Executable File Extentions downloaded via HTTP GET
HTTP Executable Files Downloaded
Query
let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']);
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| where HTTP_Request_Method == "GET"
| extend DownloadedContent = extract(@'.*/(.*)HTTP', 1, SignatureMatchedContent)
| extend DownloadContentFileExtention = extract(@'.*\.(.*)$', 1, DownloadedContent)
| where isnotempty(DownloadContentFileExtention) and string_size(DownloadContentFileExtention) < 8
| where DownloadContentFileExtention has_any (ExecutableFileExtentions)
| project-reorder Timestamp, DeviceName, DownloadedContent, HTTP_Request_Method, RemoteIPAbout this query
Explanation
This query is designed to identify and list files with executable extensions that have been downloaded via HTTP GET requests. Here's a simplified breakdown of what the query does:
-
Define Executable Extensions: It starts by defining a list of file extensions that are considered executable, such as
.exe,.bat,.cmd, etc. -
Filter Network Events: The query looks at network events where the action type is "NetworkSignatureInspected". This means it is inspecting network traffic for specific patterns or signatures.
-
Extract HTTP GET Requests: It further filters these events to only include those where the signature name is "HTTP_Client" and the HTTP request method is "GET". This focuses the query on HTTP GET requests, which are typically used to download files.
-
Extract Downloaded Content: The query extracts the content of the download from the network event data, specifically looking for the file name and its extension.
-
Filter Executable Files: It checks if the file extension of the downloaded content matches any of the predefined executable extensions and ensures the extension is not empty and is less than 8 characters long.
-
Project Relevant Information: Finally, it organizes the output to show the timestamp (or time generated), device name, the content that was downloaded, the HTTP request method, and the remote IP address involved in the transaction.
This query helps in identifying potentially risky downloads of executable files over the network, which could be indicative of malware or unauthorized software being downloaded.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators