Query Details

Click Fix Lo L Bin Abuse

Query

//THX to Maurice Fielenbach https://www.linkedin.com/posts/mauricefielenbach_threathunting-dfir-cybersecurity-activity-7429953431588659200-c0zE/
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where (
    (FileName in~ ("wscript.exe", "cscript.exe") and ProcessCommandLine has "SyncAppvPublishingServer.vbs")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("process", "call", "create"))
    or (FileName =~ "ssh.exe" and ProcessCommandLine has "ProxyCommand")
)
| where ProcessCommandLine has_any (
    "gal", "i*x",         
    "gcm", "*stM*",       
    "jsdelivr.net",       
    "github",             
    "powershell"          
)

About this query

Explanation

This query is designed to detect potentially malicious activities on Windows systems by monitoring specific command-line executions. It focuses on identifying suspicious use of certain Windows executables and keywords that are often associated with malicious behavior or obfuscation techniques. Here's a simplified breakdown:

  1. Time Frame: The query looks at events from the past 7 days.

  2. Targeted Executables:

    • wscript.exe or cscript.exe: These are Windows Script Host executables. The query checks if they are running a script named 'SyncAppvPublishingServer.vbs'.
    • wmic.exe: This is the Windows Management Instrumentation Command-line tool. The query checks if it is used with commands like 'process', 'call', or 'create'.
    • ssh.exe: This is the Secure Shell client. The query checks if it is used with the 'ProxyCommand' option.
  3. Suspicious Keywords: The query further filters the command lines to see if they contain any of the following keywords, which might indicate malicious activity:

    • "gal", "i*x", "gcm", "stM": These could be part of obfuscated commands or scripts.
    • "jsdelivr.net", "github": These are external resources that might be used to load malicious scripts or payloads.
    • "powershell": This is a powerful scripting language often used in attacks.

Overall, the query aims to identify suspicious command-line activities that could indicate abuse of legitimate Windows tools for malicious purposes, aligning with specific MITRE ATT&CK techniques.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 23, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessCommandLineFileNameTimestamp

Operators

//|where>=agoin~andhas=~orhas_any

MITRE Techniques

Actions

GitHub