Executable Files Program Data Folder

# Detect Executable Files in C:\ProgramData ## Query Information #### Description This query detects rare Executable files that are created in the folder C:\ProgramData\* and all the subfolders. It is not common that executable files are created in this folder and therefore the file creations should be investigated. An attacker can use those folders to Note: The query for Sentinel is different then the one for MDE, this is because the FileProfile function is used, which is currently not supported by Sentinel. Therefore I suggest running this query in MDE for the best results. #### Risk An adversary creates payloads in the C:\ProgramData\* to stay undetected. #### References - https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ - https://logpoint.com/en/blog/inside-darkgate ## Defender XDR ```KQL // The start of the folderpath in the Public directory. let ProgramDataFolder = @'C:\ProgramData'; // List with Executable File Extensions, can be adjusted or changed. let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc','ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta']); // Prevalence Threshold, if the file exceeds this threshold it is likely to be benign. let FilePrevalenceThreshold = 250; DeviceFileEvents | where FolderPath contains ProgramDataFolder // Extract File Extension from the filename. | extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName)) // Only list Files that are executable | where FileExtension in~ (ExecutableFileExtensions) | invoke FileProfile('SHA256', 10000) // Filter based on FilePrevalenceThreshold | where GlobalPrevalence <= FilePrevalenceThreshold | project Timestamp, DeviceName, FileExtension, FolderPath, GlobalPrevalence, Signer, Publisher, ReportId, DeviceId ``` ## Sentinel ```KQL // The start of the folderpath in the Public directory. let ProgramDataFolder = @'C:\Users\Public'; // List with Executable File Extensions, can be adjusted or changed. let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta']); DeviceFileEvents | where FolderPath contains ProgramDataFolder // Extract File Extension from the filename. | extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName)) // Only list Files that are executable | where FileExtension in~ (ExecutableFileExtensions) ```

Explanation

This query is designed to identify unusual executable files that are created in the C:\ProgramData directory and its subdirectories. This location is not typically used for storing executable files, so any files found here should be investigated as they might indicate malicious activity. Attackers might use this directory to hide their payloads and avoid detection.

Key Points of the Query:

Target Directory: The query focuses on files within the C:\ProgramData directory for Defender XDR and C:\Users\Public for Sentinel.
Executable File Extensions: It looks for files with specific extensions that are commonly associated with executable files, such as .exe, .bat, .cmd, and others.
File Prevalence: For Defender XDR, the query uses a threshold to filter out files that are commonly found (more than 250 instances globally), as these are likely benign. This step is not included in the Sentinel query due to differences in functionality.
File Profile: In Defender XDR, the query uses the FileProfile function to gather additional information about the file, such as its SHA256 hash and prevalence.
Output: The query returns details like the timestamp of file creation, device name, file extension, folder path, global prevalence, signer, publisher, report ID, and device ID for further investigation.

Risk and References:

Risk: The presence of executable files in these directories could indicate that an adversary is trying to remain undetected by placing malicious files in less monitored locations.
References: The query references articles discussing malware that uses similar tactics to evade detection.

Overall, this query helps security teams identify potentially malicious files that could be part of an attacker's strategy to compromise a system.

KQL Search