Advanced Multi Stage Linux Enumeration Post Exploitation Detector
Query
// ============================================================================
// Linux Discovery & Enumeration Detection
// Detect post-exploitation discovery with minimal false positives
// ============================================================================
let timeframe = 4h;
let threshold = 5;
// --- ALLOWLISTS (adjust to your environment!) ---
let excludedAccounts = dynamic([
"zabbix", "nagios", "icinga", "datadog", "telegraf", "prometheus",
"collectd", "splunk", "omsagent", "waagent", "nessus", "qualys",
"rapid7", "ansible", "puppet", "chef", "salt", "cfagent",
"pcp", "sysstat", "munin", "cacti", "xymon"
]);
let excludedParentImages = dynamic([
"ansible", "ansible-playbook", "puppet", "chef-client", "salt-minion",
"salt-call", "cfagent", "zabbix_agentd", "nagios", "nrpe",
"collectd", "telegraf", "datadog-agent", "omsagent",
"omi", "auoms", "qualys-cloud-agent", "nessus",
"cron", "crond", "anacron", "atd"
]);
// --- PATTERN DEFINITIONS ---
let suspiciousPatterns = dynamic([
// User & Identity Discovery
"whoami", "getent passwd", "cat /etc/passwd", "cat /etc/shadow",
"cat /etc/group", "lastlog",
// System Info Discovery
"uname -a", "cat /etc/os-release", "hostnamectl", "lsb_release",
"dmidecode", "cat /proc/version", "cat /proc/cpuinfo",
// Privilege Escalation Enumeration
"sudo -l", "find / -perm", "find / -suid", "find / -sgid",
"find / -writable", "getcap -r",
// Persistence Enumeration
"crontab -l", "cat /etc/crontab", "ls /etc/cron",
"systemctl list-unit-files", "service --status-all",
"ls /etc/init.d", "cat /etc/rc.local",
// Process & Service Discovery
"ps aux", "ps -ef", "pstree", "lsof -i",
// Network Discovery
"netstat -", "ss -tulpn", "ss -antp", "arp -a", "ip addr", "ip route",
"ifconfig", "route -n", "cat /etc/hosts", "cat /etc/resolv.conf",
"nmap ", "masscan ",
// Credential Hunting
"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
"cat /etc/ssh", ".ssh/config", ".ssh/authorized_keys",
"find / -name *.pem", "find / -name *.key",
"find / -name *.pfx", "find / -name *.p12",
".bash_history", ".mysql_history", ".psql_history",
// Environment Discovery
"printenv", "cat /etc/environment", "cat /proc/net",
// Filesystem / Config Hunting
"cat /etc/fstab",
"find / -name wp-config", "find / -name config.php",
"find / -name .env", "find / -name database.yml",
"find / -name web.config",
// Software / Package Discovery
"dpkg -l", "rpm -qa", "apt list --installed", "pip list", "pip3 list",
// Container / Cloud Discovery
"cat /proc/1/cgroup", "ls /.dockerenv",
"curl 169.254.169.254", "wget 169.254.169.254",
"curl metadata.google", "wget metadata.google",
// LOTL Tool Detection
"which gcc", "which python", "which perl", "which ruby",
"which nc", "which ncat", "which socat",
"which wget", "which curl", "which nmap"
]);
// --- MAIN QUERY ---
DeviceProcessEvents
| where TimeGenerated > ago(timeframe)
| where ProcessCommandLine has_any (suspiciousPatterns)
| where AccountName !in (excludedAccounts)
| where InitiatingProcessFileName !in~ (excludedParentImages)
| where not(
InitiatingProcessCommandLine has_any ("ansible", "puppet", "chef", "salt-call", "cfengine")
and InitiatingProcessFileName !in~ ("bash", "sh", "zsh", "python", "python3")
)
// ---- Kategorisierung ----
| extend NormalizedCommand = case(
// --- High Risk ---
ProcessCommandLine has "sudo -l"
or ProcessCommandLine has "find / -perm"
or ProcessCommandLine has "find / -suid"
or ProcessCommandLine has "find / -sgid"
or ProcessCommandLine has "find / -writable"
or ProcessCommandLine has "getcap -r",
"Privilege_Escalation_Enum",
ProcessCommandLine has "id_rsa"
or ProcessCommandLine has "id_dsa"
or ProcessCommandLine has "id_ecdsa"
or ProcessCommandLine has "id_ed25519"
or ProcessCommandLine has "find / -name *.pem"
or ProcessCommandLine has "find / -name *.key"
or ProcessCommandLine has "find / -name *.pfx"
or ProcessCommandLine has ".ssh/config"
or ProcessCommandLine has ".ssh/authorized_keys"
or ProcessCommandLine has "cat /etc/shadow",
"Credential_Hunting",
ProcessCommandLine has "cat /proc/1/cgroup"
or ProcessCommandLine has "ls /.dockerenv"
or ProcessCommandLine has "169.254.169.254"
or ProcessCommandLine has "metadata.google",
"Cloud_Container_Discovery",
// --- Medium Risk ---
ProcessCommandLine has "nmap "
or ProcessCommandLine has "masscan ",
"Active_Network_Scanning",
ProcessCommandLine has "crontab -l"
or ProcessCommandLine has "cat /etc/crontab"
or ProcessCommandLine has "ls /etc/cron"
or ProcessCommandLine has "systemctl list-unit-files"
or ProcessCommandLine has "service --status-all"
or ProcessCommandLine has "ls /etc/init.d"
or ProcessCommandLine has "cat /etc/rc.local",
"Persistence_Enum",
ProcessCommandLine has "find / -name wp-config"
or ProcessCommandLine has "find / -name config.php"
or ProcessCommandLine has "find / -name .env"
or ProcessCommandLine has "find / -name database.yml"
or ProcessCommandLine has "find / -name web.config",
"Config_File_Hunting",
ProcessCommandLine has ".bash_history"
or ProcessCommandLine has ".mysql_history"
or ProcessCommandLine has ".psql_history",
"History_Exfil",
ProcessCommandLine has "which gcc"
or ProcessCommandLine has "which python"
or ProcessCommandLine has "which perl"
or ProcessCommandLine has "which nc"
or ProcessCommandLine has "which ncat"
or ProcessCommandLine has "which socat"
or ProcessCommandLine has "which wget"
or ProcessCommandLine has "which curl"
or ProcessCommandLine has "which nmap",
"LOTL_Tool_Discovery",
// --- Low Risk ---
ProcessCommandLine has "whoami"
or ProcessCommandLine has "getent passwd"
or ProcessCommandLine has "cat /etc/passwd"
or ProcessCommandLine has "cat /etc/group"
or ProcessCommandLine has "lastlog",
"User_Discovery",
ProcessCommandLine has "uname"
or ProcessCommandLine has "cat /etc/os-release"
or ProcessCommandLine has "hostnamectl"
or ProcessCommandLine has "lsb_release"
or ProcessCommandLine has "dmidecode"
or ProcessCommandLine has "cat /proc/version",
"System_Info_Discovery",
ProcessCommandLine has "ps aux"
or ProcessCommandLine has "ps -ef"
or ProcessCommandLine has "pstree"
or ProcessCommandLine has "lsof -i",
"Process_Discovery",
ProcessCommandLine has "netstat"
or ProcessCommandLine has "ss -tulpn"
or ProcessCommandLine has "ss -antp"
or ProcessCommandLine has "arp -a"
or ProcessCommandLine has "ip addr"
or ProcessCommandLine has "ip route"
or ProcessCommandLine has "ifconfig"
or ProcessCommandLine has "cat /etc/hosts"
or ProcessCommandLine has "cat /etc/resolv.conf",
"Network_Discovery",
ProcessCommandLine has "printenv"
or ProcessCommandLine has "cat /etc/environment"
or ProcessCommandLine has "cat /proc/net",
"Environment_Discovery",
ProcessCommandLine has "dpkg -l"
or ProcessCommandLine has "rpm -qa"
or ProcessCommandLine has "apt list --installed"
or ProcessCommandLine has "pip list",
"Software_Discovery",
"other"
)
| where NormalizedCommand != "other"
// --- Aggregation ---
| summarize
UniqueCommandCount = dcount(ProcessCommandLine),
DetectedCategories = make_set(NormalizedCommand),
DetailedCommands = make_set(ProcessCommandLine, 25),
CommandCount = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
ReportId = take_any(ReportId) // Single ReportId für Custom Detection
by DeviceId, DeviceName, AccountName
| where UniqueCommandCount >= threshold
// --- Risk Scoring ---
| extend RiskScore =
iif(set_has_element(DetectedCategories, "Credential_Hunting"), 3, 0)
+ iif(set_has_element(DetectedCategories, "Privilege_Escalation_Enum"), 3, 0)
+ iif(set_has_element(DetectedCategories, "Cloud_Container_Discovery"), 3, 0)
+ iif(set_has_element(DetectedCategories, "Active_Network_Scanning"), 2, 0)
+ iif(set_has_element(DetectedCategories, "Persistence_Enum"), 2, 0)
+ iif(set_has_element(DetectedCategories, "Config_File_Hunting"), 2, 0)
+ iif(set_has_element(DetectedCategories, "History_Exfil"), 2, 0)
+ iif(set_has_element(DetectedCategories, "LOTL_Tool_Discovery"), 2, 0)
+ iif(set_has_element(DetectedCategories, "User_Discovery"), 1, 0)
+ iif(set_has_element(DetectedCategories, "System_Info_Discovery"), 1, 0)
+ iif(set_has_element(DetectedCategories, "Process_Discovery"), 1, 0)
+ iif(set_has_element(DetectedCategories, "Network_Discovery"), 1, 0)
+ iif(set_has_element(DetectedCategories, "Environment_Discovery"), 1, 0)
+ iif(set_has_element(DetectedCategories, "Software_Discovery"), 1, 0)
| extend ActivityDurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
// --- Severity Classification ---
| extend Severity = case(
RiskScore >= 12 and ActivityDurationMinutes between (1 .. 30), "Critical",
RiskScore >= 8, "High",
RiskScore >= 5 and UniqueCommandCount >= 7, "Medium",
"Low"
)
| where Severity in ("Critical", "High", "Medium")
// --- Final Projection ---
| project
Timestamp = FirstSeen,
DeviceId,
DeviceName,
AccountName,
Severity,
RiskScore,
UniqueCommandCount,
CommandCount,
ActivityDurationMinutes,
DetectedCategories,
DetailedCommands,
ReportId
| order by RiskScore desc, UniqueCommandCount desc
| where RiskScore >=10About this query
Explanation
This query is designed to detect suspicious activities on Linux systems that might indicate post-exploitation behavior, such as unauthorized access or malicious actions. Here's a simplified breakdown of what the query does:
-
Timeframe and Threshold: It looks at activities within the last 4 hours and focuses on cases where at least 5 unique suspicious commands are detected.
-
Allowlists: It excludes certain known and trusted accounts and processes (like monitoring tools) to reduce false positives.
-
Suspicious Patterns: The query identifies a wide range of suspicious command patterns that could indicate activities like:
- Credential hunting (searching for passwords or keys)
- Privilege escalation (attempting to gain higher access rights)
- Network and system discovery (gathering information about the system and network)
- Persistence mechanisms (methods to maintain access)
- Use of living-off-the-land (LOTL) tools (using built-in tools for malicious purposes)
-
Categorization: Detected commands are categorized into different risk levels (high, medium, low) based on their potential threat.
-
Aggregation: It summarizes the findings by counting unique commands, categorizing detected activities, and noting the time range of the activities.
-
Risk Scoring: A dynamic risk score is calculated based on the types of activities detected. Higher scores indicate more severe threats.
-
Severity Classification: The query assigns a severity level (Critical, High, Medium, Low) based on the risk score and the number of unique commands.
-
Filtering and Projection: Only activities with a severity of Medium or higher are considered, and the results are sorted by risk score. The final output includes details like the device name, account name, severity, risk score, and the specific commands detected.
Overall, this query helps security analysts identify potential security incidents by focusing on clusters of suspicious activities rather than isolated commands, making it a powerful tool for detecting active threats on Linux systems.
Details

Benjamin Zulliger
Released: March 9, 2026
Tables
Keywords
Operators