Query Details
let recycle_bin_paths = dynamic([@":\RECYCLER", @":\$RECYCLE.BIN"]);
let lolbas_filenames = toscalar(
externaldata(
Filename:string // only the first CSV column is read; the remaining columns (and the trailing comma) are commented out:
// Description:string,
// Author:string,
// Date:datetime,
// Command:string,
// CommandDescription:string,
// CommandUsecase:string,
// CommandCategory:string,
// CommandPrivileges:string,
// Technique:string,
// OperatingSystem:string,
// Paths:string,
// Detections:string,
// Resources:string,
// Acknowledgements:string,
// URL:string
) [@"https://lolbas-project.github.io/api/lolbas.csv"] with (format="csv", ignoreFirstRecord=True)
| summarize make_set(Filename)
);
union
(SecurityEvent
| where EventID == 4688
| where (CommandLine has_any (recycle_bin_paths) and CommandLine has_any (lolbas_filenames))
or (NewProcessName has_any (recycle_bin_paths) and Process has_any (lolbas_filenames))
| project TimeGenerated, Computer, Account, AccountType, SubjectLogonId, TargetAccount, Activity, ParentProcessName, NewProcessName, CommandLine
),
(SecurityEvent
| where EventID == 4663
| where ObjectName has_any (recycle_bin_paths) and ObjectName has_any (lolbas_filenames)
| project TimeGenerated, Computer, Account, AccountType, SubjectLogonId, TargetAccount, Activity, ObjectType, ObjectName, EventData
)
This query is designed to detect potentially malicious activity by looking for specific events in the security logs.
First, it defines two sets of data: 'recycle_bin_paths' and 'lolbas_filenames'. 'recycle_bin_paths' contains the Recycle Bin directory paths, while 'lolbas_filenames' is a list of binary filenames fetched at query time (via externaldata()) from the CSV file published by the LOLBAS (Living Off The Land Binaries and Scripts) project.
The query then looks for two types of security events: EventID 4688 and EventID 4663.
For EventID 4688, it checks if the command line or new process name contains any of the recycle bin paths and filenames from the LOLBAS project. If it does, it projects (or selects) various details about the event such as the time it was generated, the computer where it occurred, the account involved, and details about the process.
For EventID 4663, it checks if the object name contains any of the recycle bin paths and filenames from the LOLBAS project. If it does, it projects similar details as above, along with the object type and event data.
In simple terms, this query is looking for instances where potentially harmful binaries (as identified by the LOLBAS project) are being executed from, or accessed within, a Recycle Bin directory on the system, a location legitimate software rarely runs from.
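To show how the two branches of the union behave on concrete events, here is an added Python re-implementation of the matching logic (not part of the original query) run over constructed sample events. It assumes a small hard-coded subset of LOLBAS filenames in place of the externaldata() fetch, and approximates KQL has_any with case-insensitive substring matching rather than Kusto's term index.

```python
from typing import Dict, List

# Constants mirrored from the KQL query.
RECYCLE_BIN_PATHS = [r":\RECYCLER", r":\$RECYCLE.BIN"]

# Constructed subset standing in for the LOLBAS CSV pulled by externaldata().
LOLBAS_FILENAMES = {"certutil.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}


def has_any(text: str, terms) -> bool:
    """Approximation of KQL has_any: case-insensitive substring match.
    (Kusto 'has' works on indexed terms, so this is an assumption, not exact.)"""
    low = text.lower()
    return any(t.lower() in low for t in terms)


def matches(event: Dict) -> bool:
    """True when the event would be returned by the union query."""
    if event.get("EventID") == 4688:
        cmd = event.get("CommandLine", "")
        path = event.get("NewProcessName", "")
        proc = event.get("Process", "")
        return ((has_any(cmd, RECYCLE_BIN_PATHS) and has_any(cmd, LOLBAS_FILENAMES))
                or (has_any(path, RECYCLE_BIN_PATHS) and has_any(proc, LOLBAS_FILENAMES)))
    if event.get("EventID") == 4663:
        obj = event.get("ObjectName", "")
        return has_any(obj, RECYCLE_BIN_PATHS) and has_any(obj, LOLBAS_FILENAMES)
    return False


def run_detection(events: List[Dict]) -> List[int]:
    """Return the ids of events that trigger the detection."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 4688, "Process": "certutil.exe", "CommandLine": "certutil.exe /?",
     "NewProcessName": r"C:\$Recycle.Bin\S-1-5-21-1111\certutil.exe"},      # LOLBAS from Recycle Bin
    {"id": 2, "EventID": 4688, "Process": "certutil.exe", "CommandLine": "certutil.exe /?",
     "NewProcessName": r"C:\Windows\System32\certutil.exe"},                 # normal location
    {"id": 3, "EventID": 4688, "Process": "explorer.exe", "NewProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe C:\$RECYCLE.BIN\S-1-5-21-1111\report.docx"},  # path only
    {"id": 4, "EventID": 4663, "ObjectName": r"C:\$RECYCLE.BIN\S-1-5-21-1111\rundll32.exe"},
    {"id": 5, "EventID": 4663, "ObjectName": r"C:\$RECYCLE.BIN\S-1-5-21-1111\photo.jpg"},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # [1, 4]
```

Events 2, 3 and 5 show the two conditions are conjunctive: a LOLBAS name in a normal path, or a Recycle Bin path without a LOLBAS name, does not match.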

Jose Sebastián Canós
Released: March 10, 2023