Query Details

WinRAR Encryption

Query

Query:
DeviceProcessEvents
| where ((FileName in~ ("rar.exe", "winrar.exe") or ProcessVersionInfoInternalFileName =~ "WinRAR") and ProcessCommandLine matches regex @"(?i)(^|\s)[-/](hp|p|dw|tb|ta)")
    or (FileName in~ ("7z.exe", "7za.exe") and ProcessCommandLine matches regex @"(?i)(^|\s)-(p|sdel)")

Explanation

The query hunts in the DeviceProcessEvents table for archive tools being run with switches that attackers typically use when staging data for exfiltration: password-protecting the archive and cleaning up the source files. It has two branches.

WinRAR branch: the process is Rar.exe or WinRAR.exe, or any binary whose version-info internal file name is "WinRAR" (this catches a renamed copy of the tool). The command line must carry one of these switches, which WinRAR accepts with either a - or a / prefix: -hp (encrypt both file data and archive headers, so even the file names inside are hidden), -p (set a password), -dw (wipe the source files after they are archived), and -tb or -ta (archive only files modified before or after a given date, a common way to scope a collection job).

7-Zip branch: the process is 7z.exe or 7za.exe and the command line contains -p (set a password) or -sdel (delete the source files after compression).

Two things to check when adapting the query. First, KQL's has_any matches whole terms and treats * as a literal character, so a pattern such as "-hp*" or "-tb" never matches a switch that has its argument glued to it ("-hpSecret", "-tb20230901"); match switches with matches regex anchored to the start of an argument instead. Second, == and in are case-sensitive and the WinRAR command-line tool ships as Rar.exe, so compare file names with =~ or in~.

Expect some noise from legitimate backup and software-packaging jobs. Pivot on the archive path in ProcessCommandLine, the parent process, and subsequent DeviceFileEvents or DeviceNetworkEvents from the same device to confirm that data was staged and then moved.
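The detection logic above, replayed in Python over a handful of constructed DeviceProcessEvents rows. This is an added example, not code from the original page or from the query's author: the events are made up, the switch regexes mirror the intent of the query (a switch at the start of an argument, - or / for WinRAR, - only for 7-Zip), and naive_has_any is only an approximation of KQL's whole-term matching, included to show why a literal "-hp*" pattern misses "-hpSecret".

```python
"""Replay the WinRAR / 7-Zip encryption-switch hunt over sample process events.

Added example; the events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the query uses."""
    DeviceName: str
    FileName: str
    ProcessVersionInfoInternalFileName: str
    ProcessCommandLine: str


RAR_NAMES = {"rar.exe", "winrar.exe"}
SEVENZIP_NAMES = {"7z.exe", "7za.exe"}

# A switch is the first thing in an argument: start of line or whitespace, then the
# prefix, then the switch name. Whatever follows (password, date) is ignored, which is
# exactly what a term-based has_any cannot do. Assumed regexes, see lead-in.
RAR_SWITCH_RE = re.compile(r"(?:^|\s)[-/](hp|p|dw|tb|ta)", re.IGNORECASE)   # WinRAR: - or /
SEVENZIP_SWITCH_RE = re.compile(r"(?:^|\s)-(p|sdel)", re.IGNORECASE)        # 7-Zip: - only

SWITCH_MEANING = {
    "hp": "encrypt file data and headers",
    "p": "set archive password",
    "dw": "wipe source files after archiving",
    "tb": "only files modified before a date",
    "ta": "only files modified after a date",
    "sdel": "delete source files after compression",
}


def archive_switches(ev: ProcessEvent) -> list[str]:
    """Return the suspicious switches found on the command line (lower-cased, sorted),
    or [] when the process is not one of the archivers or carries none of them."""
    name = ev.FileName.lower()  # KQL == is case-sensitive; normalise like =~ / in~ do
    if name in RAR_NAMES or ev.ProcessVersionInfoInternalFileName.lower() == "winrar":
        pattern = RAR_SWITCH_RE
    elif name in SEVENZIP_NAMES:
        pattern = SEVENZIP_SWITCH_RE
    else:
        return []
    return sorted({m.group(1).lower() for m in pattern.finditer(ev.ProcessCommandLine)})


def naive_has_any(cmdline: str, terms: list[str]) -> bool:
    """Approximation of KQL has_any: the command line is broken into alphanumeric terms
    and each search string must equal a whole term; '*' is a literal, not a wildcard.
    A switch glued to its argument ('-hpSecret' -> term 'hpsecret') is therefore never hit."""
    tokens = set(re.split(r"[^A-Za-z0-9_]+", cmdline.lower()))
    return any(t.lstrip("-/").lower() in tokens for t in terms)


def alerts(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """(DeviceName, switches) for every event the hunt would surface."""
    return [(ev.DeviceName, sw) for ev in events if (sw := archive_switches(ev))]


# Constructed sample rows: two should alert for WinRAR, one for 7-Zip, two are benign.
EVENTS = [
    ProcessEvent("WS01", "Rar.exe", "Rar",
                 r'"C:\Program Files\WinRAR\Rar.exe" a -hpS3cret! -dw C:\Users\alice\AppData\Local\Temp\data.rar C:\Finance\*.xlsx'),
    ProcessEvent("WS02", "updater.exe", "WinRAR",          # renamed binary, caught via internal name
                 r"updater.exe a /pHunter2 /ta20230901 out.rar D:\HR"),
    ProcessEvent("WS03", "7za.exe", "7za",
                 r"7za.exe a -pInfected -sdel loot.7z C:\Users\bob\Documents"),
    ProcessEvent("WS04", "WinRAR.exe", "WinRAR",           # plain extraction, no switches
                 r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Downloads\setup.rar'),
    ProcessEvent("WS05", "7z.exe", "7z",                   # unencrypted backup, no cleanup
                 r"7z.exe a backup.7z C:\Projects"),
]


if __name__ == "__main__":
    for device, switches in alerts(EVENTS):
        print(device, ", ".join(f"-{s} ({SWITCH_MEANING[s]})" for s in switches))
    # Why the original has_any("-hp*", "-p*") form is blind to a password on the switch:
    print("term match:", naive_has_any("rar a -hpSecret out.rar docs", ["-hp*", "-p*"]))
    print("regex match:", archive_switches(ProcessEvent("X", "rar.exe", "Rar",
                                                        "rar a -hpSecret out.rar docs")))
```

Running it lists WS01, WS02 and WS03 with the switches that triggered, and shows the term-based check returning False for the same "-hpSecret" command line that the regex flags. The renamed-binary case (WS02) is the reason the query keeps the ProcessVersionInfoInternalFileName clause alongside FileName.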

Details

Ali Hussein

Released: September 30, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, FileName, ProcessVersionInfoInternalFileName, ProcessCommandLine

Operators

where, or, and, ==, has_any, in
