Suspicious Unsigned File Executed In User Writeable Folder
Query
let WhitelistedHashesSHA256 = dynamic([
"cd91d0f5560c3911710d17b6690c7c05452b7d1a14f08668e175962d022fea7c", //ffprobe.exe
"2b3caae67f2cd1ec3d2fca81348afcdff813db41a8a0cfd5c9126505f894afb0", //Python Install Manager Installer.exe
"d83db09332f423ec35e1fbf025f4045ca0baefec26e35a7e918cd6e921d12848" //Abelssoft CheckDrive 2026
]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath has_any (@"\Users\",@"\ProgramData\")
| where InitiatingProcessSignatureStatus != "Valid"
| where SHA256 !in (WhitelistedHashesSHA256)
| invoke FileProfile(SHA256)
| where GlobalPrevalence < 2500
| where SignatureState != "SignedValid"About this query
Explanation
This query is designed to detect potentially suspicious activities on a computer system by identifying the execution of unsigned or improperly signed executable files from directories where users typically have write access, such as the \Users\ or \ProgramData\ folders. Here's a simplified breakdown of what the query does:
-
Whitelist Check: It starts by defining a list of known safe file hashes (SHA256). These are files that are considered safe and should not trigger an alert.
-
Process Creation Monitoring: The query looks for events where a new process is created.
-
Folder Path Filtering: It specifically checks if the process was started from user-writable folders like \Users\ or \ProgramData.
-
Signature Validation: It filters out processes that have a valid digital signature, focusing on those that do not.
-
Hash Check: It ensures that the file's hash is not in the predefined whitelist of safe files.
-
Global Prevalence Check: It further narrows down the results by checking if the file is not widely used globally (less than 2500 instances).
-
Signature State Check: Finally, it checks if the file's signature state is not valid.
The goal of this query is to identify potentially malicious or unauthorized software that might be running from locations where users have the ability to write files, which could bypass standard security measures. This is particularly useful for detecting malware or unauthorized software installations that do not follow the usual deployment and security protocols.
