Query Details

Golden Chickens Terra Logger Detection

Query

// https://www.recordedfuture.com/research/terrastealerv2-and-terralogger

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where FileName endswith ".txt"
| where FolderPath startswith "c:\\programdata\\"
| where InitiatingProcessCommandLine has "regsvr32" and
    InitiatingProcessCommandLine has ".ocx"

Explanation

This query searches DeviceFileEvents for file creation events recorded on devices within the last hour. It keeps only text files (file names ending in ".txt") created under the "c:\programdata" directory, and then narrows those to events where the command line of the initiating process contains both "regsvr32" and ".ocx", i.e. a file written by an OCX component loaded through regsvr32. regsvr32 is a legitimate, signed Windows binary, so a hit is not proof of compromise, but it is often used in certain types of attacks to execute attacker-supplied components, which makes a plain-text file dropped in ProgramData by a regsvr32-loaded OCX a useful hunting lead for Terra Logger activity. Note that KQL's endswith, startswith and has operators are case-insensitive, so the lower-case path prefix still matches the mixed-case FolderPath values that Defender records; has also matches whole terms rather than substrings. Expect some benign hits from legitimately registered controls that log to ProgramData, and tune by excluding known OCX paths.
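To make the matching rules concrete, the following is an added example (not code from the original page or from the query's author) that re-implements each "| where" clause of the hunt in Python and runs it over a handful of constructed DeviceFileEvents rows. The kql_has helper is an approximation of KQL's term-based has operator, the reference time NOW and every sample row are invented test data, and the command lines are only there to exercise the filter.

```python
"""Offline emulation of the Terra Logger KQL hunt (added example, not the page's own code).

Each clause of matches_terra_logger_rule mirrors one `| where` line of the query.
Assumptions: kql_has approximates KQL term indexing by splitting on non-alphanumerics,
and NOW / SAMPLE_EVENTS are constructed test data, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class DeviceFileEvent:
    """The DeviceFileEvents columns the query touches."""
    Timestamp: datetime
    ActionType: str
    FileName: str
    FolderPath: str
    InitiatingProcessCommandLine: str


_TERM = re.compile(r"[a-z0-9]+")


def kql_has(text: str, needle: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on whole terms, not substrings.

    "regsvr32.exe /s a.ocx" has "regsvr32" -> True, has ".ocx" -> True (the dot is
    not part of a term), but has "regsvr3" -> False, which is where `has` differs
    from `contains`.
    """
    hay = _TERM.findall(text.lower())
    want = _TERM.findall(needle.lower())
    if not want:
        return False
    n = len(want)
    return any(hay[i:i + n] == want for i in range(len(hay) - n + 1))


def matches_terra_logger_rule(ev: DeviceFileEvent, now: datetime) -> bool:
    """Apply the hunt to one row; comments name the KQL line each clause mirrors."""
    cmd = ev.InitiatingProcessCommandLine
    return (
        ev.Timestamp > now - timedelta(hours=1)                    # Timestamp > ago(1h)
        and ev.ActionType == "FileCreated"                         # == (exact match)
        and ev.FileName.lower().endswith(".txt")                   # endswith (case-insensitive)
        and ev.FolderPath.lower().startswith("c:\\programdata\\")  # startswith (case-insensitive)
        and kql_has(cmd, "regsvr32")                               # has "regsvr32"
        and kql_has(cmd, ".ocx")                                   # has ".ocx"
    )


def run_rule(events: List[DeviceFileEvent], now: datetime) -> List[str]:
    """Return the FileName of every row the hunt would surface."""
    return [ev.FileName for ev in events if matches_terra_logger_rule(ev, now)]


NOW = datetime(2025, 5, 6, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _ev(minutes_ago: int, action: str, name: str, folder: str, cmd: str) -> DeviceFileEvent:
    return DeviceFileEvent(NOW - timedelta(minutes=minutes_ago), action, name, folder, cmd)


# Constructed sample rows. FolderPath is mixed-case on purpose: that is how the
# Defender portal records it, and only the case-insensitive prefix match catches it.
SAMPLE_EVENTS: List[DeviceFileEvent] = [
    _ev(5, "FileCreated", "keys.txt", r"C:\ProgramData\Logs\keys.txt",
        r"regsvr32.exe /s C:\ProgramData\loader.ocx"),                         # should match
    _ev(130, "FileCreated", "old.txt", r"C:\ProgramData\Logs\old.txt",
        r"regsvr32.exe /s C:\ProgramData\loader.ocx"),                         # outside the 1h window
    _ev(3, "FileCreated", "notes.txt", r"C:\ProgramData\App\notes.txt",
        r"regsvr32.exe /s C:\ProgramData\lib.dll"),                            # no .ocx in command line
    _ev(2, "FileCreated", "out.txt", r"C:\Users\Public\out.txt",
        r"regsvr32.exe /s C:\Users\Public\a.ocx"),                             # wrong folder
    _ev(1, "FileModified", "keys.txt", r"C:\ProgramData\Logs\keys.txt",
        r"regsvr32.exe /s C:\ProgramData\loader.ocx"),                         # not a creation
    _ev(4, "FileCreated", "data.log", r"C:\ProgramData\Logs\data.log",
        r"regsvr32.exe /s C:\ProgramData\loader.ocx"),                         # not a .txt file
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS, NOW))  # expected: ['keys.txt']
```

Only the first row survives all six clauses; each of the others is dropped by exactly one clause, which is a convenient way to check that a tuned version of the query (for example, an added exclusion for a known OCX path) still rejects the same rows.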

Details


Steven Lim

Released: May 6, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, Timestamp, ActionType, FileName, FolderPath, InitiatingProcessCommandLine

Operators

DeviceFileEvents, | where, >, ago(), ==, endswith, startswith, has, and
