Exif Smuggling File Fix Detection

# *Exif smuggling FileFix Detection*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.001 | PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1027.010 | Command Obfuscation | https://attack.mitre.org/techniques/T1027/010/ |

#### Description
Detection based on: https://malwaretech.com/2025/10/exif-smuggling.html

This rule detects suspicious PowerShell execution patterns that might indicate an 'Exif smuggling FileFix Technique' or similar obfuscated command execution. It specifically looks for 'conhost.exe' launching PowerShell ('powershell.exe', 'pwsh.exe', 'pwsh.dll') with an encoded command ('-e' or '-EncodedCommand'), containing more than 5 spaces, and including a UNC path. This combination of indicators suggests an attempt to execute obfuscated PowerShell code, potentially from a remote source.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://malwaretech.com/2025/10/exif-smuggling.html

## Defender XDR
```KQL
// Exif smuggling FileFix Technique
DeviceProcessEvents
// Headless conhost.exe is the launcher used to hide the console window
| where ProcessCommandLine startswith "conhost.exe --headless"
// conhost must be starting a PowerShell host (Windows PowerShell or PowerShell 7)
| where ProcessCommandLine has_any ("powershell.exe", "pwsh.exe", "pwsh.dll")
// Checks for an encoded command (-e short form or -EncodedCommand)
| where ProcessCommandLine has "-e" or ProcessCommandLine has "-EncodedCommand"
// Checks for a run of five or more consecutive spaces (padding used to push the real command out of view)
| where ProcessCommandLine matches regex " {5,}"
// Checks if a UNC path (\\server\share) is in the command
| where ProcessCommandLine matches regex @"\\\\([a-zA-Z0-9\-\.]+)\\[a-zA-Z0-9\-\.$_]+"
```

## Explanation

This query is designed to detect potentially malicious PowerShell activity that might indicate an "Exif smuggling FileFix Technique" or similar obfuscated command execution. Here's a breakdown of what the query does in simple terms:

  1. Target Process: It looks for instances where the process conhost.exe is running in a headless mode and is launching PowerShell-related processes (powershell.exe, pwsh.exe, or pwsh.dll).

  2. Encoded Commands: It checks if these PowerShell commands include encoded commands, which are typically indicated by the flags -e or -EncodedCommand. This is a common technique used to obfuscate the true nature of the command being executed.

  3. Whitespace Check: The query looks for commands that contain more than five spaces. This can be a sign of obfuscation, where extra spaces are used to make the command harder to read or analyze.

  4. UNC Path Detection: It searches for the presence of a UNC (Universal Naming Convention) path in the command. A UNC path is a way to access network resources, and its presence might indicate that the command is trying to execute something from a remote source.

Overall, this query is designed to identify suspicious PowerShell activity that uses obfuscation techniques and potentially accesses remote resources, which could be indicative of a security threat.
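To make the four predicates concrete, the following Python re-implements the same checks as the KQL rule and runs them over constructed DeviceProcessEvents command lines; this is an added example, not part of the original query page. Kusto's `has` term matching is approximated with a word-boundary regex, which is an assumption rather than the exact term index Kusto uses.

```python
"""Python model of the KQL FileFix rule, evaluated over constructed command lines."""
import re

# Same patterns as the KQL rule, written as Python raw strings instead of Kusto @"..." literals.
PS_HOSTS = ("powershell.exe", "pwsh.exe", "pwsh.dll")
# Approximation of `has "-e"` / `has "-EncodedCommand"`: the flag must stand alone as a term.
ENCODED_FLAG = re.compile(r"(?<![\w-])-(e|encodedcommand)(?![\w-])", re.IGNORECASE)
SPACE_RUN = re.compile(r" {5,}")  # five or more consecutive spaces (padding)
UNC_PATH = re.compile(r"\\\\([a-zA-Z0-9\-\.]+)\\[a-zA-Z0-9\-\.$_]+")  # \\server\share


def matches_rule(cmdline: str) -> dict:
    """Evaluate each predicate separately so an analyst can see which one failed."""
    lc = cmdline.lower()  # startswith/has_any in KQL are case-insensitive
    checks = {
        "conhost_headless": lc.startswith("conhost.exe --headless"),
        "powershell_host": any(host in lc for host in PS_HOSTS),
        "encoded_command": ENCODED_FLAG.search(cmdline) is not None,
        "space_padding": SPACE_RUN.search(cmdline) is not None,
        "unc_path": UNC_PATH.search(cmdline) is not None,
    }
    checks["alert"] = all(checks.values())  # the KQL pipeline ANDs every `where`
    return checks


# Constructed sample command lines (not real telemetry; the base64 is a dummy value).
SAMPLES = {
    # FileFix-style line: headless conhost -> powershell, -e, space padding, UNC share.
    "padded_unc": "conhost.exe --headless powershell.exe -e QQBCAEMA          \\\\fileserver01\\share$\\photos",
    # Headless conhost + pwsh with padding, but a local path only: must not alert.
    "no_unc": "conhost.exe --headless pwsh.exe -EncodedCommand QQBCAEMA          C:\\Users\\me\\file.txt",
    # Ordinary scheduled PowerShell launch without conhost: must not alert.
    "benign": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
}


def evaluate_samples() -> dict:
    """Return the alert decision for every sample, keyed by sample name."""
    return {name: matches_rule(cmd)["alert"] for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, matches_rule(cmd))
```

Running the block prints the per-predicate result for each sample, which is useful when tuning the rule: a line that fails only `unc_path`, for instance, is exactly the padded-but-local case the rule deliberately leaves out.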

## Details

Author: Benjamin Zulliger

Released: October 27, 2025

Tables: DeviceProcessEvents
