Query Details

Rule : Detection of Unsigned Executable Launches from User Directories

Unsgined Executionsfromuserdirectories

Query

DeviceProcessEvents
| where FolderPath has_any ("\\Users\\", "\\Downloads\\", "\\AppData\\", "\\Temp\\")
| where InitiatingProcessSignatureStatus in ("Unknown", "Unsigned", "Invalid")
| where FileName endswith ".exe"
| where ProcessVersionInfoCompanyName != "Telegram FZ-LLC"
| where ProcessVersionInfoProductName != "Zoom"
| where InitiatingProcessVersionInfoFileDescription != "Google Chrome"
| where InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "msedge.exe")

About this query

Explanation

This query is designed to detect potentially malicious activity on a Windows system by identifying when unsigned or suspiciously signed executable files are launched from common user directories. Here's a simplified breakdown:

  1. Purpose: The query aims to catch instances where potentially harmful executable files are run from user directories, which is a common tactic used by attackers to trick users into executing malicious software.

  2. Monitored Directories: It focuses on files located in directories typically used by users, such as:

    • \Users\
    • \Downloads\
    • \AppData\
    • \Temp\
  3. Signature Status: It looks for executables with a signature status of:

    • Unknown
    • Unsigned
    • Invalid
  4. File Type: The query specifically targets files with the .exe extension, which are executable files.

  5. Exclusions: To reduce false positives, it excludes processes associated with known legitimate software, such as:

    • Telegram
    • Zoom
  6. Initiating Processes: It checks if the executables were launched by common user-facing applications like:

    • Windows Explorer (explorer.exe)
    • Google Chrome (chrome.exe)
    • Microsoft Edge (msedge.exe)
  7. Tags: The query is tagged with terms related to security threats, such as unsigned executables, malware delivery, and fake installer detection.

  8. Actionable Insight: By monitoring these parameters, security teams can detect and respond to potential threats early, such as those involving fake installers that lead to malware or ransomware infections.

Overall, this query helps in identifying suspicious activities that could indicate an initial access attempt by attackers through deceptive means.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 9, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsUserDirectoryExecutionMalwareDeliveryWindowsSecurity

Operators

has_anyinendswith!=in~

Actions

GitHub