Anti Lock Or Idle Software
Query
//This query looks for files or processes known to keep PC awake and bypass screen lock timeout
let searchterms = dynamic(["MouseJiggle", "jiggle", "MoveMouse", "mousemove", "AutoClick", "Auto-Click", "Auto Click", "MadKey", "KeyPress", "Presser", "Wiggle", "TinyTask", "tinytask.exe", "Tiny Task", "Tiny-Task", "mouse click", "mouse-click", "mouseclick", "auto press", "autopress", "auto-press", "mouse macro", "mouse-macro", "sleep preventer","PowerToys.Awake.exe","Amphetamine","caffeine"]);
let FileEvents = DeviceFileEvents
| where ActionType <> "FileDeleted"
| where isnotempty(SHA256)
| where FileName has_any (searchterms)
| where FileName !endswith ".pdf" and FileName !endswith ".gif" and FileName !has "msedge.exe" and FileName != "iexplore.exe" and FileName != "AcroRd32.exe"
| extend MOTW = replace_string(FileOriginUrl,'.','[.]')
| extend MOTW_VT = iff(isnotempty(MOTW),strcat(@"https://www.virustotal.com/gui/url/",hash_sha256(FileOriginUrl)),MOTW)
| project InitiatingProcessAccountUpn, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName,MOTW_VT, SHA1;
let ProcessEvents = DeviceProcessEvents
| where ProcessCommandLine has_any (searchterms) or FileName has_any (searchterms)
| where FileName !endswith ".pdf" and FileName !endswith ".gif" and FileName !has "msedge.exe" and FileName != "iexplore.exe" and FileName != "AcroRd32.exe"
| where isnotempty(SHA256)
| project AccountUpn, DeviceName, FileName, FolderPath, SHA256, SHA1;
FileEvents
| union ProcessEvents
| extend account = iif(isnotempty(InitiatingProcessAccountUpn), account = InitiatingProcessAccountUpn, iif(isnotempty(AccountUpn),account = AccountUpn,account = InitiatingProcessAccountName))
| project-away InitiatingProcessAccountUpn, AccountUpn
| extend VirusTotal = strcat("https://www.virustotal.com/gui/file/",SHA256)
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| distinct DeviceName, FileName, FolderPath, SHA256, account, Signer,Issuer, MOTW_VT, VirusTotal
| project-reorder account, DeviceName, FileName, FolderPath, Signer, Issuer, MOTW_VT, VirusTotal, SHA256
| extend Account_0_Name = account
| extend Host_0_HostName = DeviceName
| extend File_0_Name = FileName
| extend File_0_Directory = FolderPath
| extend FileHash_0_Value = SHA256Explanation
This query is designed to identify files or processes on a device that are known to prevent a PC from going to sleep or bypass the screen lock timeout. Here's a simplified breakdown of what the query does:
-
Define Search Terms: It starts by defining a list of keywords related to programs that might keep a PC awake, such as "MouseJiggle", "AutoClick", "TinyTask", etc.
-
Search for File Events:
- It looks into
DeviceFileEventsfor files that match any of the defined keywords. - It excludes files that have been deleted and ensures the file has a SHA256 hash.
- It filters out certain file types and specific programs like PDF readers and web browsers.
- It creates a link to VirusTotal for files with a known origin URL.
- It looks into
-
Search for Process Events:
- It examines
DeviceProcessEventsfor processes whose command lines or file names match the keywords. - Similar exclusions and filters are applied as in the file events search.
- It collects relevant details like account information and file paths.
- It examines
-
Combine Results:
- It merges the results from both file and process events.
- It ensures that account information is captured, preferring the initiating process account if available.
- It generates a VirusTotal link for each file based on its SHA256 hash.
-
Join with Certificate Information:
- It attempts to join the results with
DeviceFileCertificateInfoto get certificate details like the signer and issuer.
- It attempts to join the results with
-
Output:
- It outputs a distinct list of devices, files, and related information, including account names, file paths, and links to VirusTotal.
- The results are organized to show account names, device names, file names, directories, and file hashes.
Overall, this query helps in identifying potentially suspicious activities related to keeping a PC awake by examining specific files and processes, and it provides additional context through links to VirusTotal and certificate information.
Details

Jay Kerai
Released: December 5, 2024
Tables
Keywords
Operators