Query Details

Copytmptousers

Query

Tags:

Query:

// Hunt for cp invocations whose command line references both a Users path and a tmp path
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName == "cp"
   and ProcessCommandLine contains "Users"   // KQL contains / !contains are case-insensitive
   and ProcessCommandLine contains "tmp"
   and FileName != "vpndownloader"
   // "userspace-consumer.ko" also satisfies contains "Users", so this path is excluded explicitly
   and ProcessCommandLine !contains "generic/kernel/drivers/regulator/userspace-consumer.ko"
   and ProcessCommandLine != "/bin/cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist.old"
   and InitiatingProcessCommandLine !contains "Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework"


Resources:

Explanation

The query unions the DeviceFileEvents and DeviceProcessEvents tables and keeps events from the last 7 days where the file name is cp and the process command line contains both "Users" and "tmp". It then excludes four sources of noise: the file name vpndownloader, command lines that reference the generic/kernel/drivers/regulator/userspace-consumer.ko path, the exact command that backs up /Library/Preferences/SystemConfiguration/preferences.plist, and processes whose initiating command line references the Google Chrome Framework.
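The same predicate re-implemented in Python and run over constructed sample rows, as an added example that is not part of the original query page; the row shape, the Id field, NOW and the sample command lines are assumptions. It shows why the userspace-consumer.ko exclusion exists: KQL `contains` is case-insensitive, so "userspace" satisfies `contains "Users"`.

```python
"""Python re-implementation of the KQL where-clause above, applied to constructed
DeviceProcessEvents-style rows (added example; rows and NOW are assumptions)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 10, 26, tzinfo=timezone.utc)  # assumed evaluation time
CHROME_FW = "Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework"
REGULATOR_KO = "generic/kernel/drivers/regulator/userspace-consumer.ko"
PLIST_BACKUP = ("/bin/cp /Library/Preferences/SystemConfiguration/preferences.plist "
                "/Library/Preferences/SystemConfiguration/preferences.plist.old")

def kql_contains(haystack, needle):
    """KQL `contains` / `!contains` compare case-insensitively (contains_cs does not)."""
    return needle.lower() in haystack.lower()

def matches(row, now=NOW):
    """True when a row satisfies the query predicate; == and != stay case-sensitive."""
    if row["Timestamp"] < now - timedelta(days=7):          # Timestamp >= ago(7d)
        return False
    # ProcessCommandLine is not a DeviceFileEvents column, so unioned rows from that
    # table carry null here and can never match; treat missing as empty string.
    cmd = row.get("ProcessCommandLine") or ""
    parent = row.get("InitiatingProcessCommandLine") or ""
    return (row["FileName"] == "cp"
            and kql_contains(cmd, "Users") and kql_contains(cmd, "tmp")
            and row["FileName"] != "vpndownloader"           # already implied by == "cp"
            and not kql_contains(cmd, REGULATOR_KO)
            and cmd != PLIST_BACKUP
            and not kql_contains(parent, CHROME_FW))

def hunt(rows, now=NOW):
    """Return the Ids of the rows the query would surface."""
    return [r["Id"] for r in rows if matches(r, now)]

def _row(i, days_ago, fname, cmd, parent="/bin/zsh"):
    return {"Id": i, "Timestamp": NOW - timedelta(days=days_ago), "FileName": fname,
            "ProcessCommandLine": cmd, "InitiatingProcessCommandLine": parent}

# Constructed sample rows, not real telemetry
SAMPLE_ROWS = [
    _row(1, 1, "cp", "cp /Users/alice/Documents/notes.txt /tmp/n.txt"),     # hit
    _row(2, 10, "cp", "cp /Users/alice/Documents/notes.txt /tmp/n.txt"),    # outside 7d
    _row(3, 2, "cp", "cp /users/bob/report.pdf /private/TMP/r.pdf"),        # hit: case-insensitive
    _row(4, 1, "cp", "cp /lib/modules/generic/kernel/drivers/regulator/"
                     "userspace-consumer.ko /tmp/"),                        # "userspace" hit "Users"; excluded
    _row(5, 3, "cp", "cp /Users/bob/Library/Caches/x /tmp/y",
         "/Applications/" + CHROME_FW + "/Helpers/h"),                      # Chrome parent; excluded
    _row(6, 1, "mv", "mv /Users/carol/key.pem /tmp/k.pem"),                 # not cp
]
```

Running `hunt(SAMPLE_ROWS)` returns `[1, 3]`: only the two plain cp copies survive the time window and the four exclusions.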

Details

Ali Hussein

Released: October 26, 2023

Tables

DeviceFileEvents, DeviceProcessEvents

Keywords

Devices, Intune, User

Operators

union, where, ago, contains, !=, !contains