KQL Search

This KQL (Kusto Query Language) query is designed to monitor and detect suspicious file creation activities on a device. Here's a simple breakdown of what the query does:

1. Data Source: The query is examining data from DeviceFileEvents, which logs file-related activities on a device.

2. Filter by Action: It filters the events to only include those where a file was created (ActionType == "FileCreated").

3. Specific File Name: It further narrows down the results to only include events where the file created is named TieringEngineService.exe.

4. Location Check: It checks if the file was created in a folder path that contains \AppData\. This is suspicious because the legitimate version of this binary is expected to be in the System32 directory, not AppData.

The comments in the query provide additional context:

• The query is related to a potential exploit that uses Microsoft Defender detections to escalate privileges to the system level.
• The exploit involves creating a file with a specific name in an unusual location to trigger Defender's real-time monitoring.
• The code in the repository uses an EICAR test signature, but a real attacker could substitute this with any payload that triggers Defender.
• The exploit will not proceed if real-time monitoring by Defender is not enabled.

Overall, this query is part of a security monitoring effort to detect potentially malicious activities involving file creation in unexpected locations, which could indicate an attempt to exploit system vulnerabilities.