Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "iptables-save" // Look for redirection > or >> followed by a filename/path | where ProcessCommandLine matches regex @'.*iptables-save\s*>+\s*([^ ]+)' | extend OutputFileName = extract(@'.*iptables-save\s*>+\s*([^ ]+)', 1, ProcessCommandLine) | where isnotempty(OutputFileName) | project Timestamp, DeviceName, AccountName, ProcessCommandLine, OutputFileName

DeviceProcessEvents | where ProcessCommandLine has "iptables-save >" | extend SavedFileName = extract(@"iptables-save\s*>\s*([^\s]+)", 1, ProcessCommandLine) | where isnotempty(SavedFileName) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, SavedFileName | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "iptables-save" or ProcessCommandLine contains "iptables" | project FileName, ProcessCommandLine, TimeGenerated

let linuxDevices = DeviceInfo | where OSPlatform =~ 'Linux' | project DeviceId, DeviceName; DeviceProcessEvents | where ActionType == 'ProcessCreated' | where ProcessCommandLine has_any ('iptables-save','ip6tables-save') | join kind=inner (linuxDevices) on DeviceId | extend cmd = tostring(ProcessCommandLine) // Capture path after '>' or after 'tee [options]' | extend SavedPath = coalesce( extract(@'>\s*(?:"([^"]+)"|''([^'']+)''|([^\s;|&]+))', 1, cmd), extract(@'>\s*(?:"([^"]+)"|''([^'']+)''|([^\s;|&]+))', 2, cmd), extract(@'>\s*(?:"([^"]+)"|''([^'']+)''|([^\s;|&]+))', 3, cmd), extract(@'\btee\b\s+(?:-[a-zA-Z]+\s+)*(?:"([^"]+)"|''([^'']+)''|([^\s;|&]+))', 1, cmd), extract(@'\btee\b\s+(?:-[a-zA-Z]+\s+)*(?:"([^"]+)"|''([^'']+)''|([^\s;|&]+))', 2, cmd), extract(@'\btee\b\s+(?:-[a-zA-Z]+\s+)*(?:"([^"]+)"|''([^'']+)''|([^\s;|&]+))', 3, cmd) ) | where isnotempty(SavedPath) | extend path_parts = split(SavedPath, '/') | extend SavedFileName = tostring(path_parts[array_length(path_parts)-1]) | project TimeGenerated, DeviceName, AccountName, SavedPath, SavedFileName, ProcessCommandLine | order by TimeGenerated asc

union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) contains "iptables-save" // Extract filename after redirection (>) | extend redirectFile = extract(@">\s*([^\s;|]+)", 1, ProcessCommandLine) // Extract filename after a tee command | extend teeFile = extract(@"\btee\s+([^\s;|]+)", 1, ProcessCommandLine) // Choose the redirect result first, otherwise tee result | extend rawSavedFile = iff(isnotempty(redirectFile), redirectFile, teeFile) // Trim surrounding quotes and whitespace | extend savedFile = trim(" '\"", rawSavedFile) | where isnotempty(savedFile) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, savedFile | summarize hits = count(), firstSeen = min(TimeGenerated), lastSeen = max(TimeGenerated) by savedFile, DeviceName | order by hits desc, lastSeen desc

// Find processes that invoked iptables-save redirecting output to a file and subsequent flush let ipt_save_re = @"iptables-save\s*(?:>|>>)\s*(\S+)"; let ipt_flush_re = @"\biptables\b.*\b(-F|--flush)\b"; // Look for commands containing iptables-save redirection in DeviceProcessEvents DeviceProcessEvents | where ProcessCommandLine matches regex ipt_save_re | extend SavedFile = extract(ipt_save_re, 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessId, InitiatingProcessAccountName, ProcessCommandLine, SavedFile | union ( // Also check DeviceEvents which might contain ProcessCommandLine and FileName DeviceEvents | where ProcessCommandLine matches regex ipt_save_re or ProcessCommandLine matches regex ipt_flush_re | extend SavedFile = extract(ipt_save_re, 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessId, InitiatingProcessAccountName, ProcessCommandLine, SavedFile ) | order by TimeGenerated asc | extend SavedFile = iff(isnull(SavedFile) or SavedFile == "", "(none)", SavedFile) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Commands=make_set(ProcessCommandLine, 20), Devices=make_set(DeviceName), Users=make_set(InitiatingProcessAccountName) by SavedFile | project SavedFile, FirstSeen, LastSeen, Devices, Users, Commands | where SavedFile != "(none)" | take 100

// Search DeviceProcessEvents for iptables-save and iptables flush commands and extract potential backup filenames let proc_matches = DeviceProcessEvents | where ProcessCommandLine has "iptables" // exclude irrelevant windows binaries where the same term might appear | where isnull(ProcessCommandLine) == false | extend cmd = tostring(ProcessCommandLine) // look for iptables-save usage (redirect '> filename' or '-f filename') or iptables -S > file | where cmd matches regex @"(?i)iptables-save|iptables\s+-S|iptables\s+--list-rules|iptables\s+-L|iptables\s+--flush|iptables\s+-F" | extend possible_out = extract(@">\s*([^\s;]+)", 1, cmd) | extend possible_out2 = extract(@"-(?:f|file)\s+([^\s;]+)", 1, cmd) | extend candidate_file = coalesce(possible_out, possible_out2) | project DeviceName, TimeGenerated, ProcessId, InitiatingProcessAccountName, FileName, cmd, candidate_file, InitiatingProcessFileName, InitiatingProcessId; // Search DeviceEvents for file write/create events referencing iptables or rules let file_matches = DeviceEvents | where ActionType has_any ("FileCreated", "FileCreatedByProcess", "FileModified", "FileWrite", "FileCopied", "FileSaved") or ActionType has "File" | where isnotempty(FileName) or isnotempty(AdditionalFields) | extend fname = coalesce(FileName, tostring(AdditionalFields["FileName"]), tostring(AdditionalFields["TargetFileName"])) | where fname has_any ("iptables", "iptables.rules", "rules.v4", "rules.v6", "rules") | project DeviceName, TimeGenerated, ActionType, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, fname; // Combine and show distinct candidate filenames with context proc_matches | union (file_matches | extend ProcessId = long(0), ProcessIdStr = "", cmd = InitiatingProcessCommandLine, candidate_file = fname) | extend candidate_file = tostring(candidate_file) | where isnotempty(candidate_file) | summarize count() , min(TimeGenerated), max(TimeGenerated), any(cmd), any(DeviceName), any(InitiatingProcessAccountName), any(InitiatingProcessFileName) by candidate_file | project candidate_file, Count = count_, FirstSeen = min_TimeGenerated, LastSeen = max_TimeGenerated, ExampleCommand = any_cmd, Device = any_DeviceName, Account = any_InitiatingProcessAccountName, InitiatingProcess = any_InitiatingProcessFileName | order by FirstSeen asc | take 50

DeviceProcessEvents | where ProcessCommandLine contains "iptables-save" or InitiatingProcessFileName contains "iptables-save" | join kind=inner (DeviceInfo | where OSPlatform contains "Linux" | project DeviceId, DeviceName, OSPlatform) on DeviceId | extend RedirectPath = extract(@"(?i)[>]{1,2}\s*([^ \t]+)", 1, ProcessCommandLine) | where isnotempty(RedirectPath) | extend BackupFileName = extract(@"[^/]+$", 1, RedirectPath) | project TimeGenerated, DeviceName, OSPlatform, ProcessCommandLine, RedirectPath, BackupFileName

DeviceProcessEvents | where ((isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) contains "iptables-save") or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) contains "iptables-save")) | extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | extend BackupFilePath = iif(tolower(CmdLine) contains "iptables-save > ", extract(@"iptables-save\s*>\s*(\S+)", 1, CmdLine), extract(@"iptables-save\s*>>\s*(\S+)", 1, CmdLine)) | where isnotempty(BackupFilePath) | extend BackupFileName = extract(@"([^/]+)$", 1, BackupFilePath) | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, BackupFilePath, BackupFileName | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where ProcessCommandLine contains "iptables-save" | extend BackupFileName = extract("[>\\s]+([^>\\s]+)", 1, ProcessCommandLine) | where isnotempty(BackupFileName) | project DeviceName, ProcessCommandLine, BackupFileName, Timestamp | order by Timestamp desc

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ProcessCommandLine contains "iptables-save" and ProcessCommandLine contains ">" | extend Filename = extract(@"iptables-save.*>\s*(.*)", 1, ProcessCommandLine) | project Filename | distinct Filename | order by Filename asc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "iptables-save" | extend BackupFilename = extract(@">\s*([^\s]+)", 1, ProcessCommandLine) | where isnotempty(BackupFilename) | project TimeGenerated, DeviceName, ProcessCommandLine, BackupFilename | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "iptables-save" | extend backupFile = extract(@"iptables-save.*>\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(backupFile) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, backupFile

// Detect an attacker saving current iptables rules to a file before flushing them DeviceProcessEvents | where FileName =~ "iptables-save" or ProcessCommandLine has "iptables-save" // keep only executions that appear to write the rules somewhere (redirection or -f switch) | where ProcessCommandLine has ">" or ProcessCommandLine has " -f" // try to capture the pathname that follows the redirection symbol ( ">" ) // or the pathname that follows the "-f" flag | extend BackupFileFromRedirect = extract(@">\s*([^\s;|&]+)", 1, ProcessCommandLine), BackupFileFromFlag = extract(@"-f\s+([^\s;|&]+)", 1, ProcessCommandLine) | extend BackupFileRaw = coalesce(BackupFileFromRedirect, BackupFileFromFlag) // strip quotes/back-ticks if the path was quoted | extend BackupFile = trim("'\"`", BackupFileRaw) | where isnotempty(BackupFile) // provide a concise view of where / when the back-up file was created | summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, BackupFile | sort by LastSeen desc

DeviceProcessEvents | where ProcessCommandLine contains "iptables-save" and ProcessCommandLine contains ">" | extend backup_filename = extract(@">\s*(\S+)", 1, ProcessCommandLine) | project TimeGenerated, backup_filename, ProcessCommandLine, FileName | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "iptables-save" and ProcessCommandLine has ">" | extend backup_file = extract(@">\s*([^\s]+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessCommandLine, backup_file | sort by TimeGenerated desc // This query identifies the file where the iptables-save output was redirected, revealing the backup filename used.

DeviceProcessEvents | where ProcessCommandLine contains "iptables-save" | extend BackupFile = extract(@">\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(BackupFile) | summarize FirstSeen = min(TimeGenerated) by BackupFile, DeviceName, InitiatingProcessAccountName | order by FirstSeen desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "iptables-save" // Extract the filename immediately following the '>' redirection | extend BackupFile = extract(@"iptables-save\s*>\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(BackupFile) // Summarize and sort by frequency to identify the specific file name used | summarize UsageCount = count() by BackupFile | sort by UsageCount desc | project BackupFile