Query Details

Web Dav Temp Files

Query

Tags:
    - attack.initial_access
    - attack.execution
Query:
    DeviceFileEvents
        | where InitiatingProcessFileName contains "rundll32.exe" // you could change it to InitiatingProcessVersionInfoInternalFileName contains "rundll"
        | where FolderPath contains "TfsStore"
        | where FileName endswith ".vbs" or FileName endswith ".ps1" or FileName endswith ".lnk" or FileName endswith ".zip" or FileName endswith ".ico" or FileName endswith ".bat"


References:
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462

Explanation

This KQL (Kusto Query Language) query is designed to identify potentially malicious file events on devices. Here's a simple summary:

  1. Source Table: The query looks at the DeviceFileEvents table, which logs file-related activities on devices.
  2. Filter Conditions:
    • It checks whether the initiating process (the process that started the file event) has a file name containing rundll32.exe.
    • It further filters events where the file path includes "TfsStore".
    • It looks for files with specific extensions that are often associated with scripts or potentially harmful files: .vbs, .ps1, .lnk, .zip, .ico, and .bat.

In essence, the query is searching for file events initiated by rundll32.exe within the "TfsStore" directory, focusing on files that have extensions commonly used in attacks or scripting.
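To sanity-check the rule's logic offline, here is an added Python example (not part of the original page) that applies the same three filter conditions to constructed DeviceFileEvents-style records; the Tfs_DAV folder path and the file names are constructed sample values.

```python
# Added example: mirrors the KQL filter conditions over constructed records so
# the rule's matching behaviour can be checked before deployment.
from typing import Dict, List

# Extensions the rule treats as script / payload carriers (taken from the query).
SUSPICIOUS_EXTENSIONS = (".vbs", ".ps1", ".lnk", ".zip", ".ico", ".bat")


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies every 'where' clause of the KQL.

    KQL 'contains' and 'endswith' are case-insensitive, so all comparisons
    are lower-cased here to mirror that behaviour.
    """
    proc = event.get("InitiatingProcessFileName", "").lower()
    folder = event.get("FolderPath", "").lower()
    name = event.get("FileName", "").lower()
    return (
        "rundll32.exe" in proc
        and "tfsstore" in folder
        and name.endswith(SUSPICIOUS_EXTENSIONS)
    )


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the FileName of each matching event (like '| project FileName')."""
    return [e["FileName"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
DAV_TEMP = r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV"
SAMPLE_EVENTS = [
    # Shortcut written under TfsStore by rundll32.exe: should match.
    {"InitiatingProcessFileName": "rundll32.exe", "FolderPath": DAV_TEMP,
     "FileName": "invoice.lnk"},
    # Same folder and process, but a benign document extension: no match.
    {"InitiatingProcessFileName": "rundll32.exe", "FolderPath": DAV_TEMP,
     "FileName": "readme.txt"},
    # Script extension, but written by explorer.exe outside TfsStore: no match.
    {"InitiatingProcessFileName": "explorer.exe",
     "FolderPath": r"C:\Users\alice\Downloads", "FileName": "setup.bat"},
    # Upper-case process and extension: case-insensitive, so this matches.
    {"InitiatingProcessFileName": "RUNDLL32.EXE", "FolderPath": DAV_TEMP,
     "FileName": "update.VBS"},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['invoice.lnk', 'update.VBS']
```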

Details


Ali Hussein

Released: September 12, 2023

Tables

DeviceFileEvents

Keywords

Devices

Operators

contains, endswith, or
