Query Details

Security Event: Windows Binaries Executed from Non-Default Directory

Query

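// Analyst-maintained allow-list of (process, partial path) pairs that are
// expected in this environment, read from the
// "Activity-ExpectedSignificantActivity" watchlist (rows tagged "LOLBASPath").
// Auxiliar appears to carry the binary name and SourceAddress its location —
// confirm against the watchlist schema. PartialPath keeps only the drive plus
// the first two folders, the same shape the main query extracts from
// NewProcessName, so the leftanti join keys line up.
let _ExpectedFilePaths =
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "LOLBASPath"
    | project
        ParsedProcess = tolower(Auxiliar),
        PartialPath = extract(@"([c-z]\:\\[^\\]+\\[^\\]+)", 1, tolower(SourceAddress))
    // Mirror the isnotempty() filter applied to _LOLBAS before the join: a
    // watchlist row whose SourceAddress yields no match would carry an empty
    // PartialPath and silently suppress every event for that process whose
    // NewProcessName also fails the regex (e.g. a non drive-letter path).
    | where isnotempty(PartialPath)
;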
// Catalogue of Windows LOLBAS binaries and their documented install paths,
// fetched at query time from the LOLBAS project's published CSV.
// NOTE(review): this is a live dependency on a remote URL. If the file is
// unreachable the query fails, and its contents feed the allow-list used by
// the leftanti join below, so a change in the upstream data changes what this
// detection suppresses. Consider pinning a vetted copy (e.g. a watchlist).
let _LOLBAS = externaldata(
    Filename: string,
    Description: string,
    Author: string,
    Date: datetime,
    Command: string,
    CommandDescription: string,
    CommandUsecase: string,
    CommandCategory: string,
    CommandPrivileges: string,
    Technique: string,
    OperatingSystem: string,
    Paths: string,
    Detections: string,
    Resources: string,
    Acknowledgements: string,
    URL: string
    )[@"https://lolbas-project.github.io/api/lolbas.csv"] with (format="csv", ignoreFirstRecord=True)
    | project Filename, Paths
    // Keep only entries that document a Windows drive-letter location.
    | where Paths has @"C:\"
    // Paths lists several locations in one cell; assumes ", " is the delimiter
    // used by the feed — confirm against the CSV.
    | mv-expand Path = split(Paths, ", ") to typeof(string)
    // Same drive + two-folder shape as the main query's PartialPath. Only "c:"
    // is captured here, consistent with the has @"C:\" filter above; a Path
    // that does not match yields an empty PartialPath, which the main query
    // drops with isnotempty() before joining.
    | distinct
        ParsedProcess = tolower(Filename),
        PartialPath = extract(@"(c\:\\[^\\]+\\[^\\]+)", 1, tolower(Path))
;
// Scalar dynamic array of every distinct lower-cased LOLBAS file name, used as
// the has_any() pre-filter on SecurityEvent.Process in the main query.
// distinct before make_set() is redundant with the set semantics but makes the
// intent (one entry per file name) explicit.
let _LOLBASFiles = toscalar(
    _LOLBAS
    | distinct ParsedProcess
    | summarize make_set(ParsedProcess)
);
// Main query: process-creation events whose image name is a LOLBAS binary but
// whose location is neither the LOLBAS-documented path nor an allow-listed one.
SecurityEvent
// 4688 = process creation. has_any against the LOLBAS file-name set is a cheap
// pre-filter on Process before the regex extraction below.
| where EventID == 4688 and Process has_any (_LOLBASFiles)
| extend
    ParsedProcess = tolower(Process),
    // Drive letter plus the first two folders only (e.g. "c:\windows\system32"),
    // the same granularity used for the _LOLBAS and _ExpectedFilePaths keys.
    // NOTE(review): because only two folder levels are compared, an execution
    // from any subfolder beneath an allowed location produces the same
    // PartialPath and is suppressed by the leftanti join; tighten the regex in
    // all three places if full-directory matching is wanted. Drive letters
    // a:/b: are not captured by [c-z] and yield an empty PartialPath.
    PartialPath = extract(@"([c-z]\:\\[^\\]+\\[^\\]+)", 1, tolower(NewProcessName))
// leftanti keeps only events with no (ParsedProcess, PartialPath) match in the
// allow-list: LOLBAS-documented paths (non-empty only) unioned with the
// watchlist entries.
| join kind=leftanti (
    union
        (_LOLBAS
        | where isnotempty(PartialPath)
        ),
        _ExpectedFilePaths
    ) on ParsedProcess, PartialPath
// One row per host / account / image path; Count is the number of 4688 events
// collapsed into it and take_any() picks an arbitrary representative event for
// the remaining columns.
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    Count = count(),
    take_any(AccountType, Activity, CommandLine, Process, ParentProcessName, SubjectLogonId, TokenElevationType)
    by Computer, Account, NewProcessName
| project
    StartTime,
    EndTime,
    Computer,
    Account,
    AccountType,
    Activity,
    Count,
    CommandLine,
    Process,
    NewProcessName,
    ParentProcessName,
    SubjectLogonId,
    TokenElevationType

Explanation

This query monitors Windows hosts for binaries catalogued by the LOLBAS (Living Off The Land Binaries and Scripts) project being executed from a directory other than their expected one. It combines a watchlist of expected significant activities with the binary and path list published by the LOLBAS project.

The query first retrieves the watchlist and filters for activities related to LOLBASPath. It then retrieves the LOLBAS data from an external CSV file, focusing on the filename and paths, and specifically looking for paths that start with "C:".

The query then checks process-creation security events (EventID 4688) for processes whose name matches a LOLBAS filename. It excludes executions whose drive and first two path components match either the path documented by LOLBAS or an entry on the expected file paths watchlist.

For any suspicious processes found, the query summarizes the start and end time of the activity, the number of occurrences, and other related information such as the account involved, the command line used, and the parent process name.

The result is a detailed report of potential suspicious activity on the system, which can be used for further investigation.

Details


Jose Sebastián Canós

Released: May 23, 2023

Tables

_GetWatchlist, SecurityEvent

Keywords

ExpectedFilePaths,LOLBASPath,Auxiliar,SourceAddress,LOLBAS,Filename,Description,Author,Date,Command,CommandDescription,CommandUsecase,CommandCategory,CommandPrivileges,Technique,OperatingSystem,Paths,Detections,Resources,Acknowledgements,URL,LOLBASFiles,SecurityEvent,EventID,Process,NewProcessName,StartTime,EndTime,Count,AccountType,Activity,CommandLine,ParentProcessName,SubjectLogonId,TokenElevationType,Computer,Account

Operators

_GetWatchlist(), where, project, tolower(), extract(), externaldata(), with, has, mv-expand, split(), to typeof(), distinct, toscalar(), summarize, make_set(), SecurityEvent, extend, join, kind=leftanti, union, isnotempty(), min(), max(), count(), take_any(), by
