Query Details

Detect Executable Files in C:\ProgramData

Executable Files Program Data Folder

Query

// The start of the folderpath in the Public directory.
let ProgramDataFolder = @'C:\ProgramData';
// List with Executable File Extensions, can be adjusted or changed.
let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc','ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta', 'js']);
// Prevalence Threshold, if the file exceeds this threshold it is likely to be benign.
let FilePrevalenceThreshold = 250;
DeviceFileEvents
| where FolderPath contains ProgramDataFolder
// Extract File Extension from the filename.
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Only list Files that are executable
| where FileExtension in~ (ExecutableFileExtensions)
| invoke FileProfile('SHA256', 10000)
// Filter based on FilePrevalenceThreshold
| where GlobalPrevalence <= FilePrevalenceThreshold
| project Timestamp, DeviceName, FileExtension, FolderPath, GlobalPrevalence, Signer, Publisher, ReportId, DeviceId

About this query

Explanation

This query is designed to identify unusual executable files that are created in the C:\ProgramData directory and its subdirectories. This location is not typically used for creating executable files, so any such files found there should be investigated as they might indicate malicious activity. Attackers might use this directory to hide their payloads and avoid detection.

Key Points of the Query:

  1. Target Directory: The query focuses on files within the C:\ProgramData directory (for Defender XDR) and C:\Users\Public (for Sentinel).

  2. Executable File Extensions: It looks for files with specific extensions that are considered executable, such as .exe, .bat, .cmd, etc.

  3. Prevalence Threshold (Defender XDR only): The query filters out files that are commonly found (more than 250 instances globally), as these are likely benign. This helps in focusing on rare and potentially suspicious files.

  4. File Profiling (Defender XDR only): The query uses the FileProfile function to gather additional information about the files, such as their global prevalence, which helps in assessing their rarity.

  5. Output Information: The query outputs details like the timestamp of file creation, device name, file extension, folder path, global prevalence, signer, publisher, report ID, and device ID for further investigation.

Differences Between Defender XDR and Sentinel:

  • File Profiling: The Defender XDR query uses the FileProfile function to get more detailed information about the files, which is not supported in Sentinel.
  • Directory Path: The Sentinel query checks the C:\Users\Public directory instead of C:\ProgramData.

Overall, this query is a security measure to detect potentially malicious files that might be used by attackers to remain undetected in a system.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: June 22, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEventsFolderPathNameExtensionGlobalPrevalenceSignerPublisherReportIdTimestamp

Operators

letdynamiccontainsextendtostringextractin~invokewhereproject

Actions

GitHub