Query Details

Detecting Waffles Exploits Shellcode In Image Files

Query

// Detecting WafflesExploits Shellcode in Image Files
// https://wafflesexploits.github.io/posts/Hide_a_Payload_in_Plain_Sight_Embedding_Shellcode_in_a_Image_file/

// Common image file extensions (the duplicate ".png" entry has been removed)
let ImageExtension = dynamic([".apng", ".png", ".avif", ".gif", ".jpg", ".jpeg", ".jfif", ".pjpeg", ".pjp", ".svg", ".webp", ".bmp", ".tif", ".tiff"]);
// Version-info file description expected on the initiating process
let CPPId = dynamic(["Microsoft Visual C++"]);
// Image names that are expected (for example installer resources) and should not alert
let WhiteListedFileName = dynamic(["logo.png","vcredist.bmp","watermark.bmp","header.bmp","SplashScreen.bmp"]);
DeviceFileEvents
| where InitiatingProcessVersionInfoFileDescription has_any(CPPId)
| where ActionType == @"FileCreated"
| where FileName has_any(ImageExtension)
| where not(FileName has_any(WhiteListedFileName))

Explanation

This query is designed to detect suspicious activity related to the creation of image files that might contain hidden malicious code, specifically shellcode, as described in the WafflesExploits technique. Here's a simple breakdown of what the query does:

  1. Image File Extensions: It defines a list of common image file extensions, such as .png, .jpg, .gif, etc.

  2. C++ Identifiers: It requires that the initiating process's version-info file description (InitiatingProcessVersionInfoFileDescription) contains "Microsoft Visual C++", which might indicate a development or compilation process.

  3. Whitelisted File Names: It lists certain image file names that are considered safe or expected, such as "logo.png" or "vcredist.bmp".

  4. Device File Events: The query reads the DeviceFileEvents table, which records file operations on a device, and looks at events where files are created.

  5. Filter Conditions:

    • It checks if the file creation event was initiated by a process related to Microsoft Visual C++.
    • It ensures the action type is "FileCreated", meaning a new file was created.
    • It filters for files with the specified image extensions.
    • It excludes files that match any of the whitelisted file names.

In summary, this query identifies newly created image files that are not on a safe list and are created by processes associated with Microsoft Visual C++, potentially indicating an attempt to hide malicious code within an image file.
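To test the filter logic offline before deploying the query, the following Python re-implementation applies the same four conditions to a handful of constructed DeviceFileEvents rows. This is an added example, not part of the original query or the WafflesExploits write-up; it assumes KQL has_any can be approximated by case-insensitive substring matching and == by exact string equality, and every event value below is made up for illustration.

```python
# Added example: Python approximation of the KQL detection above, run over
# constructed DeviceFileEvents rows. Not part of the original query page.
# Assumption: KQL `has_any` is approximated as case-insensitive substring
# matching; `==` as exact string equality.

IMAGE_EXTENSIONS = [".apng", ".png", ".avif", ".gif", ".jpg", ".jpeg", ".jfif",
                    ".pjpeg", ".pjp", ".svg", ".webp", ".bmp", ".tif", ".tiff"]
CPP_IDS = ["Microsoft Visual C++"]
WHITELISTED_FILENAMES = ["logo.png", "vcredist.bmp", "watermark.bmp",
                         "header.bmp", "SplashScreen.bmp"]


def has_any(value, terms):
    """Approximate KQL `has_any`: true if any term occurs in value (case-insensitive)."""
    value = value.lower()
    return any(term.lower() in value for term in terms)


def is_suspicious(event):
    """Mirror the four `where` clauses of the KQL query for one event row."""
    description = event.get("InitiatingProcessVersionInfoFileDescription", "")
    filename = event.get("FileName", "")
    return (has_any(description, CPP_IDS)
            and event.get("ActionType") == "FileCreated"
            and has_any(filename, IMAGE_EXTENSIONS)
            and not has_any(filename, WHITELISTED_FILENAMES))


def find_suspicious(events):
    """Return the events that would surface as results of the query."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample rows (all values are made up for this example).
SAMPLE_EVENTS = [
    {"ActionType": "FileCreated", "FileName": "payload.png",
     "InitiatingProcessVersionInfoFileDescription": "Microsoft Visual C++ sample"},
    {"ActionType": "FileCreated", "FileName": "vcredist.bmp",      # whitelisted
     "InitiatingProcessVersionInfoFileDescription": "Microsoft Visual C++ sample"},
    {"ActionType": "FileModified", "FileName": "image.jpg",        # wrong action
     "InitiatingProcessVersionInfoFileDescription": "Microsoft Visual C++ sample"},
    {"ActionType": "FileCreated", "FileName": "notes.txt",         # not an image
     "InitiatingProcessVersionInfoFileDescription": "Microsoft Visual C++ sample"},
    {"ActionType": "FileCreated", "FileName": "photo.JPG",         # other process
     "InitiatingProcessVersionInfoFileDescription": "Constructed Image Editor"},
    {"ActionType": "FileCreated", "FileName": "Logo.PNG",          # whitelisted, case differs
     "InitiatingProcessVersionInfoFileDescription": "Microsoft Visual C++ sample"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["FileName"])
```

Only the first row survives all four conditions; the others each fail exactly one clause, which is the behaviour to confirm when tuning the whitelist for your environment.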

Details

Steven Lim

Released: February 16, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

let, dynamic, has_any, where, ==, not