SOLVED

Executables created and executed within a short time - Microsoft Defender ATP Query


I am trying to come up with an advanced hunting query in Defender ATP that finds created files ending with .bat and .exe, and then searches for process events on the same device no later than 30 minutes after the creation time of the .bat/.exe file, where the created filename is contained in ProcessCommandLine, OR where the created filename is equal to the process FileName.

Examples. A setup.exe is downloaded and executed after 7 minutes (the process FileName is equal to the created FileName, and the time window between these events is less than 30 minutes). Alternatively, a setup.bat is downloaded and executed after 29 minutes: cmd.exe is launched with the parameter /c "C:\Users\username\Downloads\setup.bat", so setup.bat is a substring (contained) within the ProcessCommandLine, and the interval between these events is less than 30 minutes.

 

Any help greatly appreciated. Thank you.

2 Replies
best response confirmed by genckelmendi (Copper Contributor)
Solution

@genckelmendi 

Wrote this and it works well enough for my purposes. A couple of changes, though. I also had to include FileRenamed, because Chromium-based browsers create the file under a different filename until the download is finished. Also, I separated hunting for PE executables (.exe, .com, .scr, .pif) from non-PE packages or scripts that depend on native PE executables (.msi [msiexec.exe], .bat [cmd.exe], .vbs [cscript.exe], .hta [mshta.exe], .ps1 [powershell.exe] etc.).

Created and executed PE within 5 minutes in the last 3 days

// PE files created (or renamed: Chromium browsers download under a temporary name) in the last 3 days
DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".exe" or FileName endswith ".com" or FileName endswith ".scr" or FileName endswith ".pif"
// Process starts on the same device launched from Explorer (directly or one level down); filtered before the join so it stays small
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(72h)
    | where InitiatingProcessFileName == "explorer.exe" or InitiatingProcessParentFileName == "explorer.exe"
) on DeviceId
// Same full path as the created file, started within 5 minutes after creation
| where FolderPath == FolderPath1
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessFileName=FileName1, ProcHash=SHA2561
| project Created, PreviousFileName, Executed, Difference, DeviceName, ProcessFileName, FolderPath, AccountName, ProcessCommandLine, ProcHash
| order by Created desc

Created and executed Script within 5 minutes in the last 3 days

// Non-PE packages and scripts, which run through a host executable (msiexec.exe, cmd.exe, cscript.exe, mshta.exe, powershell.exe)
DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated" or ActionType == "FileRenamed"
| where FileName endswith ".msi" or FileName endswith ".cmd" or FileName endswith ".bat"
    or FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".vbe"
    or FileName endswith ".vb" or FileName endswith ".vbscript" or FileName endswith ".wsf"
    or FileName endswith ".wsh" or FileName endswith ".msp" or FileName endswith ".ps1"
    or FileName endswith ".psm1" or FileName endswith ".psd1"
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(72h)
    | where InitiatingProcessFileName == "explorer.exe" or InitiatingProcessParentFileName == "explorer.exe"
) on DeviceId
// The host process's command line carries the script path, so match on the created file name
| where ProcessCommandLine contains FileName
| where (Timestamp1 - Timestamp) < timespan(5m) and (Timestamp1 - Timestamp) > timespan(0m)
| extend Difference = Timestamp1 - Timestamp
| project-rename Created=Timestamp, Executed=Timestamp1, ProcessName=FileName1, FileHash=SHA256
| project Created, PreviousFileName, Executed, Difference, DeviceName, FileName, FolderPath, ProcessName, ProcessCommandLine, AccountName, FileHash
| order by Created desc
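
The two queries above join DeviceFileEvents to DeviceProcessEvents on DeviceId alone, so every created file is first paired with every process start on that device in the three-day range and only then trimmed by the time condition; on a busy tenant that join is what makes the query slow or push against result limits. The query below is an added example, not the thread author's, showing the same correlation written with the Kusto time-window join pattern (a bucketed TimeKey on both sides, so rows are only paired when they fall into adjacent 15-minute buckets), using the 30-minute window and the either/or match from the original question (the process image is the created file, or the created filename appears in the command line). Column names are those of the Defender advanced hunting schema already used in the thread; lookupWindow, lookupBin and the renamed output columns are my own names.

```kusto
// Added example (not from the thread): time-window join between file creation and process start.
let lookupWindow = 30m;               // window from the question: executed within 30 minutes of creation
let lookupBin = lookupWindow / 2.0;   // bucket size; three buckets cover any 30-minute span
DeviceFileEvents
| where Timestamp > ago(3d)
| where ActionType in ("FileCreated", "FileRenamed")   // FileRenamed catches browser partial-download names
| where FileName endswith ".exe" or FileName endswith ".bat"
| project DeviceId, DeviceName, Created = Timestamp, CreatedFileName = FileName,
          CreatedFolderPath = FolderPath, PreviousFileName, CreatedSHA256 = SHA256,
          WrittenBy = InitiatingProcessFileName
// Each created file gets the three time buckets that a process start inside the window could fall into
| extend TimeKey = range(bin(Created, lookupBin), bin(Created + lookupWindow, lookupBin), lookupBin)
| mv-expand TimeKey to typeof(datetime)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(3d)
    | project DeviceId, Executed = Timestamp, ProcessFileName = FileName, ProcessFolderPath = FolderPath,
              ProcessCommandLine, ProcessSHA256 = SHA256, AccountName,
              LaunchedBy = InitiatingProcessFileName
    | extend TimeKey = bin(Executed, lookupBin)        // a process start sits in exactly one bucket
) on DeviceId, TimeKey
// The bucket match is only a prefilter; apply the exact window and the either/or condition from the question
| where Executed > Created and Executed - Created < lookupWindow
| where (ProcessFileName =~ CreatedFileName and ProcessFolderPath =~ CreatedFolderPath)
     or ProcessCommandLine contains CreatedFileName
| extend Difference = Executed - Created
| project Created, Executed, Difference, DeviceName, CreatedFileName, CreatedFolderPath, PreviousFileName,
          WrittenBy, ProcessFileName, LaunchedBy, ProcessCommandLine, AccountName, CreatedSHA256, ProcessSHA256
| order by Created desc
```

Because each process row carries exactly one TimeKey and each created file is expanded to three distinct keys, a given file/process pair is joined at most once, so no de-duplication step is needed. The command-line match is deliberately the loosest part: a bare name such as setup.exe occurs in many unrelated command lines, so in practice the analyst will want to restrict that branch to known script hosts (cmd.exe, cscript.exe, mshta.exe, powershell.exe, msiexec.exe) or match on the full path, as the accepted answer's explorer.exe filter does in a different way. Keeping PreviousFileName and WrittenBy in the output shows which browser wrote the file and what temporary name it had.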

@genckelmendi I tried using the same kind of query, but only to block WinRAR. But it also blocked Chrome for the users. Any help?

union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(2d)
| extend ReportId = coalesce(tostring(column_ifexists("ReportId", "")),column_ifexists("ReportId_string", ""),tostring(column_ifexists("ReportId_long","")))
| where FileName contains "winrar" and  InitiatingProcessFileName contains "explorer.exe"
| where FileName endswith "exe"
| where ActionType == "FileCreated" or ActionType == "ProcessCreated" or ActionType contains "FileRenamed"
//| project Timestamp, DeviceName, DeviceId, ActionType, FileName, InitiatingProcessFileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessAccountUpn, ProcessCommandLine, AccountUpn, ReportId
| order by Timestamp desc
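
Before a custom detection that carries a response action is enabled, the query behind it should be dry-run and its matches summarized, so that unexpected hits show up as rows in a result set rather than as users whose applications were blocked. The query below is an added check, not the poster's rule: it keeps the poster's filters but replaces the projection with a summary per source table, action type and how tightly the file name matched, so it surfaces which rows a loose "contains winrar" filter picks up without explaining on its own why Chrome was affected. It assumes the same Defender advanced hunting schema as the thread; Matcher and the other output column names are my own.

```kusto
// Added check (not from the thread): dry-run the candidate rule's filters and summarize what they match.
union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(2d)
| where ActionType in ("FileCreated", "FileRenamed", "ProcessCreated")
| where FileName endswith "exe"
| where FileName contains "winrar" and InitiatingProcessFileName contains "explorer.exe"
// Classify how tightly each row matches, so the effect of loosening or tightening the filter is visible
| extend Matcher = case(FileName =~ "winrar.exe", "exact image name",
                        FileName startswith "winrar", "prefix (e.g. installer package)",
                        "substring")
| summarize Hits = count(), Devices = dcount(DeviceId),
            Examples = make_set(strcat(FolderPath, " | ", InitiatingProcessFileName), 5)
          by SourceTable, ActionType, Matcher
| order by Hits desc
```

Rows in the "substring" or "prefix" groups, or with a FolderPath that is not the WinRAR install location, are the ones to examine before the rule is re-enabled; once the summary contains only the intended rows, the same filters can be tightened (for example FileName =~ "winrar.exe" instead of contains) and carried back into the detection.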