Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "dd" and ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "/mem" | extend OutputFileName = extract(@"of=([^ ]+)", 1, ProcessCommandLine) | where isnotempty(OutputFileName) | project TimeGenerated, DeviceName, ProcessCommandLine, OutputFileName | order by TimeGenerated asc

DeviceProcessEvents | where ProcessCommandLine has 'dd' and ProcessCommandLine has '/proc/' and ProcessCommandLine has '/mem' | parse ProcessCommandLine with * 'of=' FileName ' ' * | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessId, FileName

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName == "dd" or ProcessCommandLine has "dd " | where ProcessCommandLine matches regex @"if=/proc/\d+/mem" | extend outputFile = extract(@"of=([^\s]+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, outputFile | where isnotempty(outputFile)

DeviceProcessEvents | where FileName in~ ("dd", "dd.exe") // Look for command with the input file i.e. if=/proc/PID/mem | where ProcessCommandLine has_all ("if=/proc", "/mem") // Project the output file after the 'of=' syntax in the command | extend DumpWrittenOnHostFile = trim(@"'", tostring(extract(@"of=([\w-\.:/\\]*?) ",1,ProcessCommandLine ))) | where isnotempty(DumpWrittenOnHostFile) | summarize any(*) by DumpWrittenOnHostFile | order by tostring(DumpWrittenOnHostFile) asc | take 50 // Project only the output file name in the memory dump file | project DumpWrittenOnHostFile //, * // Uncomment to show results and files dropped by each host // | extend HostName = tostring(split(DeviceName, '.') [0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))

DeviceProcessEvents | where ProcessCommandLine has "dd" and ProcessCommandLine matches regex @"/proc/[0-9]+/mem" | extend OutputFile = extract(@"of=([^\s]+)", 1, ProcessCommandLine) | where isnotempty(OutputFile) | summarize count() by OutputFile | order by count_ desc

DeviceProcessEvents | where ProcessCommandLine contains 'dd' and ProcessCommandLine contains '/proc/' and ProcessCommandLine contains 'mem' | project TimeGenerated, ProcessId, ProcessCommandLine | extend OutputFile=extract("of=([^ ]+)", 1, ProcessCommandLine) | where isnotempty(OutputFile)

DeviceProcessEvents | where ProcessCommandLine contains "dd" and ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "/mem" | project InitiatingProcessCommandLine, FileName

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where FileName =~ "dd" or ProcessCommandLine matches regex @"(?i)\bdd\b" | where ProcessCommandLine matches regex @"/proc/(?:\d+|self)/mem" // Extract of= argument (optionally double-quoted) | extend of_file = extract(@'(?i)\bof\s*=\s*"?([^ \t";|]+)"?', 1, ProcessCommandLine) // Extract shell redirection target (>, >>, 1>, etc.; optionally double-quoted) | extend redirect_file = extract(@'(?:^|\s)(?:\d?>|>>)\n\s*"?(/[^ \t";|]+)"?', 1, ProcessCommandLine) | extend DumpTargetPath = coalesce(of_file, redirect_file) | where isnotempty(DumpTargetPath) | extend DumpTargetFileName = tostring(split(DumpTargetPath, "/")[array_length(split(DumpTargetPath, "/")) - 1]) | project Time=ProcessCreationTime, DeviceName, AccountName, ProcessId, CommandLine=ProcessCommandLine, DumpTargetPath, DumpTargetFileName | order by Time desc

// Find dd processes that read from /proc/*/mem and capture destination file name let dd_procs = DeviceProcessEvents | where isnotempty(ProcessCommandLine) // Look for dd commands reading from /proc/<pid>/mem or /proc/*/mem and redirecting to a file | where ProcessCommandLine has 'dd' and (ProcessCommandLine has '/proc/' and ProcessCommandLine has 'mem') | extend dd_from = tostring(extract(@"(if=\s*[^\s]+|if=\S+)", 1, ProcessCommandLine)) | extend dd_to = tostring(extract(@"(of=\s*[^\s]+|of=\S+|>\s*\S+)", 1, ProcessCommandLine)) | extend dd_to = replace(@"^of=", "", dd_to) | extend dd_to = trim(" ", replace(@">", "", dd_to)) | extend dd_from = trim(" ", replace(@"if=", "", dd_from)) | extend proc_pid = tostring(extract(@"/proc/(\d+)/mem", 1, ProcessCommandLine)) | project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, dd_from, dd_to, proc_pid; // Also look in DeviceEvents and DeviceFileEvents for file creation/writes by processes named dd or with cmdline containing dd let file_writes = ( DeviceEvents | where isnotempty(InitiatingProcessFileName) or isnotempty(InitiatingProcessCommandLine) | where (InitiatingProcessFileName == 'dd' or InitiatingProcessCommandLine has ' dd ') or (FileName has '.' ) | where ActionType in ('FileCreated','FileWritten','FileModified','FileCreated') | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ) | union ( DeviceFileEvents | where isnotempty(InitiatingProcessFileName) or isnotempty(InitiatingProcessCommandLine) | where (InitiatingProcessFileName == 'dd' or InitiatingProcessCommandLine has ' dd ') or (FileName has '.' ) | where ActionType in ('FileCreated','FileWritten','FileModified') | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ); // Join dd processes to file writes by time and device and process id if available dd_procs | join kind=leftouter (file_writes) on DeviceName | where isempty(proc_pid) or proc_pid == tostring(InitiatingProcessId) or ProcessCommandLine has tostring(InitiatingProcessId) | project TimeGenerated=coalesce(TimeGenerated, TimeGenerated1), DeviceName, ProcessId, ProcessCommandLine, dd_from, dd_to, FileName, FolderPath, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine | summarize any(dd_to), any(FileName), any(FolderPath), any(InitiatingProcessCommandLine) by DeviceName, ProcessId, ProcessCommandLine, dd_from | extend DumpedFile = coalesce(any_dd_to, any_FileName, any_FolderPath) | project DeviceName, ProcessId, ProcessCommandLine, dd_from, DumpedFile | where isnotempty(DumpedFile) | distinct DeviceName, ProcessId, ProcessCommandLine, dd_from, DumpedFile | take 100

// Find dd processes reading from /proc/*/mem and determine output file let ddProcs = union ( DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has "dd" and ProcessCommandLine has "/proc/" and ProcessCommandLine has "mem" | extend Time = coalesce(ProcessCreationTime, TimeGenerated) | project Time, DeviceName, DeviceId, ProcessId, ProcessCommandLine, ProcessFileName = FileName ), ( DeviceEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has "dd" and ProcessCommandLine has "/proc/" and ProcessCommandLine has "mem" | extend Time = coalesce(ProcessCreationTime, TimeGenerated) | project Time, DeviceName, DeviceId, ProcessId, ProcessCommandLine, ProcessFileName = FileName ); let files = DeviceFileEvents | where isnotempty(FileName) | project FileTime = TimeGenerated, DeviceName, DeviceId, InitiatingProcessId, FileName, FolderPath, ActionType; ddProcs | extend of_param = extract(@"\bof=([^\s]+)", 1, ProcessCommandLine) | extend redirect_param = extract(@">\s*([^\s]+)", 1, ProcessCommandLine) | extend OutFile = coalesce(of_param, redirect_param) | join kind=leftouter ( files ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId | extend FileMatchedTimeWindow = iff(FileTime >= Time - 1m and FileTime <= Time + 5m, true, false) | where isnotempty(OutFile) or FileMatchedTimeWindow == true | project Time, DeviceName, ProcessId, ProcessFileName, ProcessCommandLine, OutFile, MatchedFile = FileName, FolderPath, FileTime, ActionType | order by Time desc

DeviceProcessEvents | extend CommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | where TimeGenerated between (ago(1d) .. now()) | where tolower(CommandLine) contains "dd" and tolower(CommandLine) contains "/proc/" and tolower(CommandLine) contains "/mem" | extend OutputFile = extract(@"(?i)of=([^\s]+)", 1, CommandLine) | where isnotempty(OutputFile) | project TimeGenerated, DeviceName, InitiatingProcessId, ProcessId, CommandLine, OutputFile | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "dd" and ProcessCommandLine has "/proc/" and ProcessCommandLine has "mem" | extend OutputFile = tostring(extract(@"of=([^\s]+)", 1, ProcessCommandLine)) | where isnotempty(OutputFile) | project TimeGenerated, DeviceName, ProcessCommandLine, OutputFile | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "dd" | where ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "mem" | extend OutputFile = extract("of=([^\\s]+)", 1, ProcessCommandLine) | project Timestamp, DeviceName, ProcessCommandLine, OutputFile, AccountName, InitiatingProcessFileName | order by Timestamp desc

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where FileName == "dd" | where ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "mem" | extend OutputFile = extract(@"of=([^ ]+)", 1, ProcessCommandLine) | project Timestamp, ProcessCommandLine, OutputFile | summarize arg_max(Timestamp, *) by OutputFile

DeviceProcessEvents | where ActionType in ("CreateProcess", "ProcessCreated") | project TimeGenerated, DeviceId, DeviceName, ProcessCommandLine // Join with DeviceInfo to ensure we only look at Linux systems | join kind=inner ( DeviceInfo | project DeviceId, OSPlatform ) on DeviceId | where OSPlatform == "Linux" | where ProcessCommandLine has "dd " and ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "/mem" and ProcessCommandLine has " of=" | parse kind=regex ProcessCommandLine with * "if=" Source " of=" DumpFile " " * | project TimeGenerated, DeviceName, Source, DumpFile | order by TimeGenerated desc

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ActionType == "ProcessCreated" | where FileName =~ "dd" | where ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "/mem" | extend DumpedFile = extract(@"of=([^\s]+)",1,ProcessCommandLine) | where isnotempty(DumpedFile) | project TimeGenerated, DeviceName, ProcessCommandLine, DumpedFile | order by TimeGenerated desc

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | summarize by DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where FileName =~ "dd" | where ProcessCommandLine has "/proc/" and ProcessCommandLine has "/mem" // Pull out the destination file (first match wins) | extend DumpFilePath = coalesce( extract(@"of=([^\s]+)", 1, ProcessCommandLine), // dd if=... of=/tmp/dump extract(@">>\s*([^\s]+)", 1, ProcessCommandLine), // dd if=... >> /tmp/dump extract(@">\s*([^\s]+)", 1, ProcessCommandLine) // dd if=... > /tmp/dump ) | where isnotempty(DumpFilePath) | extend DumpFileName = tostring(split(DumpFilePath, "/")[-1]) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, DumpFilePath, DumpFileName | sort by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "dd" | where InitiatingProcessCommandLine has "if=/proc/" and InitiatingProcessCommandLine has "mem" | extend dump_file = extract(@"of=(\S+)", 1, InitiatingProcessCommandLine) | where isnotempty(dump_file) | project TimeGenerated, InitiatingProcessCommandLine, dump_file

DeviceProcessEvents | where ProcessCommandLine has "dd" | where ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "mem" | extend DumpFile = extract(@"of=([^ \t]+)", 1, ProcessCommandLine) | where isnotempty(DumpFile) | project TimeGenerated, ProcessCommandLine, DumpFile | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "dd" and ProcessCommandLine has "if=/proc/" | extend DumpFile = extract(@"of=(\S+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessCommandLine, DumpFile