MDE All Processes Created By Malicious File
Query
// For the best results use SHA1
let MaliciousFileSHA1 = "e14f7ed43ab3ae9d31680eb74b043339eb6f87e7"; // Random generated SHA1 hash 9d833c959de5dd22d778c697cd0de8189c238b2e
let MaliciousFileName = "maliciousfilename.exe";
let SearchWindow = 48h; //Customizable h = hours, d = days
let FileInfoLocation = materialize (
DeviceFileEvents
| where Timestamp > ago(SearchWindow)
| where ((not(isempty(MaliciousFileSHA1)) and SHA1 == MaliciousFileSHA1) or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName)))
| summarize FileLocations = make_set(tolower(FolderPath)));
let FileInfoFileName = materialize (
DeviceFileEvents
| where Timestamp > ago(SearchWindow)
| where ((not(isempty(MaliciousFileSHA1)) and SHA1 == MaliciousFileSHA1) or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName)))
| summarize Filenames = make_set(tolower(FileName)));
let FileInfoFileSHA1 = materialize (
DeviceFileEvents
| where Timestamp > ago(SearchWindow)
| where ((not(isempty(MaliciousFileSHA1)) and SHA1 == MaliciousFileSHA1) or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName)))
| summarize FileInfoFileSHA1 = make_set(SHA1));
(union isfuzzy=true
(FileInfoFileName), // Forensic information in set format available after last raw event
(FileInfoLocation), // Forensic information in set format available after last raw event
(FileInfoFileSHA1), // Forensic information in set format available after last raw event
(DeviceProcessEvents
| where tolower(InitiatingProcessCommandLine) has_any (FileInfoLocation) or InitiatingProcessSHA1 == MaliciousFileSHA1)
| sort by Timestamp
| project-reorder
Filenames,
FileLocations,
FileInfoFileSHA1,
Timestamp,
DeviceName,
ActionType,
FileName,
ProcessCommandLine,
InitiatingProcessCommandLine
)About this query
Explanation
This query is designed to track the activities of a potentially malicious file within a specified time frame (48 hours by default). It does this by looking for any processes that the file has created and gathering information about the file's names, locations, and SHA1 hashes. Here's a simplified breakdown of what the query does:
-
Define Parameters:
- A specific SHA1 hash (
MaliciousFileSHA1) and file name (MaliciousFileName) are defined to identify the malicious file. - A time window (
SearchWindow) is set to 48 hours, which can be adjusted.
- A specific SHA1 hash (
-
Collect File Information:
- The query searches for events related to the file within the specified time window.
- It gathers all unique file locations, file names, and SHA1 hashes associated with the file.
-
Identify Related Processes:
- It looks for processes that were initiated by the file, using either the file's SHA1 hash or its locations as identifiers.
-
Combine and Present Results:
- The query combines the collected file information and related process events.
- It sorts the results by time and organizes the output to include details like file names, locations, SHA1 hashes, timestamps, device names, action types, and command lines.
This query is useful for forensic analysis, helping security analysts understand the behavior and impact of a suspicious file within a network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceFileEventsDeviceProcessEvents
Keywords
DeviceFileEventsProcessCommandLineTimestampNameActionTypeFolderPathSHA1
Operators
letmaterializewhereagoisemptyandortolowersummarizemake_setunionisfuzzyhas_anysort byproject-reorder