Golden Chickens Terra Logger Detection
Query
// https://www.recordedfuture.com/research/terrastealerv2-and-terralogger
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where FileName endswith ".txt"
| where FolderPath startswith "c:\\programdata\\"
| where InitiatingProcessCommandLine has "regsvr32" and
InitiatingProcessCommandLine has ".ocx"Explanation
This query is searching for specific file creation events on devices within the last hour. It looks for text files (files ending with ".txt") that were created in the "c:\programdata" directory. Additionally, it filters these events to only include those where the process that initiated the file creation involved the use of "regsvr32" and an ".ocx" file in its command line. This could be indicative of suspicious or malicious activity, as "regsvr32" is often used in certain types of attacks.
Details

Steven Lim
Released: May 6, 2025
Tables
DeviceFileEvents
Keywords
DeviceFileEventsTimestampActionTypeNameFolderPathInitiatingProcessCommandLine
Operators
DeviceFileEvents|where>ago()==endswithstartswithhasand