Query Details

Detect Suspicious Files Dropped Into Public Folder

Query

**Detect suspicious files dropped into Public Folder**

A behaviour frequently observed during ransomware attacks is the dropping of ransom notes into the C:\Users\Public folder. That folder is readable by every interactive user on the machine, so a note placed there guarantees that everyone who logs on sees the compromise.
If your environment records file creation events under this path, you can detect the activity promptly and drive fast response actions, such as alerting, isolating the device (via custom detection rule actions), or starting an automated investigation.
I recommend running this KQL query first to see whether you have false positives to allowlist, as I did with .lnk files (basically browser shortcuts):
```
DeviceEvents
// Case-insensitive substring match on the path; the doubled backslash is just
// the escaped separator inside a KQL string literal.
| where FolderPath contains "Users\\Public" and FileName !endswith ".lnk"
// One row per unique device/action/file/path combination (timestamps are dropped).
| distinct DeviceName, ActionType, FileName, FolderPath
```

Explanation

This KQL query flags files that appear under "C:\Users\Public" on a device and are not Windows shortcut files (names ending in ".lnk"). A simple breakdown of what it does:

  1. Data Source: It reads DeviceEvents, the Microsoft Defender XDR advanced hunting table of miscellaneous device events. Its rows carry FileName and FolderPath columns, so anything Defender recorded against a file under the public folder is returned regardless of ActionType. Note that file creation itself is recorded in DeviceFileEvents (ActionType "FileCreated"); the same filter works against that table if you only want creation events.

  2. Filter Criteria:

    • FolderPath contains "Users\Public": the file sits in the public folder. contains is a case-insensitive substring match, so it also matches any path that merely includes that text (for example a profile folder named Users\PublicUser); anchoring on "C:\Users\Public\" with startswith avoids that.
    • FileName !endswith ".lnk": shortcut files are excluded, because browsers and the OS routinely write shortcuts here and they are rarely interesting.
  3. Output:

    • distinct returns one row per unique combination of device name, action type, file name and folder path. This keeps the result short while tuning, but it discards Timestamp and the initiating process, which you will want back when triaging a hit.

This query helps identify unusual files placed in the public folder, a common ransomware tactic to make ransom notes visible to all users. Running it lets you spot potentially malicious files quickly and take action, such as alerting the security team or isolating the affected device. It also surfaces false positives, such as legitimate files that need to be added to an allow list before the query is turned into a detection rule.
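A tightened version of the same detection, added here as an example and not part of Sergio's original query. It assumes a Microsoft Defender XDR advanced hunting workspace and the standard DeviceFileEvents columns (Timestamp, ActionType, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine); the 7-day lookback and the 20-file sample cap are arbitrary tuning values. It anchors on the folder root, restricts to actual file creations, and groups by the writing process so a ransom-note spray shows up as one process creating many files across many folders.

```kql
// Added example (not the original query): file creations under C:\Users\Public,
// grouped by the process and account that wrote them.
// Assumes the Defender XDR DeviceFileEvents table and its standard columns.
let lookback = 7d;                          // arbitrary tuning window
// Trailing backslash anchors on the folder root, so a sibling folder such as
// C:\Users\PublicUser\ is not matched. startswith is case-insensitive, which
// is correct for Windows paths.
let publicRoot = @"C:\Users\Public\";
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"         // creation only, not modify/rename/delete
| where FolderPath startswith publicRoot
| where FileName !endswith ".lnk"           // shortcuts are the common benign writer
| summarize FilesCreated = count(),
            Folders = dcount(FolderPath),   // a note spray touches many folders
            SampleFiles = make_set(FileName, 20),
            CommandLine = take_any(InitiatingProcessCommandLine),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by FilesCreated desc
```

Run it over the lookback window and add the benign writers it surfaces (installers, browser updaters, explorer.exe copying files) to an exclusion on InitiatingProcessFileName. If you promote it to a custom detection rule, drop the summarize and keep Timestamp, DeviceId and ReportId in the output, since custom detections require those three columns.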

Details


Sergio Albea

Released: May 28, 2025

Tables

DeviceEvents

Keywords

DeviceEvents, DeviceName, ActionType, FileName, FolderPath

Operators

contains, !endswith, distinct, where
