Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains "Bookmarks" | where ProcessCommandLine contains "dir" or ProcessCommandLine contains "findstr" or ProcessCommandLine contains "Get-ChildItem" | distinct FileName

DeviceProcessEvents | where ProcessCommandLine has "Bookmarks" and ( ProcessCommandLine has "C:\\Users" or ProcessCommandLine has "%USERPROFILE%" ) and ( FileName =~ "cmd.exe" or FileName =~ "powershell.exe" or FileName =~ "where.exe" or FileName =~ "dir.exe" ) | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessParentFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains "Bookmarks" | where ProcessCommandLine matches regex @".*\\Users\\.*" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine | summarize count() by InitiatingProcessFileName, ProcessCommandLine | order by count_ desc

DeviceProcessEvents | where ProcessCommandLine has_any ("/s", "-Recurse", "-Recurse -Path") | where FileName in ("cmd.exe", "powershell.exe", "cscript.exe") | where ProcessCommandLine contains "Bookmarks" or FolderPath contains "Bookmarks" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FolderPath

DeviceProcessEvents | where ProcessCommandLine contains "Bookmarks" | where ProcessCommandLine contains "Users" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine

let bookmarksRegex = @"(?i)\bbookmarks\b"; let usersRegex = @"(?i)c:\\users"; DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) | where ProcessCommandLine matches regex bookmarksRegex | where ProcessCommandLine matches regex usersRegex | extend Utility = case( FileName =~ "where.exe" and ProcessCommandLine has "/r", "where.exe", FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"(?i)\bdir\b.*?(/s|/b)", "cmd.exe (dir)", (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") and ProcessCommandLine matches regex @"(?i)\b(get-childitem|gci|ls|dir)\b.*?-recurse\b", "PowerShell (Get-ChildItem)", FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"(?i)\bfor\s+/r\b", "cmd.exe (for /r)", FileName) | where Utility in ("where.exe", "cmd.exe (dir)", "PowerShell (Get-ChildItem)", "cmd.exe (for /r)") | summarize ExecCount=dcount(ProcessId), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), SampleCommand=arg_max(TimeGenerated, ProcessCommandLine) by DeviceName, Utility | order by ExecCount desc, LastSeen desc

// Find processes that searched for files named 'Bookmarks' under user profile paths union isfuzzy=true ( DeviceProcessEvents | extend Cmd = tolower(ProcessCommandLine) | where isnotempty(Cmd) and Cmd contains "bookmarks" and (Cmd contains "\\users\\" or Cmd contains "c:\\users" or Cmd contains "users/") | extend ProcPath = trim('"', tostring(split(ProcessCommandLine, ' ')[0])) | extend ProcName = tolower(split(ProcPath, '\\')[-1]) | project Timestamp, DeviceName, ProcName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ), ( DeviceEvents | extend Cmd = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine)) | where isnotempty(Cmd) and Cmd contains "bookmarks" and (Cmd contains "\\users\\" or Cmd contains "c:\\users" or Cmd contains "users/") | extend ProcPath = trim('"', tostring(split(coalesce(ProcessCommandLine, InitiatingProcessCommandLine), ' ')[0])) | extend ProcName = tolower(split(ProcPath, '\\')[-1]) | project Timestamp, DeviceName, ProcName, ProcessId, ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ) | order by Timestamp desc | summarize events = count(), exampleCommand = any(ProcessCommandLine), firstSeen = min(Timestamp), lastSeen = max(Timestamp) by ProcName, DeviceName | order by events desc | limit 100

// Find events accessing files named 'Bookmarks' under user profiles and summarize by the initiating process and command line let files = DeviceFileEvents | where tolower(FileName) == "bookmarks" | where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\" | project TimeGenerated, DeviceName, Source = "DeviceFileEvents", ProcFileName = InitiatingProcessFileName, ProcCommandLine = InitiatingProcessCommandLine, ProcId = InitiatingProcessId, FolderPath; let procs = DeviceProcessEvents | where tolower(ProcessCommandLine) has "bookmarks" or ProcessCommandLine matches regex @"(?i)dir\s+\/s|get-childitem|gci\s+(-|--)?recurse|where\s+\/r|forfiles|for\s+\/r" | project TimeGenerated, DeviceName, Source = "DeviceProcessEvents", ProcFileName = FileName, ProcCommandLine = ProcessCommandLine, ProcId = ProcessId, FolderPath = FolderPath; union files, procs | summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ProcFileName, ProcCommandLine, DeviceName | order by Events desc // The ProcFileName typically reveals the command-line utility (e.g., cmd.exe, powershell.exe, forfiles.exe, where.exe).

union DeviceProcessEvents, DeviceEvents, DeviceFileEvents | project TimeGenerated, DeviceName, ProcessFile = coalesce(FileName, InitiatingProcessFileName), ProcessId = coalesce(ProcessId, InitiatingProcessId), Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(Cmd) | extend CmdLower = tolower(Cmd) // Look for commands mentioning the target filename and common recursion/search indicators | where CmdLower contains "bookmarks" and ( CmdLower contains "-recurse" or CmdLower contains "get-childitem" or CmdLower contains " gci " or CmdLower contains "/s" or CmdLower contains "/r" or CmdLower contains "where " or CmdLower contains "findstr" or CmdLower contains "for /r" or (CmdLower contains "dir" and CmdLower contains "/s") ) | extend DetectedUtility = case( CmdLower contains "get-childitem" or CmdLower contains " gci " or CmdLower contains "powershell", "PowerShell (Get-ChildItem)", CmdLower contains "findstr" and CmdLower contains "/s", "findstr", CmdLower contains "where" and CmdLower contains "/r", "where.exe", CmdLower contains "for /r" or CmdLower contains "for / r", "cmd (for /r)", CmdLower contains "dir" and CmdLower contains "/s", "cmd (dir /s)", "Unknown") | summarize Count = count(), SampleCommands = make_list(Cmd, 5), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DetectedUtility, DeviceName, ProcessFile | order by Count desc, LastSeen desc | project DetectedUtility, DeviceName, ProcessFile, Count, FirstSeen, LastSeen, SampleCommands

DeviceProcessEvents | where ProcessCommandLine contains "Bookmarks" and ProcessCommandLine contains "C:\\Users\\" | summarize Count = count() by InitiatingProcessCommandLine | order by Count desc | project InitiatingProcessCommandLine, Count

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "Bookmarks" | where ProcessCommandLine has_any ("C:\\Users", "/s", "-Recurse", "for /r", "Get-ChildItem") | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated >= ago(7d) | where ProcessCommandLine contains "Bookmarks" // look for references to Bookmarks | where ProcessCommandLine has_any ("C:\\Users", "C:/Users", "Users") // searching user-profile directories | summarize TotalSearches = count() by InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName | order by TotalSearches desc

DeviceProcessEvents // utility must be the Windows search tool | where FileName =~ "where.exe" // the search had to be recursive and for the file name of interest | where ProcessCommandLine contains "/r" and ProcessCommandLine contains "Bookmarks" // (optional) most searches start at the Users tree – keep those if present | where ProcessCommandLine contains "C:\\Users" or ProcessCommandLine contains "\\Users" // tidy up who and where | extend Account = iff(isempty(AccountDomain), AccountName, strcat(AccountDomain, "\\", AccountName)) | summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleCmd = any(ProcessCommandLine) by DeviceName, Account, Utility = tostring(FileName) | order by LastSeen desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "/r" and InitiatingProcessCommandLine has "Bookmarks" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine | summarize Count = count() by InitiatingProcessFileName, InitiatingProcessCommandLine | order by Count desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "where" and InitiatingProcessCommandLine has "/r" and InitiatingProcessCommandLine has "Bookmarks" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "Bookmarks" | where ProcessCommandLine has_any ("/s", "/r", "-Recurse") | where FileName in~ ("where.exe", "cmd.exe", "powershell.exe") | distinct FileName

DeviceProcessEvents | where FileName in ("cmd.exe","powershell.exe","where.exe","dir.exe") | where ProcessCommandLine has "Bookmarks" and ProcessCommandLine has @"C:\Users\" and ProcessCommandLine has_any ("/s","/r","-Recurse","-Filter") | summarize Hits = count() by FileName, ProcessCommandLine | order by Hits desc | take 5