedatectl', 'hwclock', 'cat') and (ProcessCommandLine has_any ('timedatectl', 'date', 'hwclock', '/etc/timezone', '/etc/localtime')) // If possible, join to DeviceInfo to further restrict to Linux //| join kind=inner (DeviceInfo | where OSPlatform =~ 'Linux') on DeviceId | extend CmdLower = tolower(ProcessCommandLine) | where CmdLower has_any ('timedatectl', 'date', 'hwclock', 'cat /etc/timezone', 'cat /etc/localtime') | project TimeGenerated, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine | sort by TimeGenerated desc | summarize arg_min(TimeGenerated, *) by ProcessCommandLine, DeviceId | take 100

// Collect observed process execution events related to time and timezone information being queried on the host let processEvents = DeviceProcessEvents | where ProcessCommandLine contains "date" or ProcessCommandLine contains "timedatectl"; // Output collected process execution events processEvents | extend ProvidesTimeInfo = true | project AccountName, AccountDomain, DeviceName, Timestamp, FileName, InitiatingProcessCommandLine, ProvidesTimeInfo, ProcessCommandLine // Return up to the first 1 record from the filtered results | limit 1

DeviceProcessEvents | where ProcessCommandLine matches regex @"(?i)\b(date|timedatectl|hwclock|cat\s+/etc/timezone)\b" | project DeviceName, ProcessCreationTime, ProcessCommandLine | order by ProcessCreationTime desc

let linux = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, DeviceName; let tz_execs = dynamic(["timedatectl","hwclock","zdump","tzselect","chronyc","ntpq","ntpstat"]); let tz_paths = dynamic(["/etc/localtime","/etc/timezone","/usr/share/zoneinfo","/etc/sysconfig/clock","/etc/adjtime","/proc/driver/rtc","/proc/rtc"]); let tz_readers = dynamic(["readlink","realpath","stat","ls","file","cat","grep","strings"]); let date_flags = dynamic(["+%Z","+%z","-R","--rfc-2822","--rfc-3339"]); DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=innerunique linux on DeviceId | where FileName in~ (tz_execs) or (FileName =~ "date" and ProcessCommandLine has_any (date_flags)) or (ProcessCommandLine matches regex @"\bdate(\.utc)?\b.*(\+%Z|\+%z|--rfc-3339|--rfc-2822|-R)") or (FileName in~ (tz_readers) and ProcessCommandLine has_any (tz_paths)) or (ProcessCommandLine matches regex @"\bTZ=[^ \t;]+") or (FileName in~ ("sh","bash","sudo") and ProcessCommandLine has_any (tz_execs)) | extend FullCommand = coalesce(ProcessCommandLine, strcat(FolderPath, "/", FileName)) | summarize arg_max(TimeGenerated, *) by DeviceId, ProcessId, FullCommand | project-rename LastSeen = TimeGenerated | project LastSeen, DeviceName, DeviceId, AccountName, FileName, FullCommand, InitiatingProcessParentFileName, InitiatingProcessCommandLine | order by LastSeen desc | take 1000

// Regex for common Linux time/timezone commands (case-insensitive) let time_regex = @"(?i)\b(date|/bin/date|timedatectl|timedatectl\s+status|hwclock|/usr/sbin/hwclock|/sbin/hwclock|zdump|readlink|cat\s+/etc/(?:timezone|localtime)|ls\s+-l\s+/etc/localtime)\b"; // Search DeviceProcessEvents and DeviceEvents for matching command lines union isfuzzy=true ( DeviceProcessEvents | project SourceTable = "DeviceProcessEvents", Timestamp, DeviceName, DeviceId, AccountName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ), ( DeviceEvents | project SourceTable = "DeviceEvents", Timestamp, DeviceName, DeviceId, AccountName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ) | extend Cmd = coalesce(tostring(ProcessCommandLine), tostring(InitiatingProcessCommandLine)) | where isnotempty(Cmd) | where Cmd matches regex time_regex | extend Matched = extract(time_regex, 1, Cmd) | summarize LatestTimestamp = max(Timestamp), AnyDeviceName = any(DeviceName), AnyAccount = any(AccountName), AnyProcessId = any(ProcessId), AnyProcessCreationTime = any(ProcessCreationTime), AnyFileName = any(FileName), AnyInitiatingProcessFileName = any(InitiatingProcessFileName), AnyInitiatingProcessCommandLine = any(tostring(InitiatingProcessCommandLine)) by DeviceId, Cmd | project DeviceId, DeviceName = AnyDeviceName, Time = LatestTimestamp, Account = AnyAccount, ProcessId = AnyProcessId, ProcessCreationTime = AnyProcessCreationTime, FileName = AnyFileName, FullCommandLine = Cmd, InitiatingProcessFileName = AnyInitiatingProcessFileName, InitiatingProcessCommandLine = AnyInitiatingProcessCommandLine | order by Time desc | take 200

// Find Linux processes that queried system time or timezone let time_cmds = dynamic(["date","timedatectl","/etc/timezone","/etc/localtime","readlink","hwclock","chronyc","timedatectl status","date -R","date --rfc-2822","timedatectl show"]); // Search DeviceProcessEvents first (recommended) and fall back to DeviceEvents let dp = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where TimeGenerated >= ago(30d) | where tolower(ProcessCommandLine) has_any (dynamic(["date","timedatectl","/etc/timezone","/etc/localtime","readlink","hwclock","chronyc"])) | extend Matched = extract(@"(?i)(date[^\n]*|timedatectl[^\n]*|readlink[^\n]*|/etc/timezone[^\n]*|/etc/localtime[^\n]*|hwclock[^\n]*|chronyc[^\n]*)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, AccountName, AccountDomain, Matched, ReportId; let de = DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | where TimeGenerated >= ago(30d) | where (tolower(ProcessCommandLine) has_any (dynamic(["date","timedatectl","/etc/timezone","/etc/localtime","readlink","hwclock","chronyc"])) or tolower(InitiatingProcessCommandLine) has_any (dynamic(["date","timedatectl","/etc/timezone","/etc/localtime","readlink","hwclock","chronyc"]))) | extend FullCommand = iff(isnotempty(ProcessCommandLine), ProcessCommandLine, InitiatingProcessCommandLine) | extend Matched = extract(@"(?i)(date[^\n]*|timedatectl[^\n]*|readlink[^\n]*|/etc/timezone[^\n]*|/etc/localtime[^\n]*|hwclock[^\n]*|chronyc[^\n]*)", 1, FullCommand) | project TimeGenerated, DeviceName, ProcessId, FileName, FullCommand, AccountName = coalesce(AccountName, InitiatingProcessAccountName), AccountDomain = coalesce(AccountDomain, InitiatingProcessAccountDomain), Matched, ReportId; union dp, de | sort by TimeGenerated desc | distinct TimeGenerated, DeviceName, ProcessId, FileName, FullCommand = coalesce(ProcessCommandLine, FullCommand), AccountName, AccountDomain, Matched, ReportId | take 100

// Search for commands that query system time/timezone on Linux hosts // Adjust the time range using the query tool UI or add a where TimeGenerated filter let timeKeywordsRegex = @"\b(date|timedatectl|hwclock|tzselect|zdump|chronyc|clock|clock_gettime|timedatectl\s+show|timedatectl\s+status|timedatectl\s+list-timezones)\b|/etc/(timezone|localtime)"; ( DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // Heuristic to focus on Linux-like hosts: device name contains linux or command line contains a Unix path | where tolower(DeviceName) contains "linux" or ProcessCommandLine contains "/" or FileName startswith "/" // Look for common time/timezone utilities, files, and flags using regex | where (ProcessCommandLine has " " and tolower(ProcessCommandLine) matches regex tolower(timeKeywordsRegex)) or tolower(FileName) matches regex tolower(timeKeywordsRegex) or tolower(ProcessCommandLine) matches regex tolower(timeKeywordsRegex) | extend SourceTable = "DeviceProcessEvents" | project TimeGenerated, DeviceName, AccountName, AccountDomain, ProcessCreationTime, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SourceTable, ReportId ) | union ( DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where tolower(DeviceName) contains "linux" or ProcessCommandLine contains "/" or FileName startswith "/" | where (ProcessCommandLine has " " and tolower(ProcessCommandLine) matches regex tolower(timeKeywordsRegex)) or tolower(FileName) matches regex tolower(timeKeywordsRegex) or tolower(ProcessCommandLine) matches regex tolower(timeKeywordsRegex) | extend SourceTable = "DeviceEvents" | project TimeGenerated, DeviceName, AccountName, AccountDomain, ProcessCreationTime, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SourceTable, ReportId ) | sort by TimeGenerated desc | take 200

let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" or OSDistribution has "Linux" | project DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where InitiatingProcessCommandLine has_any ("date","timedatectl","localectl","clock","hwclock","gettimeofday") | extend InitiatingFullPath = strcat(InitiatingProcessFolderPath, "/", InitiatingProcessFileName) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingFullPath, InitiatingProcessCommandLine, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated between (ago(1d) .. now()) | where (InitiatingProcessCommandLine has_any ("date","timedatectl","localtime","/etc/localtime","readlink /etc/localtime","cat /etc/timezone","date +%Z","date +%Z%z")) or (ProcessCommandLine has_any ("date","timedatectl","localtime","/etc/localtime","readlink /etc/localtime","cat /etc/timezone","date +%Z","date +%Z%z")) | extend FullCmd = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, FullCmd, InitiatingProcessFileName, InitiatingProcessCreationTime, InitiatingProcessId, ProcessId | sort by TimeGenerated asc

DeviceProcessEvents | where ProcessCommandLine has_any ('date', 'timedatectl', 'hwclock', 'timezone') | join kind=inner ( DeviceInfo | where OSPlatform contains 'Linux' ) on DeviceId | project DeviceName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine | order by ProcessCreationTime desc | top 50 by ProcessCreationTime desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in ( DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId ) | where FileName in~ ("date","timedatectl","hwclock") or ProcessCommandLine has_any ("date","timedatectl","hwclock","/etc/timezone","/etc/localtime","tz") | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=leftsemi ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId ) on DeviceId | where FileName in~ ("date", "timedatectl") or ProcessCommandLine has_any ("date", "timedatectl", "time", "timezone", "tz") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | order by TimeGenerated desc

// ============================================================================ // Linux – commands that enumerate system time or timezone // Time range is injected by the workbook / hunting blade // ============================================================================ let TZ_Keywords = dynamic([ "/etc/timezone", // Debian/Ubuntu timezone file "/etc/localtime", // symlink to tz database "/usr/share/zoneinfo", // location of tz databases "/etc/sysconfig/clock", // RHEL/CentOS TZ config "/proc/driver/rtc" // kernel RTC interface ]); let DateWithOptions = @"\bdate(\s+[-+%]|$)"; // date followed by a switch or format string // --------------------------------------------------------------------------------- let LinuxDevices = DeviceInfo | where OSPlatform =~ "linux" | project DeviceId, DeviceName; DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (LinuxDevices) on DeviceId | extend cmd_l = tolower(ProcessCommandLine) // ----------- filters that indicate time / timezone enumeration --------------- | where FileName in~ ("timedatectl", "hwclock", "zdump") or cmd_l has_any (TZ_Keywords) or (FileName =~ "date" and cmd_l matches regex DateWithOptions) // ------------------------------------------------------------------------------ | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by DeviceName, DeviceId, AccountName, FileName, ProcessCommandLine | order by LastSeen desc | project-reorder LastSeen, DeviceName, AccountName, FileName, ProcessCommandLine, ExecCount, FirstSeen

DeviceProcessEvents | where ProcessCommandLine has "date" or ProcessCommandLine has "timedatectl" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has_cs "date" or ProcessCommandLine has_cs "timedatectl" | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc