Query Details

Asr Untrusted Executable Audited Query

Query

# Rule: Detection of Untrusted Executables in User Folders

## Description
This detection rule identifies untrusted executables within user directories that have been audited by Advanced Security Rules (ASR). Monitoring for untrusted executables is crucial because they can indicate the presence of malware or unauthorized software introduced into the system by malicious actors. This rule helps identify newly observed, globally rare executables within user folders that might have been introduced through various attack vectors.

This rule monitors for audited actions related to untrusted executables in user directories, focusing on files that are new and have low global prevalence.

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is "AsrUntrustedExecutableAudited".
  - The `FolderPath` contains "users".
  - The file was first seen globally within the last 3 days and has a global prevalence of 1 or less.

## Tags
- Untrusted Executables
- User Directories
- Malware
- Suspicious Activity
- Advanced Security Rules (ASR)

## Search Query
```kql
DeviceEvents
// ASR audit events for the "untrusted executable" rule, restricted to paths containing "users"
| where FolderPath contains "users" and ActionType == "AsrUntrustedExecutableAudited"
| project Timestamp, ReportId, DeviceId, ProcessCommandLine, FileName, FolderPath, InitiatingProcessSHA1, InitiatingProcessFileName, SHA1
// enrich each row with Microsoft's file reputation data, keyed on the SHA1 column
| invoke FileProfile("SHA1")
// keep only files first observed worldwide in the last 3 days and seen at most once globally
| where GlobalFirstSeen > ago(3d) and GlobalPrevalence <= 1
```

## Notes
This needs a bit of fine tuning before it can be enabled as a detection rule.
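As an added example of the fine tuning the note above calls for (this is not part of the original rule; the `C:\Users\` profile root, the 7-day lookback and the choice to drop validly signed files are assumptions to adjust per environment), this variant narrows the path match, raises the FileProfile enrichment limit, and groups hits per device and hash so one noisy host does not flood the alert queue:

```kql
// Added tuning example, not the original rule. Assumptions: user profiles live
// under C:\Users\, a 7-day lookback is enough, and validly signed files can be
// dropped (this loses stolen-certificate cases; remove that filter if volume allows).
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AsrUntrustedExecutableAudited"
// anchor on the profile root instead of any path that merely contains "users"
| where FolderPath startswith @"C:\Users\"
| where isnotempty(SHA1)
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName, FileName, FolderPath, SHA1,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA1
// FileProfile enriches only 100 rows by default and silently skips the rest; raise it to the maximum
| invoke FileProfile("SHA1", 1000)
// same rarity criteria as the original rule
| where GlobalFirstSeen > ago(3d) and GlobalPrevalence <= 1
// keep unsigned files and files whose certificate chain did not validate
| where isempty(Signer) or IsCertificateValid == false
// one row per device and file hash, with the paths and command lines that triggered it
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Paths = make_set(FolderPath, 10), CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceId, DeviceName, AccountName, SHA1, FileName, Signer, GlobalPrevalence
| order by Hits desc
```

Rows that FileProfile could not enrich have a null GlobalPrevalence and are already dropped by the prevalence filter, so the signer check only sees enriched rows.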

Explanation

Summary of the Query

Purpose: This query is designed to detect untrusted executable files within user directories. These files are flagged by Advanced Security Rules (ASR) and are considered suspicious because they are new and have very low global prevalence, which could indicate potential malware or unauthorized software.

Detection Logic:

  1. Source of Data: The query looks at DeviceEvents.
  2. Conditions:
    • The event's ActionType must be "AsrUntrustedExecutableAudited".
    • The FolderPath must contain the word "users".
    • The file must have been first seen globally within the last 3 days.
    • The file must have a global prevalence of 1 or less, indicating it is very rare.

Query Breakdown:

  • Filter Events: The query filters events where the FolderPath contains "users" and the ActionType is "AsrUntrustedExecutableAudited".
  • Select Fields: It selects relevant fields such as Timestamp, ReportId, DeviceId, ProcessCommandLine, FileName, FolderPath, InitiatingProcessSHA1, InitiatingProcessFileName, and SHA1.
  • File Profiling: It calls FileProfile on the SHA1 hash to enrich each row with global prevalence and first-seen data.
  • Further Filtering: It further filters the results to include only files that were first seen globally within the last 3 days and have a global prevalence of 1 or less.

Tags:

  • Untrusted Executables
  • User Directories
  • Malware
  • Suspicious Activity
  • Advanced Security Rules (ASR)

Notes:

  • The query may need some adjustments before it can be fully enabled as a detection rule.

Simplified Explanation

This query helps identify potentially dangerous new executable files in user folders that are very rare globally. It focuses on files flagged by security rules and checks if they appeared in the last 3 days and are not commonly seen worldwide. This can help in spotting malware or unauthorized software early.

Details


Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, User Directories, Malware, Suspicious Activity, Advanced Security Rules

Operators

==, contains, |, project, invoke, >, ago, <=
