Query Details
**Weaponized files extracting .DLL files after execution**
**Description:** When weaponized files such as Word documents are opened, they can immediately extract a disguised DLL file into the system's temporary folder while simultaneously exploiting the Equation Editor vulnerability to execute the extracted file. The following query helps identify when a Word document or another unusual file (archives such as zip are allow-listed) extracts a DLL file once it is executed.
```kusto
DeviceFileEvents
// Only files with a known origin (referrer URL or path) are of interest
| where isnotempty(FileOriginReferrerUrl)
// Last segment of the origin, i.e. the original file name (handles both "\" and "/" separators)
| extend FileOriginReferrerUrl_ext = extract(@"[^\\/]+$", 0, FileOriginReferrerUrl)
| join kind=inner (DeviceEvents) on $left.InitiatingProcessUniqueId == $right.InitiatingProcessUniqueId
// Capture group 1 is the extension without the leading dot, so it is compared to "dll", not ".dll"
| extend FilesExtension = extract(@"\.([a-zA-Z0-9]+)$", 1, FileName)
| extend OriginalFileExtension = extract(@"\.([a-zA-Z0-9]+)$", 1, FileOriginReferrerUrl_ext)
| extend Source_Type = case(FileOriginReferrerUrl startswith "http", "Web", "File")
// Archives legitimately unpack DLLs, so they are allow-listed (case-insensitive); keep only written DLLs
| where OriginalFileExtension !in~ ("zip", "7z") and FilesExtension =~ "dll"
| summarize total_Files = dcount(FileName), Files_after_execution = make_set(FileName), make_set(FilesExtension),
            make_set(ActionType), make_set(FolderPath), SHA256_Group = make_set(SHA2561) // SHA256 from the DeviceEvents side of the join
  by InitiatingProcessUniqueId, AccountUpn = InitiatingProcessAccountUpn, Device = DeviceName, FileOriginReferrerUrl,
     Source_Type, OriginalFile = FileOriginReferrerUrl_ext, OriginalFileExtension, ReportId, TimeGenerated, Timestamp, DeviceId
```
This query is designed to detect potentially malicious activity involving files that extract DLL files upon execution. Here's a simplified breakdown of what the query does:
- **Data source:** It starts from file events on devices (DeviceFileEvents) and extends each row with the last segment of the file's origin URL or path, which names the file it came from.
- **Filtering:** It drops events with an empty origin URL, so only files with a known source are considered.
- **Joining data:** It joins these rows with device events (DeviceEvents) on the unique identifier of the process that initiated the file event.
- **Extracting file extensions:** It extracts the extension of both the written file and the original file to determine their types.
- **Source identification:** It labels the origin as web (a URL starting with "http") or file.
- **Exclusion of archives:** It drops rows whose original file is an archive ("zip" or "7z"), since unpacking DLLs from archives is expected, and keeps only rows where the written file has a "dll" extension.
- **Summarization:** It counts the distinct file names and lists them, together with their extensions, action types, folder paths and SHA256 hashes, grouped by the initiating process, the user account, the device and other relevant metadata.
- **Output:** The result is a per-process summary of suspicious file activity, highlighting files that may be exploiting vulnerabilities to execute DLLs, which could indicate a security threat.
In essence, this query helps identify when potentially harmful files, like Word documents, extract and execute DLL files, which could be a sign of an exploit or malware activity.
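To check the filtering logic on concrete rows, here is an added Python re-implementation of the query's pipeline run over constructed sample events (example code, not part of the original query or of Defender); the process ids, file names, hashes and the files.example host are made up.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data); column names mirror the DeviceFileEvents / DeviceEvents fields used.
DEVICE_FILE_EVENTS = [
    # Word document dropping a DLL into %TEMP%: the case the query should report
    {"InitiatingProcessUniqueId": "p1", "FileName": "wwlib.dll", "SHA256": "h1",
     "FolderPath": r"C:\Users\a\AppData\Local\Temp\wwlib.dll",
     "FileOriginReferrerUrl": "https://files.example/invoice.docx"},
    # DLL unpacked from an archive: suppressed by the zip/7z allow-list
    {"InitiatingProcessUniqueId": "p2", "FileName": "helper.dll", "SHA256": "h2",
     "FolderPath": r"C:\Users\a\Downloads\helper.dll",
     "FileOriginReferrerUrl": r"C:\Users\a\Downloads\tools.zip"},
    # Document writing a non-DLL file: not a match
    {"InitiatingProcessUniqueId": "p3", "FileName": "notes.txt", "SHA256": "h3",
     "FolderPath": r"C:\Users\a\notes.txt", "FileOriginReferrerUrl": r"C:\Users\a\report.docx"},
    # Empty referrer: removed by the isnotempty() filter
    {"InitiatingProcessUniqueId": "p4", "FileName": "x.dll", "SHA256": "h4",
     "FolderPath": r"C:\x.dll", "FileOriginReferrerUrl": ""},
]
DEVICE_EVENTS = [  # one process event each for p1..p3; p4 has none, so the inner join drops it as well
    {"InitiatingProcessUniqueId": p, "InitiatingProcessAccountUpn": "a@example", "ActionType": "ProcessCreated"}
    for p in ("p1", "p2", "p3")]

def last_segment(url):
    """Last element of a URL or local path, i.e. the original file name (both "\\" and "/" separators)."""
    return re.search(r"[^\\/]+$", url).group(0)

def extension(name):
    """Extension without the leading dot ("dll"), which is what the KQL capture group returns."""
    return m.group(1).lower() if (m := re.search(r"\.([a-zA-Z0-9]+)$", name)) else ""

def detect(file_events, device_events, excluded=("zip", "7z")):
    """Mirror the KQL pipeline: referrer filter, inner join, extension tests, summarize per process."""
    by_proc, hits = defaultdict(list), {}
    for ev in device_events:
        by_proc[ev["InitiatingProcessUniqueId"]].append(ev)
    for fe in file_events:
        url, pid = fe["FileOriginReferrerUrl"], fe["InitiatingProcessUniqueId"]
        if not url or pid not in by_proc:          # isnotempty() and the kind=inner join
            continue
        origin = last_segment(url)
        if extension(origin) in excluded or extension(fe["FileName"]) != "dll":
            continue
        h = hits.setdefault(pid, {"Source_Type": "Web" if url.startswith("http") else "File",
                                  "OriginalFile": origin, "Files": set(), "SHA256_Group": set(),
                                  "AccountUpn": by_proc[pid][0]["InitiatingProcessAccountUpn"]})
        h["Files"].add(fe["FileName"]); h["SHA256_Group"].add(fe["SHA256"])   # make_set() equivalents
    return hits
```

Only the Word-document case (p1) survives, which is the behaviour the KQL should show once the extension test compares against "dll" rather than ".dll".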

Sergio Albea
Released: April 23, 2025