Forum Discussion
Executables created and executed within a short time - Microsoft Defender ATP Query
- Mar 11, 2023
Wrote this and it works well enough for my purposes. A couple of changes though. I also had to include FileRenamed, because Chromium-based browsers create the files under a different filename until the download is finished. Also, I separated hunting for PE executables (.exe, .com, .scr, .pif) from non-PE packages or scripts that depend on native PE executables (.msi [msiexec.exe], .bat [cmd.exe], .vbs [cscript.exe], .hta [mshta.exe], .ps1 [powershell.exe], etc.).
Created and executed PE within 5 minutes in the last 3 days
DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".exe" or FileName endswith ".com" or FileName endswith ".scr" or FileName endswith ".pif"
| join kind=inner (DeviceProcessEvents)
on DeviceId
| where Timestamp1 > ago(72h)
| where FolderPath == FolderPath1
| where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe"
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessFileName=FileName1, ProcHash=SHA2561
| project Created, PreviousFileName, Executed, Difference, DeviceName, ProcessFileName, FolderPath, AccountName, ProcessCommandLine, ProcHash
| order by Created desc
Created and executed Script within 5 minutes in the last 3 days
DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".msi" or FileName endswith ".cmd" or FileName endswith ".bat"
or FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".vbe"
or FileName endswith ".vb" or FileName endswith ".vbscript" or FileName endswith ".wsf"
or FileName endswith ".wsh" or FileName endswith ".msp" or FileName endswith ".ps1"
or FileName endswith ".psm1" or FileName endswith ".psd1"
| join kind=inner (DeviceProcessEvents)
on DeviceId
| where Timestamp1 > ago(72h)
| where ProcessCommandLine contains FileName
| where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe"
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessName=FileName1, FileHash=SHA256
| project Created, PreviousFileName, Executed, Difference, DeviceName, FileName, FolderPath, ProcessName, ProcessCommandLine, AccountName, FileHash
| order by Created desc
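The correlation the two queries above perform, reimplemented as an added Python example (not code from the thread or from the poster) over constructed sample events so the logic can be run offline. The event dictionaries, device ids, account names and hash placeholders are all made up for the example; the key names mirror the DeviceFileEvents and DeviceProcessEvents columns the KQL uses. It shows why FileRenamed matters for Chromium downloads (the .crdownload row never matches a PE extension, only the rename row does) and why the PE and script cases need different matching (path equality for a PE image, command-line containment for a script run by its host interpreter).

```python
from datetime import datetime, timedelta

# Extension groups from the posted queries: native PE images, and packages or
# scripts that run under a host PE (msiexec.exe, cmd.exe, cscript.exe, ...).
PE_EXTENSIONS = (".exe", ".com", ".scr", ".pif")
SCRIPT_EXTENSIONS = (".msi", ".cmd", ".bat", ".hta", ".vbs", ".vbe", ".vb",
                     ".vbscript", ".wsf", ".wsh", ".msp", ".ps1", ".psm1", ".psd1")
WINDOW = timedelta(minutes=5)


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample telemetry (not real data); keys mirror the advanced-hunting
# columns the thread's queries use. Hash values are placeholders.
FILE_EVENTS = [
    # Chromium-style download: written as .crdownload, then renamed to .exe.
    {"Timestamp": _ts("2023-03-11T10:00:00"), "DeviceId": "dev-1", "ActionType": "FileCreated",
     "FileName": "setup.exe.crdownload",
     "FolderPath": r"C:\Users\alice\Downloads\setup.exe.crdownload", "PreviousFileName": ""},
    {"Timestamp": _ts("2023-03-11T10:00:30"), "DeviceId": "dev-1", "ActionType": "FileRenamed",
     "FileName": "setup.exe",
     "FolderPath": r"C:\Users\alice\Downloads\setup.exe", "PreviousFileName": "setup.exe.crdownload"},
    # Script saved directly under its final name.
    {"Timestamp": _ts("2023-03-11T11:00:00"), "DeviceId": "dev-2", "ActionType": "FileCreated",
     "FileName": "run.ps1", "FolderPath": r"C:\Users\bob\Downloads\run.ps1", "PreviousFileName": ""},
    # Executable created now but not run until two hours later (outside the window).
    {"Timestamp": _ts("2023-03-11T12:00:00"), "DeviceId": "dev-3", "ActionType": "FileCreated",
     "FileName": "tool.exe", "FolderPath": r"C:\Users\carol\Downloads\tool.exe", "PreviousFileName": ""},
    # Executable written and started by a service, not by the interactive user.
    {"Timestamp": _ts("2023-03-11T13:00:00"), "DeviceId": "dev-4", "ActionType": "FileCreated",
     "FileName": "updater.exe", "FolderPath": r"C:\ProgramData\Vendor\updater.exe", "PreviousFileName": ""},
]

PROCESS_EVENTS = [
    {"Timestamp": _ts("2023-03-11T10:01:15"), "DeviceId": "dev-1", "FileName": "setup.exe",
     "FolderPath": r"C:\Users\alice\Downloads\setup.exe", "SHA256": "PLACEHOLDER_HASH_1",
     "ProcessCommandLine": r'"C:\Users\alice\Downloads\setup.exe"',
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe",
     "AccountName": "alice"},
    {"Timestamp": _ts("2023-03-11T11:00:20"), "DeviceId": "dev-2", "FileName": "powershell.exe",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SHA256": "PLACEHOLDER_HASH_2",
     "ProcessCommandLine": r"powershell.exe -File C:\Users\bob\Downloads\run.ps1",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe",
     "AccountName": "bob"},
    {"Timestamp": _ts("2023-03-11T14:00:00"), "DeviceId": "dev-3", "FileName": "tool.exe",
     "FolderPath": r"C:\Users\carol\Downloads\tool.exe", "SHA256": "PLACEHOLDER_HASH_3",
     "ProcessCommandLine": r'"C:\Users\carol\Downloads\tool.exe"',
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe",
     "AccountName": "carol"},
    {"Timestamp": _ts("2023-03-11T13:00:10"), "DeviceId": "dev-4", "FileName": "updater.exe",
     "FolderPath": r"C:\ProgramData\Vendor\updater.exe", "SHA256": "PLACEHOLDER_HASH_4",
     "ProcessCommandLine": r'"C:\ProgramData\Vendor\updater.exe" /silent',
     "InitiatingProcessFileName": "services.exe", "InitiatingProcessParentFileName": "wininit.exe",
     "AccountName": "SYSTEM"},
]


def classify(file_name):
    """Return "PE", "Script" or None. KQL endswith is case-insensitive, so lower-case first."""
    name = file_name.lower()
    if name.endswith(PE_EXTENSIONS):
        return "PE"
    if name.endswith(SCRIPT_EXTENSIONS):
        return "Script"
    return None


def launched_from_explorer(proc):
    """Mirror the posted filter on the initiating process or its parent."""
    return "explorer.exe" in (proc["InitiatingProcessFileName"], proc["InitiatingProcessParentFileName"])


def correlate(file_events, process_events, window=WINDOW):
    """Join file events to process events on DeviceId, then keep executions that
    happened 0 < delta < window after the file was created or renamed."""
    hits = []
    for f in file_events:
        if f["ActionType"] not in ("FileCreated", "FileRenamed"):
            continue
        kind = classify(f["FileName"])
        if kind is None:
            continue
        for p in process_events:
            if p["DeviceId"] != f["DeviceId"] or not launched_from_explorer(p):
                continue
            diff = p["Timestamp"] - f["Timestamp"]
            if not (timedelta(0) < diff < window):
                continue
            if kind == "PE":
                # The new file is the process image itself: match on the full path.
                if p["FolderPath"] != f["FolderPath"]:
                    continue
            else:
                # A script is an argument to its host interpreter, so look for the
                # file name inside the command line (KQL contains is case-insensitive).
                if f["FileName"].lower() not in p["ProcessCommandLine"].lower():
                    continue
            hits.append({
                "Kind": kind, "Created": f["Timestamp"], "Executed": p["Timestamp"],
                "Difference": diff, "DeviceId": f["DeviceId"], "FileName": f["FileName"],
                "PreviousFileName": f["PreviousFileName"], "FolderPath": f["FolderPath"],
                "ProcessFileName": p["FileName"], "ProcessCommandLine": p["ProcessCommandLine"],
                "AccountName": p["AccountName"], "SHA256": p["SHA256"],
            })
    return sorted(hits, key=lambda h: h["Created"], reverse=True)


if __name__ == "__main__":
    for hit in correlate(FILE_EVENTS, PROCESS_EVENTS):
        print(f'{hit["Kind"]:6} {hit["DeviceId"]} {hit["FileName"]} '
              f'(was {hit["PreviousFileName"] or "-"}) ran after {hit["Difference"]} '
              f'by {hit["AccountName"]}: {hit["ProcessCommandLine"]}')
```

The nested loop is the same join-on-DeviceId-then-filter that the KQL does, which is why both bounds on the time difference are needed: without the lower bound, a process that started before the file was written would also match. On the sample data only two rows survive: the renamed setup.exe (with PreviousFileName showing the .crdownload name) and run.ps1 launched through powershell.exe; tool.exe falls outside the window and updater.exe was not started from explorer.exe.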
- takeshiscatsle, Nov 17, 2023, Copper Contributor
genckelmendi I tried using the same kind of query, but only to block WinRAR, but it also blocked Chrome for the users. Any help?
union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(2d)
| extend ReportId = coalesce(tostring(column_ifexists("ReportId", "")), column_ifexists("ReportId_string", ""), tostring(column_ifexists("ReportId_long", "")))
| where FileName contains "winrar" and InitiatingProcessFileName contains "explorer.exe"
| where FileName endswith "exe"
| where ActionType == "FileCreated" or ActionType == "ProcessCreated" or ActionType contains "FileRenamed"
//| project Timestamp, DeviceName, DeviceId, ActionType, FileName, InitiatingProcessFileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessAccountUpn, ProcessCommandLine, AccountUpn, ReportId
| order by Timestamp desc