Query Details

Plink Tunneling Forwarding

Query

Tags:

Query:    
    DeviceProcessEvents
    | where ProcessCommandLine contains "*:"
        and ProcessCommandLine has_any("-L", "-P", "-R", "-pw", "-ssh")
    | where InitiatingProcessFolderPath != @"/bin/bash"
        and FolderPath != @"/bin/bash"

References:

Explanation

The query searches DeviceProcessEvents for process command lines that contain the string "*:" together with any of the switches -L, -P, -R, -pw or -ssh (the Plink/SSH port-forwarding, port and password options), and excludes events where either the InitiatingProcessFolderPath or the FolderPath is "/bin/bash".
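The same hunting logic applied to constructed sample rows, as an added example that is not part of the original query page. Because KQL `contains` is a literal substring match, the "*:" above does not act as a wildcard; this example assumes the intent is the `port:host:port` forwarding spec that follows -L or -R, and it also flags a -pw password on the command line as a separate finding.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"FolderPath": r"C:\Users\jdoe\Downloads\plink.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32\cmd.exe",
     "ProcessCommandLine": "plink.exe -ssh -pw s3cret -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"FolderPath": "/usr/bin/ssh",
     "InitiatingProcessFolderPath": "/bin/bash",          # excluded by the query
     "ProcessCommandLine": "ssh -L 8080:localhost:80 user@host.example"},
    {"FolderPath": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\explorer.exe",
     "ProcessCommandLine": "ssh.exe -P 22 git@github.com"},   # -P alone: no tunnel
]

FORWARD_SWITCHES = {"-L", "-R"}      # switches whose argument is a forwarding spec
EXCLUDED_PATHS = {"/bin/bash"}       # the query's exclusion list
# [listen-addr:]port:host:port as accepted by plink/ssh -L and -R (assumed shape)
FORWARD_SPEC = re.compile(r"^(?:[\w.\-\[\]]+:)?\d{1,5}:[\w.\-\[\]]+:\d{1,5}$")


def classify(event):
    """Return a finding dict when the row looks like a tunnel, else None."""
    if (event["InitiatingProcessFolderPath"] in EXCLUDED_PATHS
            or event["FolderPath"] in EXCLUDED_PATHS):
        return None
    args = event["ProcessCommandLine"].split()
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if arg in FORWARD_SWITCHES and FORWARD_SPEC.match(nxt):
            return {"switch": arg, "spec": nxt, "plaintext_password": "-pw" in args}
    return None


def hunt(events):
    """Apply classify() to every row and keep only the hits."""
    hits = []
    for event in events:
        finding = classify(event)
        if finding:
            hits.append((event["FolderPath"], finding))
    return hits


if __name__ == "__main__":
    for path, finding in hunt(SAMPLE_EVENTS):
        print(path, finding)
```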

Details


Ali Hussein

Released: September 24, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, ProcessCommandLine, InitiatingProcessFolderPath, FolderPath

Operators

|, where, contains, and, has_any, !=
