Query Details

Creation Of Spoof Directories With Unicode Characters

Query

// Custom detection for the creation of spoof directories with Unicode characters
// Source: https://rogierdijkman.medium.com/detecting-edr-bypass-using-path-masquerading-fcfeb7339751
  let unicodeWhitespace = dynamic([
      "\u2000"
      , "\u2001"
      , "\u2002"
      , "\u2003"
      , "\u2004"
      , "\u2005"
      , "\u2006"
      , "\u2007"
      , "\u2008"
      , "\u2009"
      , "\u200A"
  ]);
  let suspiciousProcesses = dynamic([
      "powershell.exe"
      , "cmd.exe"
      , "mshta.exe"
      , "wscript.exe"
      , "cscript.exe"
  ]);
  DeviceFileEvents
  //| where Timestamp >= ago(1h)
  // Exclude system-level processes
  | where InitiatingProcessAccountName != "SYSTEM"
  // Filter for known suspicious processes
  | where InitiatingProcessFileName in (suspiciousProcesses)
  | where FolderPath has_any (unicodeWhitespace)
  // Split DOMAIN\user into its two parts for the domain exclusion below
  | extend AccountDomain = tostring(split(InitiatingProcessAccountName, "\\")[0])
      , AccountName = tostring(split(InitiatingProcessAccountName, "\\")[1])
  // Exclude NT AUTHORITY domain
  | where AccountDomain != "NT AUTHORITY"
  | project 
    Timestamp
    , DeviceName
    , InitiatingProcessAccountName
    , InitiatingProcessAccountUpn
    , FolderPath
    , InitiatingProcessFileName
    , InitiatingProcessCommandLine
  | order by Timestamp

Explanation

This KQL query is designed to detect potentially malicious activities involving the creation of directories with spoofed names using Unicode whitespace characters. Here's a simplified breakdown of what the query does:

  1. Define Unicode Whitespace Characters: It sets up a list of Unicode whitespace characters that might be used to disguise directory names.

  2. Identify Suspicious Processes: It specifies a list of processes that are considered suspicious, such as powershell.exe, cmd.exe, and others commonly used in scripting or command execution.

  3. Filter Device File Events: The query reads the DeviceFileEvents table, which records file and folder operations on devices.

  4. Exclude System-Level Processes: It filters out events initiated by the "SYSTEM" account, focusing on user-level activities.

  5. Check for Suspicious Processes: It further filters the events to only include those initiated by the suspicious processes listed earlier.

  6. Detect Unicode Whitespace in Folder Paths: It checks if any folder paths contain the defined Unicode whitespace characters, which could indicate an attempt to disguise the directory name.

  7. Extract Account Information: It splits the account name to separate the domain and the user name for further analysis.

  8. Exclude NT AUTHORITY Domain: It filters out events associated with the "NT AUTHORITY" domain to focus on user accounts.

  9. Select and Order Relevant Information: Finally, it selects specific fields like the timestamp, device name, account information, folder path, and command line used by the initiating process, and orders the results by timestamp for easier analysis.

This query helps in identifying potential security threats by spotting unusual directory creation activities that might be used to bypass security measures.
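As an added example that is not part of the original page, the same filtering steps expressed in Python and run over constructed DeviceFileEvents-style records (the field names are the ones the query projects; the sample values are made up), so the logic can be checked offline before it is deployed as a detection:

```python
import unicodedata

# U+2000..U+200A, the same eleven space characters the query lists
UNICODE_WHITESPACE = {chr(cp) for cp in range(0x2000, 0x200B)}
SUSPICIOUS_PROCESSES = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def split_account(account_name):
    """Mirror the query's split on backslash: returns (AccountDomain, AccountName)."""
    domain, _, user = account_name.partition("\\")
    return domain, user

def find_unicode_whitespace(path):
    """Return the Unicode names of any U+2000..U+200A characters found in path."""
    return [unicodedata.name(ch) for ch in path if ch in UNICODE_WHITESPACE]

def is_spoof_directory_event(event):
    """Apply the query's filters to one DeviceFileEvents-style record (a dict)."""
    account = event["InitiatingProcessAccountName"]
    if account == "SYSTEM":                                        # exclude system-level
        return False
    if event["InitiatingProcessFileName"] not in SUSPICIOUS_PROCESSES:
        return False
    if not find_unicode_whitespace(event["FolderPath"]):           # has_any(unicodeWhitespace)
        return False
    return split_account(account)[0] != "NT AUTHORITY"             # exclude NT AUTHORITY

def hunt(events):
    """Matching events in Timestamp order, as the query's order by would show them."""
    return sorted((e for e in events if is_spoof_directory_event(e)),
                  key=lambda e: e["Timestamp"])

# Constructed sample records (not real telemetry); only the first should match
SAMPLE_EVENTS = [
    {"Timestamp": "2025-02-07T10:02:00Z", "InitiatingProcessAccountName": "CORP\\alice",
     "InitiatingProcessFileName": "powershell.exe",
     "FolderPath": "C:\\Users\\alice\\Downloads\u2000\\tool"},        # U+2000 EN QUAD
    {"Timestamp": "2025-02-07T10:01:00Z", "InitiatingProcessAccountName": "CORP\\bob",
     "InitiatingProcessFileName": "explorer.exe",                      # not in the process list
     "FolderPath": "C:\\Users\\bob\\Documents\u2009\\notes"},
    {"Timestamp": "2025-02-07T10:03:00Z",
     "InitiatingProcessAccountName": "NT AUTHORITY\\NETWORK SERVICE",  # excluded domain
     "InitiatingProcessFileName": "cmd.exe",
     "FolderPath": "C:\\Windows\\Temp\u2003\\cache"},
    {"Timestamp": "2025-02-07T10:04:00Z", "InitiatingProcessAccountName": "CORP\\carol",
     "InitiatingProcessFileName": "cmd.exe",
     "FolderPath": "C:\\Users\\carol\\new folder"},                    # ordinary ASCII space
]
```

Calling hunt(SAMPLE_EVENTS) returns only the first record, and find_unicode_whitespace names the exact character that triggered the match, which is useful when triaging an alert.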

Details

Jay Kerai

Released: February 7, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

let, dynamic, in, has_any, extend, tostring, split, project, order by