# Defender for Endpoint - Identify Portable Apps
## Query Information
### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|--------------|-------------|--------------------------------------------|
| T1036 | Masquerading| https://attack.mitre.org/techniques/T1036 |
### Description
Use the queries below to find portable applications across endpoints onboarded to Defender for Endpoint.
### Risk
Portable apps can be used to mimic legitimate software without installation, helping attackers evade detection.
### Author
- **Alex Verboon**
### Microsoft Defender XDR
Show portable files
```kql
DeviceFileEvents
// AdditionalFields carries Defender's file-type classification as JSON
| where parse_json(AdditionalFields).FileType has_any ("PortableExecutable")
| extend FileExtension = parse_path(FolderPath).Extension
| where FileExtension == "exe"
// Keep only files Defender recorded as downloaded (origin URL populated)
| where isnotempty(FileOriginUrl)
| project FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, AdditionalFields
```
Show Portable files by download URL
```kql
DeviceFileEvents
| where parse_json(AdditionalFields).FileType has_any ("PortableExecutable")
| extend FileExtension = parse_path(FolderPath).Extension
| where FileExtension == "exe"
| where isnotempty(FileOriginUrl)
| project FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, AdditionalFields
// One row per referring page, with the distinct file names and the number of downloads it produced
| summarize Files = make_set(FileName), count() by FileOriginReferrerUrl
```
Show files downloaded from [portableapps.com](https://portableapps.com/)
```kql
DeviceFileEvents
// Exact match on the referrer; a prefix filter (FileOriginReferrerUrl startswith "https://portableapps.com/")
// would also catch downloads started from pages beneath the site root
| where FileOriginReferrerUrl == "https://portableapps.com/"
```
List executed portable apps run from user folders or other locations outside Windows, Program Files and ProgramData
```kql
DeviceProcessEvents
| where AccountName != "system"
// Any local drive or network share; the Downloads and Desktop alternatives are already
// matched by the first pattern and are spelled out only to document the intent
| where FolderPath matches regex @"^[A-Z]:\\.*$" // Any drive letter
    or FolderPath startswith @"\\" // Network shares
    or FolderPath matches regex @"^C:\\Users\\[^\\]+\\Downloads\\.*$" // Include C:\Users\*\Downloads
    or FolderPath matches regex @"^C:\\Users\\[^\\]+\\Desktop\\.*$" // Include C:\Users\*\Desktop
| where not(FolderPath matches regex @"^C:\\Windows\\.*$") // Exclude C:\Windows and subfolders
| where not(FolderPath matches regex @"^C:\\Program Files( \(x86\))?\\.*$") // Exclude C:\Program Files and Program Files (x86)
| where not(FolderPath matches regex @"^C:\\ProgramData\\.*$") // Exclude C:\ProgramData
| where not(AccountSid startswith "S-1-5-18") // Exclude Local System account
| where not(AccountSid startswith "S-1-5-20") // Exclude Network Service account
// TimeGenerated is the Sentinel column name; in Defender XDR advanced hunting the column is Timestamp
| project TimeGenerated, FileName, FolderPath, AccountName, AccountUpn, ProcessVersionInfoProductName
```
List executed portable apps that have "portable" in the executable's product name
```kql
DeviceProcessEvents
// TimeGenerated is the Sentinel column name; in Defender XDR advanced hunting the column is Timestamp
| project TimeGenerated, FileName, FolderPath, AccountName, AccountUpn, ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, ProcessVersionInfoProductName
// Version-info product name as embedded by the publisher; "has" is a case-insensitive term match
| where ProcessVersionInfoProductName has "portable"
```
These queries are designed to identify portable applications on devices monitored by Microsoft Defender for Endpoint. Portable applications are programs that run without being installed on a system, which attackers can use to mimic legitimate software and evade detection. Here is a breakdown of what each query does:

1. **Identify portable executable files:** The first query looks for files classified as "PortableExecutable" with an ".exe" extension. It retrieves details such as the file name, folder path and origin URL, focusing on files that have a non-empty origin URL.
2. **Group portable files by download URL:** This query groups the identified portable executable files by their download referrer URL, providing a count of files and a list of file names associated with each URL.
3. **Files from PortableApps.com:** This query filters for files downloaded from the website "portableapps.com", a known source for portable applications.
4. **Executed portable apps from user folders:** This query lists portable applications executed from user directories or locations other than standard system directories such as Windows, Program Files or ProgramData. This helps identify potentially suspicious activity where portable apps are run from non-standard locations.
5. **Executed portable apps with "portable" in the product name:** Finally, this query identifies executed applications that have "portable" in their product name, which helps pinpoint applications explicitly designed to be portable.

Overall, these queries help security analysts detect and investigate the use of portable applications across their network, which could indicate attempts to bypass traditional security measures.
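The individual queries above answer separate questions (what was downloaded, what was run). The following added example, which is not part of the original query set, combines points 1, 4 and 5 of the breakdown into one hunt: it takes the downloaded portable executables from `DeviceFileEvents`, joins them on `DeviceId` and `SHA1` to `DeviceProcessEvents`, keeps only executions outside the standard installation directories and by non-service accounts, and flags whether the product name says "portable". It uses the Defender XDR column name `Timestamp`; on Sentinel replace it with `TimeGenerated` as in the queries above. The seven-day lookback and the `make_set` size of 10 are arbitrary choices for this example.

```kql
// Added example (not part of the original query set): join a downloaded portable
// executable to its later executions on the same device, keyed on DeviceId + SHA1.
// Column names follow Defender XDR advanced hunting (Timestamp); on Sentinel use TimeGenerated.
let lookback = 7d;  // assumed window; adjust to the hunt
// Downloaded PE files, reduced to what is needed as a join key plus origin context
let downloaded_pe =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(FileOriginUrl) and isnotempty(SHA1)
    | where tostring(parse_json(AdditionalFields).FileType) == "PortableExecutable"
    | where tostring(parse_path(FolderPath).Extension) =~ "exe"
    | project DeviceId, SHA1,
              DownloadedFile = FileName, DownloadPath = FolderPath,
              FileOriginUrl, FileOriginReferrerUrl, DownloadTime = Timestamp;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where isnotempty(SHA1)
// Same exclusions as the "user folders" query: service accounts ...
| where AccountSid !startswith "S-1-5-18" and AccountSid !startswith "S-1-5-20"
// ... and the standard installation directories (case-insensitive RE2 regex)
| where not(FolderPath matches regex @"(?i)^C:\\(Windows|Program Files( \(x86\))?|ProgramData)\\")
// Keep only processes whose image hash matches a file Defender saw being downloaded
| join kind=inner downloaded_pe on DeviceId, SHA1
| where Timestamp >= DownloadTime
// Flag, rather than filter on, the product-name hint used by the last query above
| extend PortableInProductName = ProcessVersionInfoProductName has "portable"
| summarize Executions = count(), FirstRun = min(Timestamp), LastRun = max(Timestamp),
            Users = make_set(AccountUpn, 10), RunFrom = make_set(FolderPath, 10)
    by DeviceId, DeviceName, SHA1, DownloadedFile, DownloadPath,
       FileOriginUrl, FileOriginReferrerUrl, PortableInProductName
| order by Executions desc
```

Joining on the hash rather than the file name means a renamed copy of the download still matches, and keeping `PortableInProductName` as a flag rather than a filter avoids dropping executables whose publisher never set a product name. The `RunFrom` set shows at a glance whether the file was run where it landed or moved elsewhere first.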

Alex Verboon
Released: April 5, 2025