Question Analysis

let threshold = 10; // Minimum count value we consider 'large' let PingProcs = DeviceProcessEvents | where FileName == "ping" | extend CountVal = toint(extract("-c +([0-9]+)", 1, ProcessCommandLine)) | where isnotnull(CountVal) and CountVal >= threshold | project DeviceId, DeviceName, AccountName, AccountDomain, SessionId=CreatedProcessSessionId, PingProcessId=ProcessId, PingCommand=ProcessCommandLine, PingStart=ProcessCreationTime, PingCount=CountVal, PingEnd=ProcessCreationTime + 1s * CountVal; DeviceProcessEvents | where ProcessCreationTime > ago(30d) // Remove or adapt timerange as needed | project DeviceId, DeviceName, AccountName, AccountDomain, ProcessId, ProcessCommandLine, ProcessCreationTime, SessionId=CreatedProcessSessionId | join kind=inner ( PingProcs ) on DeviceId, DeviceName, AccountName, AccountDomain, SessionId | where ProcessCreationTime > PingEnd and ProcessCreationTime < PingEnd + 2m // Next process soon after ping | extend dt = ProcessCreationTime - PingEnd | summarize NextProcessTime=min(ProcessCreationTime) by DeviceName, AccountName, SessionId, PingProcessId, PingCommand, PingStart, PingEnd, PingCount, DeviceId, AccountDomain | join kind=inner ( DeviceProcessEvents | project DeviceId, DeviceName, AccountName, CreatedProcessSessionId, ProcessCreationTime, ProcessCommandLine, ProcessId ) on $left.DeviceId == $right.DeviceId and $left.DeviceName == $right.DeviceName and $left.AccountName == $right.AccountName and $left.SessionId == $right.CreatedProcessSessionId and $left.NextProcessTime == $right.ProcessCreationTime | project DeviceName, AccountName, PingCommand, PingStart, PingEnd, PingCount, NextCommand=ProcessCommandLine, NextStart=ProcessCreationTime | sort by PingEnd asc

DeviceProcessEvents | where InitiatingProcessCommandLine contains "ping" and InitiatingProcessCommandLine matches regex @"\-c \d{2,}" | project InitiatingProcessCommandLine, ProcessCommandLine, ProcessCreationTime | sort by ProcessCreationTime asc | extend SubsequentProcess = next(ProcessCommandLine)

let count_threshold = 30; // minimum -c value to consider a 'large' delay let tolerance = 2s; // small clock/timing tolerance let linux_device_ids = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; // Identify ping processes used as a delay and estimate their expected duration let ping_candidates = DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linux_device_ids) | where FileName in~ ("ping","ping6") or ProcessCommandLine matches regex @"(?i)(^|[\s/])ping6?\s" | extend PingCount = toint(extract(@"(?i)(?:^|\s)-c\s*([0-9]+)", 1, ProcessCommandLine)) | where isnotnull(PingCount) and PingCount >= count_threshold | extend PingIntervalRaw = todouble(extract(@"(?i)(?:^|\s)-i\s*([0-9]*\.?[0-9]+)", 1, ProcessCommandLine)) | extend IntervalEffSec = iif(isnull(PingIntervalRaw) or PingIntervalRaw < 1.0, 1.0, PingIntervalRaw) | extend ExpectedDelaySec = tolong(ceiling(PingCount * IntervalEffSec)) | extend ExpectedDelay = ExpectedDelaySec * 1s | extend CommandAfterPing = trim(" '\"", extract(@"(?i)ping\b[^;&|]*?(?:;|&&)\s*([^;&|]+)", 1, InitiatingProcessCommandLine)) | project DeviceId, DeviceName, PingProcTime=ProcessCreationTime, PingPID=ProcessId, PingCmd=ProcessCommandLine, PingCount, IntervalEffSec, ExpectedDelay, ReadyAfter=ProcessCreationTime + ExpectedDelay, ShellParentId=InitiatingProcessId, ShellParentName=InitiatingProcessFileName, ShellParentCmd=InitiatingProcessCommandLine, CommandAfterPing; // All subsequent processes created by the same parent shell let next_procs = DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linux_device_ids) | project DeviceId, InitiatingProcessId, NextProcTime=ProcessCreationTime, NextProcId=ProcessId, NextProcName=FileName, NextProcCmd=ProcessCommandLine; // For each ping delay, find the earliest sibling process that starts at/after the expected delay let next_after_delay = ping_candidates | join kind=leftouter next_procs on DeviceId, $left.ShellParentId == $right.InitiatingProcessId | where NextProcTime >= ReadyAfter - tolerance | where NextProcName !in~ ("ping","ping6") | summarize arg_min(NextProcTime, *) by DeviceId, ShellParentId, PingPID, PingProcTime; // Final output with the command executed immediately after the ping delay ping_candidates | join kind=leftouter next_after_delay on DeviceId, ShellParentId, PingPID, PingProcTime | extend ImmediatelyAfterPing_Command = coalesce(NextProcCmd, CommandAfterPing) | where isnotempty(ImmediatelyAfterPing_Command) | project PingProcTime, DeviceName, PingCmd, PingCount, Interval=toint(IntervalEffSec), ExpectedDelay, ShellParentName, ShellParentCmd, NextProcTime, NextProcName, NextProcId, ImmediatelyAfterPing_Command | order by PingProcTime desc

let PingCountThreshold = 60; // counts >= this considered a large delay let TimeWindow = 10m; // window after ping to look for the next process DeviceProcessEvents | where ProcessCommandLine has "ping" // narrow to likely Linux hosts (device name contains linux or process/file name indicates ping) | where tolower(DeviceName) contains "linux" or InitiatingProcessFileName endswith "ping" or InitiatingProcessFileName endswith "/ping" or FileName endswith "ping" | extend ping_args = ProcessCommandLine // extract common count options and a fallback trailing numeric token | extend c = toint(extract(@"-c\s*=?\s*(\d+)", 1, ping_args)), w = toint(extract(@"-w\s*=?\s*(\d+)", 1, ping_args)), longform = toint(extract(@"--count\s*=?\s*(\d+)", 1, ping_args)), trailing = toint(extract(@"ping\s+\S+\s+(\d+)", 1, ping_args)) | extend ping_count = coalesce(c, w, longform, trailing, 0) | where ping_count >= PingCountThreshold | project PingTimestamp = Timestamp, DeviceId, DeviceName, PingProcessId = ProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, PingCommand = ProcessCommandLine, ping_count // find subsequent processes on the same device within the configured time window | join kind=inner ( DeviceProcessEvents | project NextTimestamp = Timestamp, DeviceId2 = DeviceId, NextProcessId = ProcessId, NextCommand = ProcessCommandLine, NextFileName = FileName, NextInitiatingProcessAccountName = InitiatingProcessAccountName, NextInitiatingProcessAccountDomain = InitiatingProcessAccountDomain ) on $left.DeviceId == $right.DeviceId2 | where NextTimestamp > PingTimestamp and NextTimestamp <= PingTimestamp + TimeWindow | where isnotempty(NextCommand) // choose earliest subsequent process after the ping | summarize arg_min(NextTimestamp, NextTimestamp, NextCommand, NextProcessId, NextFileName) by PingTimestamp, DeviceId, DeviceName, PingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, PingCommand, ping_count | project DeviceName, DeviceId, User = InitiatingProcessAccountName, UserDomain = InitiatingProcessAccountDomain, PingTimestamp, ping_count, PingCommand, NextTimestamp, NextCommand, NextFileName, NextProcessId | order by PingTimestamp desc

DeviceProcessEvents | where ProcessCommandLine contains "ping" and ProcessCommandLine contains "-c" | where ProcessCommandLine matches regex "-c\\s*([1-9][0-9]|[0-9]{3,})" | project DeviceName, PingProcessId=ProcessId, PingCommandLine=ProcessCommandLine, PingCreationTime=ProcessCreationTime, SessionId=CreatedProcessSessionId | join kind=inner ( DeviceProcessEvents | project DeviceName, SubsequentProcessId=ProcessId, SubsequentCommandLine=ProcessCommandLine, SubsequentCreationTime=ProcessCreationTime, SessionId=CreatedProcessSessionId ) on DeviceName, SessionId | where SubsequentCreationTime > PingCreationTime | summarize arg_min(SubsequentCreationTime, SubsequentCommandLine, SubsequentProcessId) by DeviceName, PingProcessId, PingCommandLine, PingCreationTime | project DeviceName, PingCommandLine, SubsequentCommandLine, PingCreationTime, SubsequentCreationTime

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where InitiatingProcessCommandLine contains "ping" and InitiatingProcessCommandLine matches regex @"-c\s+\d+" | extend countValue = extract(@"-c\s+(\d+)", 1, InitiatingProcessCommandLine, typeof(long)) | where countValue > 10 | project DeviceId, Timestamp, InitiatingProcessCommandLine, ProcessCommandLine | summarize arg_max(Timestamp, *) by DeviceId, InitiatingProcessCommandLine, ProcessCommandLine | project-away Timestamp

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; // Identify ping processes on Linux endpoints with a large -c value let PingProcesses = DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ActionType == "ProcessCreated" | where FileName =~ "ping" or ProcessCommandLine contains "ping" | parse kind=regex flags=U ProcessCommandLine with * "-c " Count:int " " | where isnotnull(Count) and Count > 50 | project DeviceId, PingParentProcessId = InitiatingProcessId, PingStartTime = ProcessCreationTime, LargeCount = Count; // Find the next process launched by the same parent after the ping start time DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ActionType == "ProcessCreated" | join kind=inner PingProcesses on DeviceId | where InitiatingProcessId == PingParentProcessId | where ProcessCreationTime > PingStartTime | summarize arg_min(ProcessCreationTime, *) by DeviceId, PingParentProcessId, PingStartTime | project DeviceName, NextProcessCreationTime = ProcessCreationTime, NextCommand = ProcessCommandLine, LargeCount

DeviceProcessEvents | join hint.strategy=broadcast kind=inner ( DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId ) on DeviceId | where FileName == "ping" | extend CountValue = toint(extract(@"-c\s+(\d+)", 1, ProcessCommandLine)) | where isnotnull(CountValue) and CountValue > 100 | order by DeviceId asc, ProcessCreationTime asc | serialize | extend NextDeviceId = next(DeviceId), NextProcessCommandLine_raw = next(ProcessCommandLine), NextProcessCreationTime_raw = next(ProcessCreationTime) | extend NextProcessCommandLine = iif(NextDeviceId == DeviceId, NextProcessCommandLine_raw, ""), NextProcessCreationTime = iif(NextDeviceId == DeviceId, NextProcessCreationTime_raw, datetime(1970-01-01)) | project DeviceName, PingProcessCommandLine = ProcessCommandLine, PingProcessCreationTime = ProcessCreationTime, NextProcessCommandLine, NextProcessCreationTime

// Detect use of the Linux ping utility as a sleep primitive (high “-c” value) // and show the very next process that was launched from the same shell/session // ----------------------------------------------------------------------------- // Tuning parameters let pingCountThreshold = 50; // “-c” value we still regard as a delay (>≈50 s) let lookAheadWindow = 10m; // Search window for the follow-up process // ----------------------------------------------------------------------------- // 1. Limit the hunt to Linux devices (Defender ATP covers several OSs) let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; // 2. Ping invocations that look like a delay (high -c argument) let PingDelay = DeviceProcessEvents | where DeviceId in (LinuxDevices) | where tolower(FileName) in ("ping", "ping4", "ping6") | extend CountValue = toint(extract(@"-c\s+([0-9]+)", 1, tostring(ProcessCommandLine))) | where isnotnull(CountValue) and CountValue >= pingCountThreshold | project DeviceId, DeviceName, PingStartTime = TimeGenerated, PingProcessId = ProcessId, ShellParentId = InitiatingProcessParentId, SessionId = CreatedProcessSessionId, PingCmd = ProcessCommandLine, CountValue; // 3. Every other process start we might consider as the follow-up command let AllProcs = DeviceProcessEvents | project DeviceId, NextTime = TimeGenerated, NextProcessId = ProcessId, NextParentId = InitiatingProcessParentId, NextSessionId = CreatedProcessSessionId, NextFileName = FileName, NextCmd = ProcessCommandLine; // 4. Join & pick the *first* process that appears after the ping delay PingDelay | join kind=inner (AllProcs) on DeviceId | where NextTime > PingStartTime | where NextTime <= PingStartTime + lookAheadWindow // same shell (parent PID) OR same session – helps bind the two events | where NextParentId == ShellParentId or NextSessionId == SessionId | summarize arg_min(NextTime, NextCmd, NextFileName, NextProcessId) by DeviceId, DeviceName, PingStartTime, PingCmd, CountValue | project DeviceName, PingStartTime, PingCmd, CountValue, NextProcessTime = NextTime, NextFileName, NextCmd | order by PingStartTime desc

// Identify ping executions on Linux hosts that use a high count as a delay mechanism // (Assuming ping command includes '-c <number>' and we use a threshold of 50 counts). let PingEvents = DeviceProcessEvents // Filter events where the command contains 'ping' and '-c' | where ProcessCommandLine has "ping" and ProcessCommandLine has "-c" // Extract the count value provided in '-c <number>' using regex; if extraction fails, toint returns 0 | extend Count = toint(extract(@'-c\s+(\d+)', 1, ProcessCommandLine)) // Filter to events with a large count value (threshold here set to 50; adjust as needed) | where Count >= 50 | project DeviceId, PingProcessId = ProcessId, PingTime = ProcessCreationTime, ParentProcId = InitiatingProcessParentId, PingCmd = ProcessCommandLine; // Get all process execution events with their parent process id let AllProcesses = DeviceProcessEvents | project DeviceId, ProcId = ProcessId, ProcessTime = ProcessCreationTime, CommandLine = ProcessCommandLine, ParentProcId = InitiatingProcessParentId; // For each ping event, find the next process executed by the same parent process PingEvents | join kind=inner (AllProcesses) on DeviceId, ParentProcId // ensure the candidate process event happened after the ping event | where ProcessTime > PingTime // For each ping event, pick the process event with the minimum ProcessTime (i.e. the one immediately after) | summarize NextProcessTime = min(ProcessTime) by DeviceId, PingProcessId, PingTime, ParentProcId, PingCmd // join back to get details of the process that occurred immediately after the ping | join kind=inner (AllProcesses) on DeviceId, ParentProcId | where ProcessTime == NextProcessTime | project DeviceId, PingTime, PingCmd, NextProcessTime, NextProcId = ProcId, NextCommand = CommandLine, ParentProcId | order by PingTime desc

let pingEvents = DeviceProcessEvents | where ProcessCommandLine has "ping" // extract the count value passed to ping (e.g. 'ping -c 100') | extend PingCount = toint(extract(@"-c\s+(\d+)", 1, ProcessCommandLine)) | where isnotempty(PingCount) and PingCount >= 100 | project DeviceId, PingTime = ProcessCreationTime, PingProcessId = ProcessId, PingCommandLine = ProcessCommandLine; let nextProcesses = DeviceProcessEvents | project DeviceId, ProcessCreationTime, NextProcessCommandLine = ProcessCommandLine; // For each ping event, join with subsequent process events on the same device and select the earliest event that occurred after the ping pingEvents | join kind=inner (nextProcesses) on DeviceId | where ProcessCreationTime > PingTime | summarize NextProcessTime = min(ProcessCreationTime) by DeviceId, PingTime, PingProcessId, PingCommandLine | join kind=inner (nextProcesses) on DeviceId | where ProcessCreationTime == NextProcessTime | project DeviceId, PingTime, PingProcessId, PingCommandLine, NextProcessTime, NextProcessCommandLine