Forum Discussion
Cyberworm
May 04, 2024Copper Contributor
Appdomain hijack - kql query for detection
Hello guys, is anyone of you familiar with an AppDomain hijacking detection query? #kql
Cyberworm
May 05, 2024Copper Contributor
DeviceFileEvents
| where ActionType == "FileCreated"
// position of the first dot; indexof returns -1 when the name has no extension
| extend DotIndex = indexof(FileName, ".")
| where DotIndex > 0
| extend FileNameOnly = substring(FileName, 0, DotIndex)
// everything after the first dot, e.g. "exe.config" for foo.exe.config
| extend FileExtension = substring(FileName, DotIndex + 1)
| where FileExtension contains "exe.config"
Just completed splitting the filename and extension. Now the idea is to see if the file name matches and one file extension is .exe and the other file extension is .exe.config.
DylanInfosec
May 05, 2024Iron Contributor
Hey Cyberworm, love the idea.
Again, this is kinda rough, but with some work it should play nicely.
DeviceFileEvents
| where ActionType == "FileCreated"
| extend DotIndex = indexof(FileName, ".")
| where DotIndex > 0
| extend FileNameOnly = substring(FileName, 0, DotIndex)
// text after the first dot carries no leading dot: "exe" or "exe.config"
| extend FileExtension = substring(FileName, DotIndex + 1)
| where FileExtension contains @".config" or FileExtension =~ @"exe"
// summarize count() names its output column count_
| summarize count() by FileNameOnly
| where count_ > 1
I will be able to play around and test this out tomorrow, but if you get there first, let me know how it goes.
Thanks,
Dylan
Cyberworm
May 06, 2024Copper Contributor
I am getting lost now... lol. This detection is getting complex for me. I think it's good if we join the file creation events that happened within one or two minutes, then compare the filename prefixes and extensions in the first table and the second table, and see if the first and second match for filenames without extension.
Cyberworm
May 06, 2024Copper Contributor
Getting a lot of false positives... maybe my logic is wrong here.
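The time-window join sketched in the last two posts, written out as an added example (this is not a query from anyone in the thread). It assumes the standard Microsoft Defender XDR DeviceFileEvents schema (Timestamp, DeviceId, DeviceName, FolderPath, FileName, SHA1, InitiatingProcessFileName), and the 2-minute window, the 7-day lookback and the pairing key (same device, same folder, same base name) are my choices; the names exe_creates, config_creates, pair_window and the renamed columns are made up here.

```kql
// Added example: pair a newly written foo.exe with a foo.exe.config written in the
// same folder on the same device within pair_window, in either order.
let lookback = 7d;        // how far back to hunt (assumed)
let pair_window = 2m;     // max gap between the .exe and its .exe.config (assumed)
let exe_creates = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe"
    // strip the 4-character ".exe" to get the shared base name; lowercase for matching
    | extend BaseName = tolower(substring(FileName, 0, strlen(FileName) - 4))
    | project DeviceId, DeviceName, FolderPath, BaseName,
              ExeTime = Timestamp, ExeFile = FileName,
              ExeWriter = InitiatingProcessFileName, ExeSHA1 = SHA1;
let config_creates = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe.config"
    // strip the 11-character ".exe.config"
    | extend BaseName = tolower(substring(FileName, 0, strlen(FileName) - 11))
    | project DeviceId, FolderPath, BaseName,
              ConfigTime = Timestamp, ConfigFile = FileName,
              ConfigWriter = InitiatingProcessFileName, ConfigSHA1 = SHA1;
exe_creates
// joining on all three keys is what removes same-name hits from other devices/folders
| join kind=inner config_creates on DeviceId, FolderPath, BaseName
// keep only pairs whose two writes fall within the window, regardless of order
| where ConfigTime between ((ExeTime - pair_window) .. (ExeTime + pair_window))
| extend GapSeconds = datetime_diff("second", ConfigTime, ExeTime)
// optional tuning for noise: restrict to user-writable paths
// | where FolderPath startswith @"C:\Users\"
| project Timestamp = ExeTime, DeviceName, FolderPath, BaseName,
          ExeFile, ConfigFile, GapSeconds, ExeWriter, ConfigWriter, ExeSHA1, ConfigSHA1
| order by Timestamp desc
```

Two things to keep in mind when tuning this. First, legitimate .NET installers and updaters write an application's .exe and its .exe.config together all the time, so expect most hits under Program Files to be benign; grouping by ExeWriter and baselining the common writers, or narrowing to user-writable folders as in the commented line, is usually where the false positives from the last post go away. Second, DeviceFileEvents only shows that the pair was written, not what the config contains; the config's contents are what actually decide whether the pair is suspicious, so the hits from this query are triage candidates whose .exe.config should be pulled and inspected, not a verdict.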