Query Details

Anti Lock Or Idle Software

Query

//This query looks for files or processes known to keep PC awake and bypass screen lock timeout
let searchterms = dynamic(["MouseJiggle", "jiggle", "MoveMouse", "mousemove", "AutoClick", "Auto-Click", "Auto Click", "MadKey", "KeyPress", "Presser", "Wiggle", "TinyTask", "tinytask.exe", "Tiny Task", "Tiny-Task", "mouse click", "mouse-click", "mouseclick", "auto press", "autopress", "auto-press", "mouse macro", "mouse-macro", "sleep preventer","PowerToys.Awake.exe"]);
//
let FileEvents = DeviceFileEvents
| where ActionType <> "FileDeleted"
| where isnotempty(SHA256) 
| where FileName has_any (searchterms)
| where FileName !endswith ".pdf" and FileName !endswith ".gif" and FileName !has "msedge.exe" and FileName != "iexplore.exe" and FileName != "AcroRd32.exe"
| extend MOTW = replace_string(FileOriginUrl,'.','[.]')
| extend MOTW_VT = iff(isnotempty(MOTW),strcat(@"https://www.virustotal.com/gui/url/",hash_sha256(FileOriginUrl)),MOTW)
| project InitiatingProcessAccountUpn, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName,MOTW_VT, SHA1; 
//
let ProcessEvents = DeviceProcessEvents
| where ProcessCommandLine has_any (searchterms) or FileName has_any (searchterms)
| where FileName !endswith ".pdf" and FileName !endswith ".gif" and FileName !has "msedge.exe" and FileName != "iexplore.exe" and FileName != "AcroRd32.exe"
| where isnotempty(SHA256) 
| project AccountUpn, DeviceName, FileName, FolderPath, SHA256, SHA1;
//
FileEvents
| union ProcessEvents
| extend account = iif(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, iif(isnotempty(AccountUpn), AccountUpn, InitiatingProcessAccountName))
| project-away InitiatingProcessAccountUpn, AccountUpn
| extend VirusTotal = strcat("https://www.virustotal.com/gui/file/",SHA256)
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| distinct DeviceName, FileName, FolderPath, SHA256, account, Signer,Issuer, MOTW_VT, VirusTotal
| project-reorder account, DeviceName, FileName, FolderPath, Signer, Issuer, MOTW_VT, VirusTotal, SHA256
| extend Account_0_Name = account
| extend Host_0_HostName = DeviceName
| extend File_0_Name = FileName
| extend File_0_Directory = FolderPath
| extend FileHash_0_Value = SHA256

Explanation

This query is designed to identify files or processes on a computer that are known to prevent the PC from going to sleep or bypass the screen lock timeout. Here's a simple breakdown of what the query does:

  1. Define Search Terms: It starts by defining a list of keywords (searchterms) that are associated with applications or scripts that can keep a PC awake, such as "MouseJiggle", "AutoClick", "TinyTask", etc.

  2. File Events:
    • It searches through device file events to find files whose name matches any of the keywords in searchterms.
    • It excludes files that have been deleted and ensures the file has a SHA256 hash.
    • It filters out certain file types (.pdf, .gif) and specific applications such as PDF readers and web browsers.
    • It defangs the file's origin URL (mark of the web) and creates a VirusTotal URL lookup link for files with a web origin, allowing further investigation of the file's reputation.

  3. Process Events:
    • It searches through device process events for processes that match the searchterms either in the command line or in the file name.
    • As with file events, it excludes certain file types and specific applications and ensures the process image has a SHA256 hash.

  4. Combine Results:
    • It combines the results from both file and process events.
    • It determines the account associated with each event, preferring the initiating process UPN, then the process account UPN, then the initiating process account name.
    • It creates a VirusTotal file lookup link for each file based on its SHA256 hash.

  5. Join with Certificate Info:
    • It left-joins the results with DeviceFileCertificateInfo on SHA1 to identify the signer and issuer of the files where a certificate is known.

  6. Output:
    • It produces a distinct list of devices, files, and associated information, including account names, file paths, signer and issuer, and links to VirusTotal.
    • It copies the account name, device name, file name, directory, and file hash into the fixed output columns (Account_0_Name, Host_0_HostName, File_0_Name, File_0_Directory, FileHash_0_Value).

Overall, this query helps in identifying potentially suspicious applications or scripts that might be used to keep a computer awake or bypass security measures, providing detailed information for further investigation.
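As an added example (not part of the published query), the File Events filter from step 2 run over a constructed stand-in for DeviceFileEvents, so the term list can be checked before hunting. It shows that has_any matches whole terms rather than substrings: a name such as MouseJiggler.exe is not returned unless the term list is extended. Every file name, path, hash and URL below is made up.

```kql
// Added example, not part of the published query: runs the query's FileName
// filter over constructed rows so the term list can be tuned before hunting.
// All file names, paths, hashes and URLs below are made up for this demo.
let searchterms = dynamic(["MouseJiggle", "jiggle", "MoveMouse", "mousemove", "AutoClick", "Auto-Click", "Auto Click", "MadKey", "KeyPress", "Presser", "Wiggle", "TinyTask", "tinytask.exe", "Tiny Task", "Tiny-Task", "mouse click", "mouse-click", "mouseclick", "auto press", "autopress", "auto-press", "mouse macro", "mouse-macro", "sleep preventer","PowerToys.Awake.exe"]);
// Constructed stand-in for DeviceFileEvents with only the columns the filter uses.
let SampleFileEvents = datatable(ActionType:string, FileName:string, FolderPath:string, SHA256:string, FileOriginUrl:string)
[
  // whole-term match on "TinyTask"; downloaded, so an origin URL is present
  "FileCreated", "TinyTask.exe", @"C:\Users\demo\Downloads\TinyTask.exe", "0000000000000000000000000000000000000000000000000000000000000001", "https://downloads.example/TinyTask.exe",
  // has_any matches whole terms only: "MouseJiggler" is a single term, so neither
  // "jiggle" nor "MouseJiggle" matches it and this row is not returned
  "FileCreated", "MouseJiggler.exe", @"C:\Users\demo\Downloads\MouseJiggler.exe", "0000000000000000000000000000000000000000000000000000000000000002", "",
  // term match is case-insensitive
  "FileCreated", "autoclick.exe", @"C:\Tools\autoclick.exe", "0000000000000000000000000000000000000000000000000000000000000003", "",
  // exact match on the full file name term; locally installed, no origin URL
  "FileRenamed", "PowerToys.Awake.exe", @"C:\Program Files\PowerToys\PowerToys.Awake.exe", "0000000000000000000000000000000000000000000000000000000000000004", "",
  // dropped by the extension filter even though the terms match
  "FileCreated", "mouse-click-guide.pdf", @"C:\Users\demo\Documents\mouse-click-guide.pdf", "0000000000000000000000000000000000000000000000000000000000000005", "https://docs.example/mouse-click-guide.pdf",
  // dropped because deleted files are excluded
  "FileDeleted", "jiggle.exe", @"C:\Users\demo\Desktop\jiggle.exe", "0000000000000000000000000000000000000000000000000000000000000006", "",
  // dropped because the hash is empty (file not yet hashed by the sensor)
  "FileCreated", "MadKey.exe", @"C:\Users\demo\Desktop\MadKey.exe", "", ""
];
SampleFileEvents
| where ActionType <> "FileDeleted"
| where isnotempty(SHA256)
| where FileName has_any (searchterms)
| where FileName !endswith ".pdf" and FileName !endswith ".gif" and FileName !has "msedge.exe" and FileName != "iexplore.exe" and FileName != "AcroRd32.exe"
// defang the origin URL; build a VirusTotal URL lookup link only when an origin exists
| extend MOTW = replace_string(FileOriginUrl, '.', '[.]')
| extend MOTW_VT = iff(isnotempty(MOTW), strcat(@"https://www.virustotal.com/gui/url/", hash_sha256(FileOriginUrl)), MOTW)
| extend VirusTotal = strcat("https://www.virustotal.com/gui/file/", SHA256)
| project FileName, FolderPath, MOTW_VT, VirusTotal
```

Rows that should have matched but do not (such as the MouseJiggler case) are candidates for new entries in searchterms.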

Details


Jay Kerai

Released: November 14, 2024

Tables

DeviceFileEvents, DeviceProcessEvents, DeviceFileCertificateInfo

Keywords

DeviceFileEvents, ProcessEvents, Account, File, FolderPath, Signer, Issuer, VirusTotal

Operators

let, dynamic, |, where, isnotempty, has_any, !endswith, !has, !=, extend, replace_string, iff, strcat, hash_sha256, project, or, union, iif, project-away, join, kind=leftouter, distinct, project-reorder
