Forum Discussion
Solved
Executables created and executed within a short time - Microsoft Defender ATP Query
I am trying to come up with an advanced hunting query in Defender ATP, that finds created files ending with .bat and .exe, and then searches for processes events on the same device no later than 30 m...
Wrote this and works good enough for my purposes. Couple of changes though. I had to include also FileRenamed, because chromium-based browsers create the files under different filename until the download is finished. Also, I separated hunting for PE executables (.exe, .com, .scr, .pif) and non-PE packages or scripts that are dependent upon native PE executables (.msi [msiexec.exe], .bat [cmd.exe], .vbs [cscript.exe], .hta [mshta.exe], .ps1 [powershell.exe] etc.).
Created and executed PE within 5 minutes in the last 3 days
DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".exe" or FileName endswith ".com" or FileName endswith ".scr" or FileName endswith ".pif"
| join kind=inner (DeviceProcessEvents)
on DeviceId
| where Timestamp1 > ago(72h)
| where FolderPath == FolderPath1
| where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe"
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessFileName=FileName1, ProcHash=SHA2561
| project Created, PreviousFileName, Executed, Difference, DeviceName, ProcessFileName, FolderPath, AccountName, ProcessCommandLine, ProcHash
| order by Created desc
Created and executed Script within 5 minutes in the last 3 daysDeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".msi" or FileName endswith ".cmd" or FileName endswith ".bat"
or FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".vbe"
or FileName endswith ".vb" or FileName endswith ".vbscript" or FileName endswith ".wsf"
or FileName endswith ".wsh" or FileName endswith ".msp" or FileName endswith ".ps1"
or FileName endswith ".psm1" or FileName endswith ".psd1"
| join kind=inner (DeviceProcessEvents)
on DeviceId
| where Timestamp1 > ago(72h)
| where ProcessCommandLine contains FileName
| where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe"
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessName=FileName1, FileHash=SHA256
| project Created, PreviousFileName, Executed, Difference, DeviceName, FileName, FolderPath, ProcessName, ProcessCommandLine, AccountName, FileHash
| order by Created desc
Wrote this and works good enough for my purposes. Couple of changes though. I had to include also FileRenamed, because chromium-based browsers create the files under different filename until the download is finished. Also, I separated hunting for PE executables (.exe, .com, .scr, .pif) and non-PE packages or scripts that are dependent upon native PE executables (.msi [msiexec.exe], .bat [cmd.exe], .vbs [cscript.exe], .hta [mshta.exe], .ps1 [powershell.exe] etc.).
Created and executed PE within 5 minutes in the last 3 days
DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".exe" or FileName endswith ".com" or FileName endswith ".scr" or FileName endswith ".pif"
| join kind=inner (DeviceProcessEvents)
on DeviceId
| where Timestamp1 > ago(72h)
| where FolderPath == FolderPath1
| where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe"
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessFileName=FileName1, ProcHash=SHA2561
| project Created, PreviousFileName, Executed, Difference, DeviceName, ProcessFileName, FolderPath, AccountName, ProcessCommandLine, ProcHash
| order by Created desc
Created and executed Script within 5 minutes in the last 3 daysDeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".msi" or FileName endswith ".cmd" or FileName endswith ".bat"
or FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".vbe"
or FileName endswith ".vb" or FileName endswith ".vbscript" or FileName endswith ".wsf"
or FileName endswith ".wsh" or FileName endswith ".msp" or FileName endswith ".ps1"
or FileName endswith ".psm1" or FileName endswith ".psd1"
| join kind=inner (DeviceProcessEvents)
on DeviceId
| where Timestamp1 > ago(72h)
| where ProcessCommandLine contains FileName
| where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe"
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessName=FileName1, FileHash=SHA256
| project Created, PreviousFileName, Executed, Difference, DeviceName, FileName, FolderPath, ProcessName, ProcessCommandLine, AccountName, FileHash
| order by Created desc
genckelmendi I tried using the same kind of query but only to block winrar. but it also blocked chrome for the users. any help?
union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents| where Timestamp > ago(2d)| extend ReportId = coalesce(tostring(column_ifexists("ReportId", "")),column_ifexists("ReportId_string", ""),tostring(column_ifexists("ReportId_long","")))| where FileName contains "winrar" and InitiatingProcessFileName contains "explorer.exe"| where FileName endswith "exe"| where ActionType == "FileCreated" or ActionType == "ProcessCreated" or ActionType contains "FileRenamed"//| project Timestamp, DeviceName, DeviceId, ActionType, FileName, InitiatingProcessFileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessAccountUpn, ProcessCommandLine, AccountUpn, ReportId| order by Timestamp desc
