MDE Loaded Files

# Files Loaded by Suspicious Executable

## Query Information

#### Description
This query lists the files that a suspicious executable has loaded. Malware often loads DLLs in order to function; those DLLs can be identified by supplying the SHA1 hash of the malicious executable as *InputSHA1*.

#### Risk
A malicious image (for example a DLL) is loaded into a running process and carries out the malware's activity from inside that process.

## Defender XDR
```KQL
let InputSHA1 = "035833d4d9673fd767b3a73e5943abe0cb88b122";
// Set of SHA1 hashes of every image (DLL etc.) loaded by the suspicious executable
let LoadedFiles = DeviceImageLoadEvents
| where InitiatingProcessSHA1 =~ InputSHA1
| summarize LoadedFiles = make_set(SHA1);
// Activity initiated by the same executable, with the loaded-file set attached to each row
union DeviceNetworkEvents, DeviceProcessEvents, DeviceEvents
| where InitiatingProcessSHA1 in~ (InputSHA1)
| extend LoadedFiles = toscalar(LoadedFiles)
```

## Sentinel
```KQL
let InputSHA1 = "035833d4d9673fd767b3a73e5943abe0cb88b122";
// Set of SHA1 hashes of every image (DLL etc.) loaded by the suspicious executable
let LoadedFiles = DeviceImageLoadEvents
| where InitiatingProcessSHA1 =~ InputSHA1
| summarize LoadedFiles = make_set(SHA1);
// Activity initiated by the same executable, with the loaded-file set attached to each row
union DeviceNetworkEvents, DeviceProcessEvents, DeviceEvents
| where InitiatingProcessSHA1 in~ (InputSHA1)
| extend LoadedFiles = toscalar(LoadedFiles)
```

## Explanation

This query is designed to identify and list files that have been loaded by a potentially malicious executable. Here's a simple breakdown of what the query does:

  1. InputSHA1: The query starts by defining a specific SHA1 hash (035833d4d9673fd767b3a73e5943abe0cb88b122) which represents the suspicious executable you are investigating.

  2. Loaded Files Identification: It looks into DeviceImageLoadEvents to find all files (such as DLLs) that were loaded by the process whose executable has the given SHA1 hash. It collects the hashes of these files into a set called LoadedFiles.

  3. Event Union: The query then combines data from three different event tables: DeviceNetworkEvents, DeviceProcessEvents, and DeviceEvents. It filters these events to include only those initiated by the same suspicious executable.

Overall, the query helps in tracking the activities of a suspicious executable by listing the files it loads and examining related network, process, and other device events. This can be useful for identifying potential malicious behavior and understanding the impact of the executable on the system.
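As an added example (not the query on this page or one of Bert-Jan Pals's queries), the same pivot carried one step further for triage: each image loaded by the suspicious executable is joined with its signing state from DeviceFileCertificateInfo and scored, so untrusted modules loaded from outside the Windows directory surface first. It assumes the standard advanced-hunting column names used below; the SHA1 value is the placeholder from the page.

```kql
// Added example, not the page's query: triage the images the suspicious
// executable loaded, using signing state and load path as triage signals.
// Assumed: DeviceImageLoadEvents and DeviceFileCertificateInfo are available
// with the standard advanced-hunting column names used below.
let InputSHA1 = "035833d4d9673fd767b3a73e5943abe0cb88b122";   // hash from the page; replace
let Lookback = 30d;
// One signing record per file hash (latest observation wins).
let CertInfo = DeviceFileCertificateInfo
| where Timestamp > ago(Lookback)
| summarize arg_max(Timestamp, *) by SHA1
| project SHA1, IsSigned, IsTrusted, Signer;
DeviceImageLoadEvents
| where Timestamp > ago(Lookback)
| where InitiatingProcessSHA1 =~ InputSHA1
| summarize FirstLoad = min(Timestamp),
            LastLoad = max(Timestamp),
            Devices = dcount(DeviceId),
            Loads = count(),
            LoadsOutsideWindowsDir = countif(not(FolderPath startswith @"C:\Windows\")),
            Paths = make_set(FolderPath, 10)
    by SHA1, FileName
| join kind=leftouter CertInfo on SHA1
| project-away SHA11
// Files with no certificate record are treated as unsigned and untrusted.
| extend IsSigned = coalesce(IsSigned, false),
         IsTrusted = coalesce(IsTrusted, false)
// Score: untrusted and loaded from a non-system path ranks highest.
| extend Score = case(
    not(IsTrusted) and LoadsOutsideWindowsDir > 0, 2,
    not(IsTrusted), 1,
    0)
| project Score, FileName, SHA1, Paths, Devices, Loads, FirstLoad, LastLoad,
          IsSigned, IsTrusted, Signer
| order by Score desc, Devices asc, FileName asc
```

A low device count combined with a high score is the usual sign of a module planted alongside the executable rather than a shared system library.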

Details

Bert-Jan Pals

Released: April 30, 2025

Tables

DeviceImageLoadEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceEvents

Keywords

Files, Devices, Executable, Malware, Dlls, Sha1, Image, Network, Process, Events, Activities

Operators

let, =~, summarize, make_set, union, in~