Query Details

Linux Privileged Command Detection

Query

//This query detects suspicious privilege escalation commands on Linux servers
//Monitors syslog for commands like chmod, chown, sudo, etc.
Syslog
// has_any is a case-insensitive whole-term match, so "su" matches "/bin/su" but not "sudo"
| where SyslogMessage has_any ("chmod", "chown", "sudo -i", "su", "adduser", "passwd", "deluser")
// sudo logs the target account as "USER=<name> ;" and the command as "COMMAND=<path> <args>"
| extend User = extract("USER=([^ ]+)", 1, SyslogMessage)
// capture the whole command including its arguments; "([^ ]+)" would stop at the first space and drop them
| extend CommandLine = extract("COMMAND=(.+)$", 1, SyslogMessage)
| summarize EventCount = count() by Computer, User, CommandLine

Explanation

This query is designed to identify potentially suspicious activities related to privilege escalation on Linux servers by analyzing system log messages (syslog). Here's a breakdown of what it does:

  1. Monitors Specific Commands: It looks for log entries that contain certain commands often associated with privilege escalation, such as chmod, chown, sudo -i, su, adduser, passwd, and deluser.

  2. Extracts User Information: For each log entry that matches, it extracts the username associated with the command using a pattern that looks for "USER=" followed by the username.

  3. Extracts Command Details: It also extracts the specific command that was executed, using a pattern that looks for "COMMAND=" followed by the command details.

  4. Counts Events: Finally, it counts how many times each combination of computer, user, and command line appears in the logs, summarizing the results by these fields.

In simple terms, this query helps detect and summarize potentially risky command executions on Linux servers by focusing on specific commands and tracking who executed them and on which machine.
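To show how the pipeline behaves on concrete input, here is an added Python emulation of the query; it is not part of the original page or the author's KQL. It assumes sudo's standard syslog line format (`USER=<target> ; COMMAND=<path> <args>`), approximates KQL's has_any with case-insensitive whole-term matching, and runs the summarize step twice: once with a `COMMAND=([^ ]+)` pattern, which keeps only the first token of the command, and once with a full-line pattern, so the difference in how invocations are grouped is visible. It also includes a constructed `pam_unix(passwd:...)` line that passes the keyword filter but carries no USER=/COMMAND= fields, which is how such rows surface in the summarized output. All sample rows are constructed.

```python
"""Emulates the Linux privileged-command KQL query over constructed Syslog rows."""
import re
from collections import Counter

# Constructed sample rows shaped like the Syslog table's (Computer, SyslogMessage)
# columns. The sudo lines follow sudo's "USER=<target> ; COMMAND=<path> <args>" format.
SAMPLE_ROWS = [
    ("web01", "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/chmod 4755 /tmp/x"),
    ("web01", "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/chmod 4755 /tmp/x"),
    ("web01", "sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd carol"),
    ("db02", "sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/adduser dave"),
    ("db02", "sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -"),
    # Matches the "passwd" term but is not a sudo record: no USER= or COMMAND= fields.
    ("db02", "passwd[4321]: pam_unix(passwd:chauthtok): password changed for dave"),
    # Contains none of the watched terms and is dropped by the where clause.
    ("db02", "sshd[2211]: pam_unix(sshd:session): session opened for user eve by (uid=0)"),
]

# Same term list as the query's has_any() clause.
WATCHED_TERMS = ["chmod", "chown", "sudo -i", "su", "adduser", "passwd", "deluser"]

# The page's pattern (first token only) and a full-command alternative.
FIRST_TOKEN_PATTERN = r"COMMAND=([^ ]+)"
FULL_COMMAND_PATTERN = r"COMMAND=(.+)$"


def has_any(message: str, terms) -> bool:
    """Approximation of KQL has_any: case-insensitive whole-term match, so "su"
    matches "/bin/su" but not "sudo" or "result" (assumption: KQL term semantics)."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, message, re.IGNORECASE):
            return True
    return False


def extract(pattern: str, message: str):
    """Approximation of KQL extract(regex, 1, source): first capture group, or None when
    the pattern does not match (the row is kept; the column is simply empty)."""
    match = re.search(pattern, message)
    return match.group(1) if match else None


def run_query(rows, command_pattern: str = FIRST_TOKEN_PATTERN) -> dict:
    """Runs the page's pipeline: where has_any -> extend User/CommandLine ->
    summarize EventCount = count() by Computer, User, CommandLine.
    Returns {(Computer, User, CommandLine): EventCount}."""
    counts = Counter()
    for computer, message in rows:
        if not has_any(message, WATCHED_TERMS):
            continue
        user = extract(r"USER=([^ ]+)", message)
        command_line = extract(command_pattern, message)
        counts[(computer, user, command_line)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, pattern in (("first token only", FIRST_TOKEN_PATTERN),
                           ("full command", FULL_COMMAND_PATTERN)):
        print(f"--- {label} ---")
        for (computer, user, cmd), n in sorted(run_query(SAMPLE_ROWS, pattern).items(), key=str):
            print(f"{computer:6} {str(user):6} {n}  {cmd}")
```

With the first-token pattern the two chmod rows and the su row lose their arguments (`/usr/bin/chmod`, `/bin/su`), so different invocations of the same binary collapse into one count; with the full pattern the arguments survive and each distinct command line is counted on its own. The pam_unix row appears in both outputs with an empty User and CommandLine, which is worth filtering on (for example `where isnotempty(CommandLine)`) if only sudo records are wanted.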

Details

Vighnesh Sivanesan

Released: November 10, 2024

Tables

Syslog

Keywords

Syslog, SyslogMessage, User, CommandLine, Computer, EventCount

Operators

has_any, extend, extract, summarize, count, by