Query Details

Detect Shebang Code Inside Files With Unusual Extensions

Query

**Detect Shebang code inside files with unusual extensions**

**Description:** Shebangs (`#!`) are native to Unix-like operating systems (macOS and Linux). Standard Windows consoles (Command Prompt and PowerShell) do not natively use them. However, they do work on Windows when using tools such as the Python Launcher, Git Bash, Cygwin, or Unix-like environments such as WSL. In simple terms, a shebang tells the operating system which interpreter should execute a script, for example: `#!/usr/bin/python3`

Such scripts may not look dangerous based on their extension, but they are still executable files. In environments with macOS, Linux, WSL, Git Bash or the Python Launcher, this query can help to identify scripts that were renamed to hide their real purpose.

```kusto
DeviceFileEvents
// AdditionalFields is a JSON string; FileType is the classification of the file content
| extend AF = parse_json(AdditionalFields)
| where tostring(AF.FileType) == "Shebang"
// extensions that normally belong to text, data or image files, not scripts
| where FileName has_any (".txt", ".log", ".dat", ".tmp", ".conf", ".jpg", ".png", ".pdf")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
```

Explanation

This query is designed to detect files that contain a "shebang" (#!) at the beginning, which indicates that the file is a script intended to be executed by a specific interpreter. The query specifically looks for these shebang scripts within files that have extensions typically not associated with executable scripts, such as .txt, .log, .dat, .tmp, .conf, .jpg, .png, and .pdf. These extensions are usually associated with text, data, or image files, not scripts.

Here's a simple breakdown of what the query does:

  1. Source of Data: It examines events related to files on devices, specifically looking at the DeviceFileEvents table.

  2. Shebang Detection: It filters for files that have been identified as containing a shebang line by checking the FileType field in the AdditionalFields JSON.

  3. Unusual Extensions: It further filters these files to only include those with extensions that are not typically associated with scripts or executable files.

  4. Output: The query then selects and displays specific information about these files, such as the time of the event, the device name, the type of action performed, the file name, the folder path, the file's SHA256 hash, and details about the process that initiated the file event.

The purpose of this query is to help identify potentially suspicious scripts that may have been disguised with non-executable file extensions, which could be an indicator of malicious activity or an attempt to hide the script's true purpose.
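As an added illustration (not code from this page or its author), the following Python re-implements the query's three filter steps and its projection over constructed DeviceFileEvents-style rows, and adds a byte-level check of what a "Shebang" classification means. The row layout, the shape of the AdditionalFields JSON and every sample value (device names, paths, hash placeholders) are assumptions. One deliberate difference from the KQL: the Python extension test is a suffix match, whereas `has_any` matches whole terms anywhere in the name, so `endswith` would be the stricter equivalent in the query itself.

```python
"""Added example: a Python model of the page's KQL detection logic.

Not code from the query page or its author. It re-implements the filters
(FileType == "Shebang", unusual extension) and the projection over constructed
DeviceFileEvents-style rows, plus a content check for a leading '#!' line.
"""
import json

# Extension list taken from the query on the page.
UNUSUAL_EXTENSIONS = (".txt", ".log", ".dat", ".tmp", ".conf", ".jpg", ".png", ".pdf")

# Columns selected by the query's final `project` stage.
PROJECTED_COLUMNS = (
    "Timestamp", "DeviceName", "ActionType", "FileName", "FolderPath",
    "SHA256", "InitiatingProcessFileName", "InitiatingProcessCommandLine",
)


def parse_shebang(content: bytes):
    """Return the interpreter named on a leading '#!' line, or None.

    A file is a shebang script only if its very first two bytes are '#!';
    the interpreter is the first whitespace-separated token after them.
    """
    if not content.startswith(b"#!"):
        return None
    first_line = content.split(b"\n", 1)[0][2:].strip()
    if not first_line:
        return None  # bare '#!' with no interpreter named
    return first_line.split()[0].decode("utf-8", errors="replace")


def has_unusual_extension(file_name: str) -> bool:
    """Case-insensitive suffix check against the page's extension list."""
    return file_name.lower().endswith(UNUSUAL_EXTENSIONS)


def hunt(events):
    """Apply the query's filters and projection to DeviceFileEvents-like dicts."""
    hits = []
    for event in events:
        # extend AF = parse_json(AdditionalFields); tolerate a missing/empty field
        additional = json.loads(event.get("AdditionalFields") or "{}")
        # where tostring(AF.FileType) == "Shebang"
        if str(additional.get("FileType", "")) != "Shebang":
            continue
        # where FileName has_any (...), modelled here as a suffix match
        if not has_unusual_extension(event.get("FileName", "")):
            continue
        # project the same columns as the query
        hits.append({column: event.get(column) for column in PROJECTED_COLUMNS})
    return hits


# Constructed sample rows (assumed layout); hashes and paths are placeholders.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-11T08:00:00Z", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "readme.txt", "FolderPath": "/home/user/readme.txt", "SHA256": "<placeholder-1>",
     "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash",
     "AdditionalFields": '{"FileType":"Shebang"}'},                      # reported
    {"Timestamp": "2026-06-11T08:01:00Z", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "install.sh", "FolderPath": "/tmp/install.sh", "SHA256": "<placeholder-2>",
     "InitiatingProcessFileName": "curl", "InitiatingProcessCommandLine": "curl",
     "AdditionalFields": '{"FileType":"Shebang"}'},                      # normal extension: not reported
    {"Timestamp": "2026-06-11T08:02:00Z", "DeviceName": "ws02", "ActionType": "FileModified",
     "FileName": "report.pdf", "FolderPath": "/home/user/report.pdf", "SHA256": "<placeholder-3>",
     "InitiatingProcessFileName": "python3", "InitiatingProcessCommandLine": "python3 export.py",
     "AdditionalFields": '{"FileType":"Pdf"}'},                          # not a shebang: not reported
    {"Timestamp": "2026-06-11T08:03:00Z", "DeviceName": "ws02", "ActionType": "FileCreated",
     "FileName": "backup.log", "FolderPath": "/var/log/backup.log", "SHA256": "<placeholder-4>",
     "InitiatingProcessFileName": "cron", "InitiatingProcessCommandLine": "cron"},  # no AdditionalFields
    {"Timestamp": "2026-06-11T08:04:00Z", "DeviceName": "ws03", "ActionType": "FileRenamed",
     "FileName": "image.png", "FolderPath": "/home/user/image.png", "SHA256": "<placeholder-5>",
     "InitiatingProcessFileName": "mv", "InitiatingProcessCommandLine": "mv",
     "AdditionalFields": '{"FileType":"Shebang"}'},                      # reported
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["ActionType"], hit["FileName"], hit["InitiatingProcessFileName"])
```

Running the block reports the two rows whose content is classified as a shebang script and whose name ends in one of the listed extensions; the `.sh` shebang, the genuine PDF and the row without an AdditionalFields value are all dropped, which mirrors the order of the query's `where` stages.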

Details


Sergio Albea

Released: June 11, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

DeviceFileEvents, extend, parse_json, where, tostring, has_any, project
