
Executable Files Program Data Folder

Query

# Detect Executable Files in C:\ProgramData

## Query Information

#### Description
This query detects rare executable files that are created in the folder C:\ProgramData\* and all its subfolders. Executable files are not commonly created in this folder, so such file creations should be investigated. An attacker can use those folders to 

Note: The query for Sentinel differs from the one for MDE because the MDE version uses the FileProfile function, which is currently not supported by Sentinel. I therefore suggest running this query in MDE for the best results. 

#### Risk
An adversary drops payloads under C:\ProgramData\* so that they blend in with legitimate application data and stay undetected. 

#### References
- https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
- https://logpoint.com/en/blog/inside-darkgate

## Defender XDR
```KQL
// The start of the folder path; subfolders of C:\ProgramData are matched as well.
let ProgramDataFolder = @'C:\ProgramData';
// List with Executable File Extensions, can be adjusted or changed.
let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta', 'js']);
// Prevalence Threshold, if the file exceeds this threshold it is likely to be benign.
let FilePrevalenceThreshold = 250;
DeviceFileEvents
// Only file creations; a rename covers a payload dropped under a neutral name and renamed in place.
| where ActionType in ('FileCreated', 'FileRenamed')
// FolderPath includes the file name, so a substring match covers ProgramData and all subfolders.
| where FolderPath contains ProgramDataFolder
// Extract File Extension from the filename (greedy match, so the text after the last dot).
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Only list Files that are executable (in~ is case-insensitive).
| where FileExtension in~ (ExecutableFileExtensions)
// Enrich with file reputation data. FileProfile enriches at most 1000 rows;
// rows beyond that keep an empty GlobalPrevalence and drop out of the next filter.
| invoke FileProfile('SHA256', 1000)
// Filter based on FilePrevalenceThreshold
| where GlobalPrevalence <= FilePrevalenceThreshold
| project Timestamp, DeviceName, FileExtension, FolderPath, GlobalPrevalence, Signer, Publisher, ReportId, DeviceId
```

## Sentinel
```KQL
// The start of the folder path; subfolders of C:\ProgramData are matched as well.
let ProgramDataFolder = @'C:\ProgramData';
// List with Executable File Extensions, can be adjusted or changed.
let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta', 'js']);
DeviceFileEvents
// Only file creations; a rename covers a payload dropped under a neutral name and renamed in place.
| where ActionType in ('FileCreated', 'FileRenamed')
// FolderPath includes the file name, so a substring match covers ProgramData and all subfolders.
| where FolderPath contains ProgramDataFolder
// Extract File Extension from the filename (greedy match, so the text after the last dot).
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Only list Files that are executable (in~ is case-insensitive).
| where FileExtension in~ (ExecutableFileExtensions)
// No FileProfile in Sentinel, so keep the hash and the writing process for manual triage.
| project Timestamp, DeviceName, FileExtension, FolderPath, SHA256, InitiatingProcessFileName, ReportId, DeviceId
```

Explanation

This query is designed to identify unusual executable files that are created in the C:\ProgramData directory and its subdirectories. Legitimate software writes executables there far less often than to Program Files, so executable files found there should be investigated because they might indicate malicious activity. Attackers use this directory to hide their payloads among application data and avoid detection.

Key Points of the Query:

  1. Target Directory: The query focuses on files within the C:\ProgramData directory and its subfolders. FolderPath in DeviceFileEvents includes the file name, so a substring match on C:\ProgramData covers both.

  2. Executable File Extensions: It looks for files with specific extensions that are considered executable, such as .exe, .bat, .cmd, etc.

  3. Prevalence Threshold (Defender XDR only): The query filters out files that are commonly seen (a GlobalPrevalence above 250), as these are likely benign. This helps in focusing on rare and potentially suspicious files.

  4. File Profiling (Defender XDR only): The query uses the FileProfile function to gather additional information about the files, such as their global prevalence, which helps in assessing their rarity.

  5. Output Information: The query outputs details like the timestamp of file creation, device name, file extension, folder path, global prevalence, signer, publisher, report ID, and device ID for further investigation.

Differences Between Defender XDR and Sentinel:

  • File Profiling: The Defender XDR query uses the FileProfile function to get more detailed information about the files (global prevalence, signer, publisher), which is not supported in Sentinel.
  • Noise: Without the prevalence filter, the Sentinel query returns every executable creation under C:\ProgramData, including those from common installers, so expect more benign results to triage.

Overall, this query is a security measure to detect potentially malicious files that might be used by attackers to remain undetected in a system.
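To make the filtering steps above concrete, the following Python re-implements the query's logic offline over a handful of constructed DeviceFileEvents rows. This is an added example, not the page's KQL and not code from the author; the rows are made up, `GlobalPrevalence` stands in for the column FileProfile would add (`None` marks a row the function did not enrich), and the restriction to `FileCreated`/`FileRenamed` rows is an assumption taken from the description's wording ("created"). It shows what the extension regex does with double extensions, why the folder match is case-insensitive, and how rows without a prevalence value silently fall out of the `<=` filter.

```python
import re

# Mirrors the KQL constants (added example, not the page's own query).
PROGRAM_DATA_FOLDER = r"C:\ProgramData"
EXECUTABLE_FILE_EXTENSIONS = {
    "bat", "cmd", "com", "cpl", "ex", "exe", "jse", "msc", "ps1",
    "reg", "vb", "vbe", "ws", "wsf", "hta", "js",
}
FILE_PREVALENCE_THRESHOLD = 250
# Assumption: only creation-like actions are of interest (see lead-in).
CREATE_ACTIONS = {"FileCreated", "FileRenamed"}
# Same pattern as the KQL extract(): the greedy .* means the group holds
# whatever follows the LAST dot, so "invoice.pdf.exe" yields "exe" while
# "tool.exe.bak" yields "bak".
EXTENSION_RE = re.compile(r".*\.(.*)")


def file_extension(file_name):
    # extract() returns an empty string when the pattern does not match (no dot).
    match = EXTENSION_RE.match(file_name)
    return match.group(1) if match else ""


def is_program_data_path(folder_path):
    # KQL 'contains' is case-insensitive; FolderPath carries the file name too.
    return PROGRAM_DATA_FOLDER.lower() in folder_path.lower()


def passes_static_filters(row):
    # Everything the query checks before the prevalence step.
    return (row["ActionType"] in CREATE_ACTIONS
            and is_program_data_path(row["FolderPath"])
            and file_extension(row["FileName"]).lower() in EXECUTABLE_FILE_EXTENSIONS)  # in~


def detect(events, threshold=FILE_PREVALENCE_THRESHOLD):
    """Return the rows the query would surface, in input order."""
    hits = []
    for row in events:
        if not passes_static_filters(row):
            continue
        prevalence = row.get("GlobalPrevalence")
        # In KQL, null <= 250 is not true, so rows FileProfile did not
        # enrich disappear here without any warning.
        if prevalence is None or prevalence > threshold:
            continue
        hits.append({"FileName": row["FileName"],
                     "FolderPath": row["FolderPath"],
                     "GlobalPrevalence": prevalence})
    return hits


def unenriched(events):
    """Candidate rows lost only because FileProfile left GlobalPrevalence empty."""
    return [row["FileName"] for row in events
            if passes_static_filters(row) and row.get("GlobalPrevalence") is None]


# Constructed sample rows; not real telemetry.
SAMPLE_EVENTS = [
    {"ActionType": "FileCreated", "DeviceName": "WS01", "FileName": "update.exe",
     "FolderPath": r"C:\ProgramData\Contoso\update.exe", "GlobalPrevalence": 1},
    {"ActionType": "FileCreated", "DeviceName": "WS01", "FileName": "MsMpEng.exe",
     "FolderPath": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "GlobalPrevalence": 950000},            # common binary, above threshold
    {"ActionType": "FileCreated", "DeviceName": "WS02", "FileName": "readme.txt",
     "FolderPath": r"C:\ProgramData\Contoso\readme.txt", "GlobalPrevalence": 3},
    {"ActionType": "FileCreated", "DeviceName": "WS02", "FileName": "loader.exe",
     "FolderPath": r"C:\Users\Public\loader.exe", "GlobalPrevalence": 1},   # other folder
    {"ActionType": "FileRenamed", "DeviceName": "WS03", "FileName": "invoice.pdf.EXE",
     "FolderPath": r"c:\programdata\tmp\invoice.pdf.EXE", "GlobalPrevalence": 2},
    {"ActionType": "FileCreated", "DeviceName": "WS03", "FileName": "tool.exe.bak",
     "FolderPath": r"C:\ProgramData\tmp\tool.exe.bak", "GlobalPrevalence": 1},
    {"ActionType": "FileDeleted", "DeviceName": "WS04", "FileName": "old.exe",
     "FolderPath": r"C:\ProgramData\tmp\old.exe", "GlobalPrevalence": 1},
    {"ActionType": "FileCreated", "DeviceName": "WS04", "FileName": "stage.ps1",
     "FolderPath": r"C:\ProgramData\tmp\stage.ps1", "GlobalPrevalence": None},  # not enriched
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("candidates lost to missing prevalence:", unenriched(SAMPLE_EVENTS))
```

Run against the sample rows, only `update.exe` and `invoice.pdf.EXE` survive; `stage.ps1` is a real candidate that the query never shows because its prevalence is empty. When hunting at scale, compare the row count before and after `invoke FileProfile` so you notice when the enrichment cap, rather than the threshold, is doing the filtering.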

Details

Bert-Jan Pals

Released: June 22, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, FolderPath, FileName, FileExtension, GlobalPrevalence, Signer, Publisher, ReportId, DeviceId, Timestamp

Operators

let, dynamic, contains, extend, tostring, extract, in~, invoke, where, project