Query Details

MDE All Processes Created By Malicious File

Query

// For the best results use SHA1
let MaliciousFileSHA1 = "e14f7ed43ab3ae9d31680eb74b043339eb6f87e7"; // Random generated SHA1 hash 9d833c959de5dd22d778c697cd0de8189c238b2e
let MaliciousFileName = "maliciousfilename.exe";
let SearchWindow = 48h; //Customizable h = hours, d = days
let FileInfoLocation = materialize (
     DeviceFileEvents
     | where Timestamp > ago(SearchWindow)
     | where ((not(isempty(MaliciousFileSHA1)) and SHA1 == MaliciousFileSHA1) or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName)))
     | summarize FileLocations = make_set(tolower(FolderPath)));
let FileInfoFileName = materialize (
     DeviceFileEvents
     | where Timestamp > ago(SearchWindow)
     | where ((not(isempty(MaliciousFileSHA1)) and SHA1 == MaliciousFileSHA1) or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName)))
     | summarize Filenames = make_set(tolower(FileName)));
let FileInfoFileSHA1 = materialize (
     DeviceFileEvents
     | where Timestamp > ago(SearchWindow)
     | where ((not(isempty(MaliciousFileSHA1)) and SHA1 == MaliciousFileSHA1) or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName)))
     | summarize FileInfoFileSHA1 = make_set(SHA1));
(union isfuzzy=true
     (FileInfoFileName), // Forensic information in set format available after last raw event
     (FileInfoLocation), // Forensic information in set format available after last raw event
     (FileInfoFileSHA1), // Forensic information in set format available after last raw event
     (DeviceProcessEvents
     | where tolower(InitiatingProcessCommandLine) has_any (FileInfoLocation) or InitiatingProcessSHA1 == MaliciousFileSHA1)
| sort by Timestamp
| project-reorder
     Filenames,
     FileLocations,
     FileInfoFileSHA1,
     Timestamp,
     DeviceName,
     ActionType,
     FileName,
     ProcessCommandLine,
     InitiatingProcessCommandLine
)

About this query

Explanation

This query is designed to track the activities of a potentially malicious file within a specified time frame (48 hours by default). It does this by looking for any processes that the file has created and gathering information about the file's names, locations, and SHA1 hashes. Here's a simplified breakdown of what the query does:

  1. Define Parameters:

    • A specific SHA1 hash (MaliciousFileSHA1) and file name (MaliciousFileName) are defined to identify the malicious file.
    • A time window (SearchWindow) is set to 48 hours, which can be adjusted.
  2. Collect File Information:

    • The query searches for events related to the file within the specified time window.
    • It gathers all unique file locations, file names, and SHA1 hashes associated with the file.
  3. Identify Related Processes:

    • It looks for processes that were initiated by the file, using either the file's SHA1 hash or its locations as identifiers.
  4. Combine and Present Results:

    • The query combines the collected file information and related process events.
    • It sorts the results by time and organizes the output to include details like file names, locations, SHA1 hashes, timestamps, device names, action types, and command lines.

This query is useful for forensic analysis, helping security analysts understand the behavior and impact of a suspicious file within a network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEventsDeviceProcessEvents

Keywords

DeviceFileEventsProcessCommandLineTimestampNameActionTypeFolderPathSHA1

Operators

letmaterializewhereagoisemptyandortolowersummarizemake_setunionisfuzzyhas_anysort byproject-reorder

Actions

GitHub