Query Details

PKEXEC

Query

// Looking for pkexec command-lines run by root
DeviceProcessEvents
// 'has' is a whole-term, case-insensitive match: "/usr/bin/pkexec ..." matches, a different binary name does not
| where ProcessCommandLine has "pkexec" and AccountName == "root"
// Keep the launching process and its parent so the hit can be triaged
| project DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName

Explanation

This query looks for process-creation events where the command line contains the term "pkexec" (the polkit helper, itself setuid root, that runs a program as another user, normally root) and the process ran under the "root" account. Because `has` is a whole-term, case-insensitive match, a full path such as /usr/bin/pkexec still matches, while a different binary whose name merely contains those letters does not. The projected columns give the device name, the pkexec command line, the command line of the process that launched it, and the file name of that process's parent, which is the context needed to tell a routine administrative invocation from one started by an unexpected process or user. Expect benign hits where root or management tooling calls pkexec legitimately; the initiating-process columns are what separate those from suspicious ones.
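The predicate above, as an added example that is not part of this page or of the KQL library: it emulates the query over a handful of constructed DeviceProcessEvents-style rows, approximating KQL `has` as a case-insensitive whole-term match, and adds an assumed refinement (not on the page) that keeps only root pkexec processes whose initiating process ran as a non-root account, using the real InitiatingProcessAccountName column. All rows, host names and command lines are made up for illustration.

```python
import re

# KQL `has` is a case-insensitive whole-term match. Terms are approximated
# here as runs of alphanumeric characters, so "/usr/bin/pkexec" contains the
# term "pkexec" but "/usr/sbin/pkexecd" does not.
_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_has(haystack: str, term: str) -> bool:
    """Approximation of KQL `has`: whole-term, case-insensitive."""
    wanted = term.lower()
    return any(tok.lower() == wanted for tok in _TERM_RE.findall(haystack))


# Constructed sample rows (not real telemetry) using the DeviceProcessEvents
# column names the query touches, plus InitiatingProcessAccountName for the
# boundary-crossing refinement below.
SAMPLE_EVENTS = [
    {"DeviceName": "lnx-web01", "AccountName": "root",
     "ProcessCommandLine": "/usr/bin/pkexec /usr/bin/true",
     "InitiatingProcessAccountName": "alice",          # non-root launcher
     "InitiatingProcessCommandLine": "/tmp/build/a.out",
     "InitiatingProcessParentFileName": "bash"},
    {"DeviceName": "lnx-web01", "AccountName": "root",
     "ProcessCommandLine": "pkexec --user root /bin/bash",
     "InitiatingProcessAccountName": "root",           # root shell, routine
     "InitiatingProcessCommandLine": "/bin/bash",
     "InitiatingProcessParentFileName": "sshd"},
    {"DeviceName": "lnx-web02", "AccountName": "alice",  # not root: excluded
     "ProcessCommandLine": "/usr/bin/pkexec /usr/bin/systemctl status",
     "InitiatingProcessAccountName": "alice",
     "InitiatingProcessCommandLine": "/bin/bash",
     "InitiatingProcessParentFileName": "sshd"},
    {"DeviceName": "lnx-web02", "AccountName": "root",   # made-up name: term is 'pkexecd', no match
     "ProcessCommandLine": "/usr/sbin/pkexecd --daemon",
     "InitiatingProcessAccountName": "root",
     "InitiatingProcessCommandLine": "/sbin/init",
     "InitiatingProcessParentFileName": "init"},
    {"DeviceName": "lnx-db01", "AccountName": "root",    # no pkexec at all
     "ProcessCommandLine": "/bin/ls -la /tmp",
     "InitiatingProcessAccountName": "root",
     "InitiatingProcessCommandLine": "/bin/bash",
     "InitiatingProcessParentFileName": "sshd"},
]

# Columns kept by the query's `project`.
PROJECTED = ("DeviceName", "ProcessCommandLine",
             "InitiatingProcessCommandLine", "InitiatingProcessParentFileName")


def run_query(events):
    """`where ProcessCommandLine has "pkexec" and AccountName == "root"`
    followed by the query's `project`."""
    return [{col: ev[col] for col in PROJECTED}
            for ev in events
            if kql_has(ev["ProcessCommandLine"], "pkexec")
            and ev["AccountName"] == "root"]


def run_query_boundary_only(events):
    """Assumed refinement (not on the page): keep only root pkexec processes
    launched by a non-root account, i.e. a privilege boundary was crossed.
    Root shells invoking pkexec are dropped as routine noise."""
    return [{col: ev[col] for col in PROJECTED}
            for ev in events
            if kql_has(ev["ProcessCommandLine"], "pkexec")
            and ev["AccountName"] == "root"
            and ev["InitiatingProcessAccountName"] != "root"]


if __name__ == "__main__":
    print("base query:")
    for row in run_query(SAMPLE_EVENTS):
        print(" ", row)
    print("boundary-crossing only:")
    for row in run_query_boundary_only(SAMPLE_EVENTS):
        print(" ", row)
```

The base predicate returns two of the five rows; the refinement drops the root-shell invocation and keeps only the one where an unprivileged initiating process produced a root pkexec child. In KQL the same narrowing is a single extra condition on InitiatingProcessAccountName in the `where` clause.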

Details


Rod Trent

Released: January 26, 2022

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, ProcessCommandLine, AccountName, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName

Operators

where, has, and, ==, project
