Query Details
// ─────────────────────────────────────────────────────────────────────────────
// Hunt: Masqueraded Installer Detection (MITRE ATT&CK T1036.005)
//
// Catch files with a legitimate installer FILENAME but a DIFFERENT SHA256
// than the known-good hash captured directly from each vendor's official
// download URL.
//
// Hash baseline: see Allowlist-LegitInstallers/legit-installers.csv
// Updated: 2026-06-06T17:30:00Z (regenerate periodically; vendor releases drift,
// and each new release adds another valid hash for the same filename)
//
// Tables: DeviceFileEvents (Microsoft Defender for Endpoint advanced hunting)
// Adapt to your platform: in Sentinel use DeviceFileEvents from the M365D
// connector; in Splunk substitute the equivalent file-creation event source.
// ─────────────────────────────────────────────────────────────────────────────
let LookbackDays = 7d;
let LegitInstallers = datatable(FileName:string, SHA256:string, App:string)
[
"googlechrome.dmg", "a554745b5c860b1528eb85695269b310549e758657905da5d20448a20d87904c", "Google Chrome",
"ChatGPT.dmg", "bd9722304ae73d0bfb90ac21768b56a0030362bd3e6b7669f45ced76f09eed41", "ChatGPT Desktop",
"Cursor-darwin-arm64.dmg", "4f12e91c67381fe5b69cd6388334bccf8402ba0da551982663ebfbe8ef2057eb", "Cursor",
"VSCode-darwin-arm64.zip", "cd8bed045a00acd427dc07c02dfe2bc59523bfe5fd205fa0a2ce2d67b200f09d", "Visual Studio Code",
"Notion-universal.dmg", "616e88cb385950bf5df1c81d44384f9714fafd9da24222a91a2511354b88952d", "Notion",
"Slack-arm64.dmg", "0c7e302a1822ee4d22bc4966d93ac794820557782308b825f92e08fba3db9d74", "Slack",
"Zoom-arm64.pkg", "0abc1e5693297827802d8ac3239dd974767828e3c8abbfc0c24bd6c148b96bdd", "Zoom",
"anydesk.dmg", "2c96df77040a19429b75b5add9de6c769025a48f3bcfcfe5c858f6cfb9c8a205", "AnyDesk",
"ghidra_12.1.2_PUBLIC.zip", "55f4b89f988bb83c5090860073934653f67fbc5f2b26cad527210c71636eac46", "Ghidra"
];
// One row per watched filename: the app name + set of all known-good hashes
// for that name (handles future expansion to arch/version variants).
let WatchedByName = LegitInstallers
| summarize KnownHashes = make_set(SHA256), App = take_any(App) by FileName; // take_any() replaces the deprecated any()
DeviceFileEvents
| where Timestamp > ago(LookbackDays)
| join kind=inner WatchedByName on FileName // join keys are case-sensitive; normalize with tolower() on both sides if filename case varies
| where not(set_has_element(KnownHashes, SHA256)) // hash is not in the dynamic set of known-good hashes for this name
| project
Timestamp,
DeviceName,
FileName,
SHA256,
SuspectedApp = App,
FolderPath,
ActionType,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
FileOriginUrl,
FileOriginReferrerUrl
| order by Timestamp desc
This query detects files that masquerade as legitimate installers. It compares the SHA256 hash of any file whose name matches a watched installer filename against the set of known-good hashes for that name. A file with a legitimate installer's name but a hash outside that set is flagged for investigation.
Here's a simple breakdown of what the query does:
Define a Time Frame: It looks back over the past 7 days for relevant file events.
Create a List of Legitimate Installers: It sets up a table with known legitimate installer filenames and their corresponding SHA256 hashes. This list acts as a baseline for comparison.
Summarize Known Hashes: For each installer filename, it gathers all known-good hashes and associates them with the corresponding application name.
Filter Recent File Events: It examines recent file events from the DeviceFileEvents table, keeping only those whose FileName exactly matches a watched installer filename (the join is case-sensitive unless both sides are normalized).
Identify Suspicious Files: It checks whether the SHA256 hash of each matching file is absent from the set of known-good hashes for that filename. If the hash matches none of them, the file is considered suspicious.
Output Details: For each suspicious file, it outputs the timestamp, device name, filename, hash, suspected application, file path, action type, the initiating process (name, command line and account), and the download origin and referrer URLs, which help confirm whether the file came from the vendor's site.
Order Results: Finally, it sorts the results by timestamp in descending order, showing the most recent events first.
This query helps in identifying files that might be maliciously using the names of trusted installers to avoid detection.
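The detection logic described above, re-implemented offline in Python as an added example (it is not the author's query and uses no Microsoft API): it loads a baseline in the shape of legit-installers.csv, renders it back into the KQL datatable block so a regenerated CSV can be pasted into the query, and runs the "watched filename but unknown hash" check over constructed DeviceFileEvents-style records. All hashes, device names and events below are constructed placeholders. The example goes one step beyond the query in two ways: it matches filenames case-insensitively (the KQL join is case-sensitive unless both sides are wrapped in tolower()), and it keeps several valid hashes per filename so a new vendor release does not turn the previous installer into a false positive.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Placeholder hashes (constructed, not real vendor hashes).
H_CHROME = "a" * 64
H_SLACK_OLD = "b" * 64
H_SLACK_NEW = "c" * 64
H_UNKNOWN = "d" * 64

# Constructed baseline in the shape of legit-installers.csv (FileName,SHA256,App).
# Slack-arm64.dmg appears twice: after a vendor release both hashes stay valid.
BASELINE_CSV = f"""FileName,SHA256,App
googlechrome.dmg,{H_CHROME},Google Chrome
Slack-arm64.dmg,{H_SLACK_OLD},Slack
Slack-arm64.dmg,{H_SLACK_NEW},Slack
"""


def load_baseline(csv_text):
    """Mirror the KQL summarize: FileName -> (App, set of known-good SHA256)."""
    by_name = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app, hashes = by_name.setdefault(row["FileName"], (row["App"], set()))
        hashes.add(row["SHA256"].lower())
    return by_name


def render_datatable(by_name):
    """Emit the LegitInstallers datatable block for pasting into the KQL query."""
    rows = [f'"{name}", "{h}", "{app}"'
            for name, (app, hashes) in sorted(by_name.items())
            for h in sorted(hashes)]
    return ("let LegitInstallers = datatable(FileName:string, SHA256:string, App:string)\n[\n"
            + ",\n".join(rows) + "\n];")


def hunt(events, by_name, now, lookback=timedelta(days=7)):
    """Flag events with a watched filename whose hash is not in the baseline.

    Filenames are matched case-insensitively here; the KQL join is
    case-sensitive unless both sides are normalized with tolower().
    """
    lower_index = {name.lower(): name for name in by_name}
    cutoff = now - lookback
    hits = []
    for ev in events:
        if ev["Timestamp"] <= cutoff:
            continue  # outside LookbackDays
        name = lower_index.get(ev["FileName"].lower())
        if name is None:
            continue  # not a watched installer filename
        app, known = by_name[name]
        if ev["SHA256"].lower() not in known:
            hits.append({**ev, "SuspectedApp": app})
    # Same ordering as the query: most recent first.
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Fixed clock so the lookback window is deterministic (constructed).
NOW = datetime(2026, 6, 6, 17, 30, tzinfo=timezone.utc)

# Constructed DeviceFileEvents-style records covering the interesting cases.
SAMPLE_EVENTS = [
    # Genuine Chrome installer: hash matches, not flagged.
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "mac-01",
     "FileName": "googlechrome.dmg", "SHA256": H_CHROME, "FolderPath": "/Users/a/Downloads"},
    # Older Slack release still in the baseline: not flagged.
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "mac-02",
     "FileName": "Slack-arm64.dmg", "SHA256": H_SLACK_OLD, "FolderPath": "/Users/b/Downloads"},
    # Slack filename with an unknown hash: flagged.
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "mac-03",
     "FileName": "Slack-arm64.dmg", "SHA256": H_UNKNOWN, "FolderPath": "/Users/c/Downloads"},
    # Case-variant Chrome filename with an unknown hash: flagged here, missed by a case-sensitive join.
    {"Timestamp": NOW - timedelta(hours=4), "DeviceName": "mac-04",
     "FileName": "GoogleChrome.dmg", "SHA256": H_UNKNOWN, "FolderPath": "/Users/d/Downloads"},
    # Not a watched filename: ignored.
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "mac-05",
     "FileName": "notes.txt", "SHA256": H_UNKNOWN, "FolderPath": "/Users/e/Documents"},
    # Suspicious but older than the 7-day lookback: ignored.
    {"Timestamp": NOW - timedelta(days=10), "DeviceName": "mac-06",
     "FileName": "googlechrome.dmg", "SHA256": H_UNKNOWN, "FolderPath": "/Users/f/Downloads"},
]


def demo():
    """Run the hunt over the constructed events; returns the flagged records."""
    return hunt(SAMPLE_EVENTS, load_baseline(BASELINE_CSV), now=NOW)


if __name__ == "__main__":
    for hit in demo():
        print(hit["Timestamp"].isoformat(), hit["DeviceName"], hit["FileName"],
              hit["SuspectedApp"], hit["SHA256"][:12])
    print(render_datatable(load_baseline(BASELINE_CSV)))
```

Run as a script it prints the two flagged records and the regenerated datatable block; in practice the CSV would be refreshed from the vendor download URLs before rendering, and the rendered block replaces the LegitInstallers definition in the query.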

Sergio Albea
Released: June 6, 2026