Query Details
**Detecting Text and CSV Data Dumps via Command Line**

This KQL query detects when a device exports data to commonly used file formats such as .csv or .txt from the command line. This kind of behavior is often seen in the discovery and collection stages that precede ransomware deployment, where attackers dump internal information (for example, the list of Active Directory users and computers) to files before exfiltrating it.

The query reads the `Command` value that Microsoft Defender for Endpoint stores in the `AdditionalFields` JSON of `DeviceEvents` (the `PowerShellCommand` action type populates it), rather than `ProcessCommandLine`, so it sees PowerShell commands as they were executed, including pipelines into `Export-Csv` or `Out-File`. If you want to detect specific commands, narrow the results with filters like:

➡️ `| where Command startswith "Get-ADComputer -Filter *"`
➡️ `| where Command startswith "Get-ADUser -Filter *"`

```kql
DeviceEvents
| where isnotempty(AdditionalFields)
| extend Command = tostring(parse_json(AdditionalFields).Command)
// search for commands exporting data into .txt or .csv format
// (endswith is case-insensitive, so .CSV and .TXT also match)
| where Command endswith ".txt" or Command endswith ".csv"
// excluding known cases
| where Command !startswith "Start-Process"
| project Timestamp, DeviceName, ActionType, ProcessCommandLine, Command, InitiatingProcessAccountName, InitiatingProcessAccountUpn, ProcessRemoteSessionDeviceName, ReportId
```
This KQL query is designed to detect instances where a device exports data into text (.txt) or CSV (.csv) files via command line operations. This activity can be an early indicator of ransomware attacks, as attackers often gather internal data before attempting to exfiltrate it.
Here's a simple breakdown of what the query does:
Data Source: It starts by looking at device events that have additional fields filled in.
Extract Command: It extracts the command used in these events from the additional fields.
Identify Export Commands: It keeps only commands that end with ".txt" or ".csv", the file extensions most commonly used for data exports. KQL's endswith is case-insensitive, so ".CSV" and ".TXT" also match, but only commands whose last token is the output path fire; a command such as Export-Csv -Path users.csv -NoTypeInformation ends with a parameter and is missed, so extend the filter (for example with contains on the extension) if you need that coverage.
Exclude Known Processes: It drops commands that start with "Start-Process", a common benign pattern (launching an application with a file path as its argument) that would otherwise match. Add further exclusions for known administrative scripts in the same way rather than widening the match.
Output: The query then outputs relevant details such as the timestamp, device name, action type, the full command line used, the command itself, the account name and UPN of the user who initiated the process, the remote session device name, and a report ID for further investigation.
This query helps in identifying suspicious data export activities that could be part of a larger malicious operation.
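The pipeline described above, re-implemented in Python over a handful of constructed DeviceEvents-style rows so the matching rules can be exercised offline. This is an added example, not code from the original page or from Microsoft: the column names follow the Defender XDR DeviceEvents schema, but the sample commands, the rows themselves and the helper names (make_event, detect_data_dumps, AD_DUMP_PREFIXES) are assumptions made for illustration, not real telemetry.

```python
import json

# Columns listed in the query's final "| project" operator.
PROJECTED_COLUMNS = (
    "Timestamp", "DeviceName", "ActionType", "ProcessCommandLine", "Command",
    "InitiatingProcessAccountName", "InitiatingProcessAccountUpn",
    "ProcessRemoteSessionDeviceName", "ReportId",
)

# The page's optional narrowing filters (Command startswith ...).
AD_DUMP_PREFIXES = ("Get-ADComputer -Filter *", "Get-ADUser -Filter *")


def make_event(report_id, additional_fields):
    """Build one constructed DeviceEvents-style row (assumed helper, not real telemetry).

    additional_fields is the raw JSON string, exactly as the table stores it.
    """
    return {
        "Timestamp": f"2025-06-26T10:{report_id:02d}:00Z",
        "DeviceName": "ws01.corp.example",
        "ActionType": "PowerShellCommand",
        "ProcessCommandLine": "powershell.exe -NoProfile",
        "AdditionalFields": additional_fields,
        "InitiatingProcessAccountName": "jdoe",
        "InitiatingProcessAccountUpn": "jdoe@corp.example",
        "ProcessRemoteSessionDeviceName": "",
        "ReportId": report_id,
    }


# Constructed sample rows covering the hit, miss and edge cases of the filters.
SAMPLE_EVENTS = [
    # 1: AD user dump to CSV -> hit
    make_event(1, json.dumps({"Command": "Get-ADUser -Filter * | Export-Csv C:\\temp\\users.csv"})),
    # 2: AD computer dump with an upper-case extension -> hit (endswith is case-insensitive)
    make_event(2, json.dumps({"Command": "Get-ADComputer -Filter * -Properties * | Out-File C:\\temp\\hosts.TXT"})),
    # 3: benign launch removed by the !startswith "Start-Process" exclusion
    make_event(3, json.dumps({"Command": "Start-Process notepad.exe C:\\notes.txt"})),
    # 4: output path is not the last token -> the endswith test does not fire (known blind spot)
    make_event(4, json.dumps({"Command": "Export-Csv -Path C:\\temp\\groups.csv -NoTypeInformation"})),
    # 5: .log is outside the watched extensions
    make_event(5, json.dumps({"Command": "Get-Process | Out-File C:\\temp\\procs.log"})),
    # 6: empty AdditionalFields is dropped by isnotempty()
    make_event(6, ""),
    # 7: JSON without a Command key -> tostring(null) is "" and nothing matches
    make_event(7, json.dumps({"Name": "SomeOtherEvent"})),
    # 8: non-cmdlet dump redirected to a text file -> hit, but not an AD_DUMP_PREFIXES hit
    make_event(8, json.dumps({"Command": "net user /domain > C:\\temp\\domain_users.txt"})),
]


def detect_data_dumps(events, command_prefixes=()):
    """Apply the KQL pipeline to an iterable of DeviceEvents-style dicts.

    Returns the projected rows, in input order, for events whose parsed Command
    ends in .txt/.csv and does not start with Start-Process. command_prefixes
    optionally narrows the hits the way the page's extra startswith filters do.
    KQL endswith/startswith are case-insensitive, so comparisons are lowered.
    """
    hits = []
    for ev in events:
        raw = ev.get("AdditionalFields")
        if not raw:                                   # | where isnotempty(AdditionalFields)
            continue
        try:
            fields = json.loads(raw)                  # parse_json(AdditionalFields)
        except ValueError:
            fields = None                             # invalid JSON has no .Command
        command = fields.get("Command") if isinstance(fields, dict) else None
        command = "" if command is None else str(command)   # tostring(): null -> ""
        low = command.lower()
        if not (low.endswith(".txt") or low.endswith(".csv")):
            continue                                  # | where Command endswith ...
        if low.startswith("start-process"):
            continue                                  # | where Command !startswith "Start-Process"
        if command_prefixes and not any(low.startswith(p.lower()) for p in command_prefixes):
            continue                                  # optional: | where Command startswith ...
        row = {col: ev.get(col) for col in PROJECTED_COLUMNS}   # | project ...
        row["Command"] = command
        hits.append(row)
    return hits


if __name__ == "__main__":
    for row in detect_data_dumps(SAMPLE_EVENTS):
        print(row["ReportId"], row["InitiatingProcessAccountUpn"], row["Command"])
    print("AD dumps only:", [r["ReportId"] for r in detect_data_dumps(SAMPLE_EVENTS, AD_DUMP_PREFIXES)])
```

Rows 1, 2 and 8 are returned without the prefix filter; with AD_DUMP_PREFIXES only rows 1 and 2 remain. Row 4 is the case to keep in mind when tuning: the export clearly writes a .csv, but because the path is not the final token the endswith test never sees it.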

Sergio Albea
Released: June 26, 2025