Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "awk" | where ProcessCommandLine contains "BEGIN" | where ProcessCommandLine contains "system(" | where ProcessCommandLine contains "sh" or ProcessCommandLine contains "bash" | project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains "awk" and ProcessCommandLine contains "BEGIN" | project ProcessCommandLine

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where (InitiatingProcessCommandLine contains 'awk' and InitiatingProcessCommandLine has 'BEGIN') | where (InitiatingProcessCommandLine contains '/bin/bash' or InitiatingProcessCommandLine contains '/bin/sh') | extend shellCommand = case(InitiatingProcessCommandLine contains '/bin/bash', '/bin/bash', InitiatingProcessCommandLine contains '/bin/sh', '/bin/sh', '') | project DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated, shellCommand | where shellCommand != ''

DeviceProcessEvents | where InitiatingProcessCommandLine has "awk" and InitiatingProcessCommandLine matches regex @"BEGIN.*sh" | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessCommandLine

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | summarize by DeviceId; DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linuxDevices) // awk variants and busybox awk | where FileName in~ ("awk","gawk","mawk","nawk") or (FileName =~ "busybox" and ProcessCommandLine has " awk") // BEGIN rule + shell execution indicators | where ProcessCommandLine has "BEGIN" and ( // system() used to launch a shell (ProcessCommandLine has "system(" and ProcessCommandLine has_any ("/bin/sh","/bin/bash","/bin/dash","/bin/ash","/bin/ksh","/bin/zsh"," sh"," bash"," dash"," ash"," ksh"," zsh")) // or piping to a shell command or ProcessCommandLine has_any ("| /bin/sh","| '/bin/sh","| \"/bin/sh","| /bin/bash","| '/bin/bash","| \"/bin/bash") ) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, DeviceId | order by TimeGenerated desc

// Find Linux process creations where awk uses a BEGIN rule to launch a shell // Search both DeviceProcessEvents and DeviceEvents (some environments populate either table) let src = union DeviceProcessEvents, DeviceEvents; src | where isnotempty(ProcessCommandLine) // Narrow to commands that call awk and include a BEGIN clause | where tolower(ProcessCommandLine) contains "awk" and tolower(ProcessCommandLine) contains "begin" // Look for common indicators of launching a shell from awk: system/exec, explicit /bin/sh or /bin/bash, piping to a shell, getline usage | where ( tolower(ProcessCommandLine) contains "system" or tolower(ProcessCommandLine) contains "exec(" or tolower(ProcessCommandLine) contains "/bin/sh" or tolower(ProcessCommandLine) contains "/bin/bash" or tolower(ProcessCommandLine) contains "|/bin" or tolower(ProcessCommandLine) contains "getline" ) // Also include entries that match a broader regex for patterns like: awk 'BEGIN{system("/bin/sh")}' or ProcessCommandLine matches regex "(?i)\\bawk\\b.*BEGIN.*system\\s*\\(" | project TimeGenerated, DeviceName, DeviceId, AccountName, ProcessId, ProcessCreationTime, FileName, CommandLine=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | distinct TimeGenerated, DeviceName, DeviceId, AccountName, ProcessId, ProcessCreationTime, FileName, CommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | take 100

// Search DeviceProcessEvents and DeviceEvents for awk BEGIN blocks that launch a shell let src = union DeviceProcessEvents, DeviceEvents; src | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // Focus on records that reference awk | where ProcessCommandLine has "awk" or FileName has_cs "awk" // Reduce noise by requiring a BEGIN block and evidence of shell invocation or functions that can spawn shells | where ProcessCommandLine has "BEGIN" | where ProcessCommandLine has_any ("system(", "popen(", "exec(", "/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash") // Keep the full command and extract the BEGIN{...} block if present | extend Command = tostring(ProcessCommandLine) | extend AwkBeginBlock = extract("(BEGIN\\s*\\{[^}]*\\})", 1, Command) | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, Command, AwkBeginBlock, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, RawEvent = pack_all() | order by TimeGenerated desc | take 500

union DeviceProcessEvents, DeviceEvents | extend cmd = tostring(ProcessCommandLine) | where isnotempty(cmd) | extend lcmd = tolower(cmd) // Look for awk invoking a shell in a BEGIN rule: require awk, begin, system(, and a shell name | where lcmd contains "awk" and lcmd contains "begin" and lcmd contains "system(" and (lcmd contains "sh" or lcmd contains "bash" or lcmd contains "/bin/sh") | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine = cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId, TenantId | order by TimeGenerated desc | take 100

DeviceProcessEvents | where (InitiatingProcessFileName endswith "awk" or InitiatingProcessCommandLine contains "awk") | where InitiatingProcessCommandLine contains "BEGIN" | where InitiatingProcessCommandLine contains "system(" | extend ShellArg = extract(@"system\(\s*([^\)]+)\s*\)", 1, InitiatingProcessCommandLine) | where isnotempty(ShellArg) | where ShellArg contains "/bin/sh" or ShellArg contains "/bin/bash" | join kind=inner ( DeviceInfo | where OSPlatform contains "Linux" or OSDistribution contains "Linux" | project DeviceId, DeviceName, OSPlatform, OSDistribution ) on DeviceId | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ShellArg, ProcessId, InitiatingProcessId, OSPlatform, OSDistribution | sort by TimeGenerated desc

DeviceProcessEvents | where FileName contains 'awk' | where ProcessCommandLine has 'BEGIN' and ProcessCommandLine has_any ('sh', 'bash', 'shell') | project DeviceName, ProcessCreationTime, ProcessCommandLine, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | join kind=inner (DeviceInfo | where OSPlatform == "Linux" | project DeviceId, OSPlatform) on DeviceId | where ProcessCommandLine contains "awk" and ProcessCommandLine contains "BEGIN" and (ProcessCommandLine contains "system" and ProcessCommandLine contains "/bin/sh") | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" ) on DeviceId | where ActionType == "ProcessCreated" | where FileName endswith "awk" // or FileName has "awk" if you suspect a path | where ProcessCommandLine has_all ("BEGIN", "system(") | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=innerunique ( DeviceInfo | where OSPlatform == "Linux" ) on DeviceId | where FileName == "awk" or ProcessCommandLine has "awk" | where ProcessCommandLine has "BEGIN" | where ProcessCommandLine has_any ("sh", "bash") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

// Suspicious use of awk BEGIN rule to spawn a shell on Linux let shell_rx = @"BEGIN[^{]*\{[^}]*((/bin/)?(sh|bash|zsh|ksh)|\b(sh|bash|zsh|ksh)\b)"; // case-insensitive by default DeviceProcessEvents | where FileName =~ "awk" or ProcessCommandLine contains "awk " | where ProcessCommandLine contains "BEGIN" // quick pre-filter | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId ) on DeviceId | where ProcessCommandLine matches regex shell_rx | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, DeviceId | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "awk" and ProcessCommandLine contains "BEGIN" | where ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "sh -" | project TimeGenerated, DeviceName, ProcessCommandLine, ProcessId | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "awk" | where ProcessCommandLine has "BEGIN" | where ProcessCommandLine has_any ("/bin/sh", "/bin/bash") | project TimeGenerated, DeviceName, ProcessCommandLine

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) // Filter to awk executions | where FileName =~ "awk" or FileName endswith "awk" // Look for BEGIN block invoking a shell via system(...) | where ProcessCommandLine matches regex @"\bawk\b.*\bBEGIN\s*\{[^}]*system\s*\(" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where tolower(ProcessCommandLine) has "awk" // look for BEGIN rule and system call launching a shell | where tolower(ProcessCommandLine) has "begin" and tolower(ProcessCommandLine) has "system(\"/bin/sh" | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine | sort by TimeGenerated desc