Query Details

Linux LO Lbin Downloads To Temporary Directories

Query

let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (LinuxDeviceIds)
| where Timestamp > ago(24h)
| where FileName in ("curl", "wget", "nc", "ncat", "openssl", "python", "python3", "perl")
| where ProcessCommandLine has_any ("/tmp", "/var/tmp", "/dev/shm")
| project
    Timestamp,
    DeviceName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    ReportId
| order by Timestamp desc

About this query

Explanation

This KQL query is designed to help detect potential security threats on Linux systems by identifying the misuse of legitimate system tools, known as "living-off-the-land binaries" (LOLbins), to download files into temporary directories. Here's a simplified breakdown of the query and its purpose:

Purpose of the Query

  • Detecting Threats: The query aims to identify suspicious activities where attackers use built-in Linux tools to download and execute malicious payloads in temporary directories. This is a common tactic because it avoids leaving a significant footprint on the system.
  • Focus on Temporary Directories: Temporary directories like /tmp, /var/tmp, and /dev/shm are often used because they are writable by non-privileged users, not typically backed up, and can be cleared on reboot, making them attractive for attackers.

How the Query Works

  1. Identify Linux Devices: It first filters devices running Linux.
  2. Monitor Recent Activity: It looks at process events from the last 24 hours.
  3. Target Specific Tools: The query focuses on processes involving tools like curl, wget, nc, openssl, python, and perl, which are commonly abused by attackers.
  4. Check Command Lines: It checks if these tools are used with commands that involve temporary directories.
  5. Output Details: The query outputs details such as the timestamp, device name, file name, and command line used, which helps in investigating the context of the activity.

Why It Matters

  • Common Attack Pattern: This method of attack is prevalent in initial access and post-exploitation scenarios, making it crucial for threat hunting.
  • Legitimate Tools for Illegitimate Purposes: Attackers use trusted tools to avoid detection, making this query valuable for identifying such misuse.

When to Use This Query

  • Hunting for Initial Access: Useful for detecting early stages of an attack.
  • Investigating Suspicious Activity: Helps in examining unusual network behavior or red team exercises.
  • Detecting Fileless Attacks: Effective for identifying attacks that don't leave a significant on-disk footprint.

Considerations

  • Benign Activity: Some legitimate activities, like developer testing or CI/CD processes, might trigger this query, but such occurrences should be rare in most environments.
  • Testing: You can safely test the query by executing a harmless download command to see if it triggers the expected alert.

Overall, this query is a powerful tool for security teams to detect and investigate potential threats on Linux systems by focusing on the behavior and intent of processes rather than relying solely on file-system telemetry.

Details

Nathan Hutchinson profile picture

Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfoDeviceProcessEvents

Keywords

LinuxDevicesProcessCommandLineDeviceNameFileNameReportId

Operators

letinwheredistinctagohas_anyprojectorder by

Actions

GitHub