Executable Files Public Folder

# Detect Executable Files in C:\Users\Public* ## Query Information #### Description This query detects rare Executable files that are created in the folder C:\Users\Public and all the subfolders. It is not common that executable files are created in this folder and therefore the file creations should be investigated. An attacker can use those folders to Note: The query for Sentinel is different then the one for MDE, this is because the FileProfile function is used, which is currently not supported by Sentinel. Therefore I suggest running this query in MDE for the best results. #### Risk An adversary creates payloads in the C:\Users\Public to stay undetected. #### References - https://twitter.com/malmoeb/status/1617052464288763910?s=46&t=5G3qrkaBu_D5VVZcFEwgdg - https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia - https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-203a - https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/107826/ ## Defender XDR ```KQL // The start of the folderpath in the Public directory. let PublicFolder = @'C:\Users\Public'; // List with Executable File Extensions, can be adjusted or changed. let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc','ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta', 'js']); // Prevalence Threshold, if the file exceeds this threshold it is likely to be benign. let FilePrevalenceThreshold = 250; DeviceFileEvents | where FolderPath contains PublicFolder // Extract File Extension from the filename. | extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName)) // Only list Files that are executable | where FileExtension in~ (ExecutableFileExtensions) | invoke FileProfile('SHA256', 10000) // Filter based on FilePrevalenceThreshold | where GlobalPrevalence <= FilePrevalenceThreshold | project Timestamp, DeviceName, FileExtension, FolderPath, GlobalPrevalence, Signer, Publisher, ReportId, DeviceId ``` ## Sentinel ```KQL // The start of the folderpath in the Public directory. let PublicFolder = @'C:\Users\Public'; // List with Executable File Extensions, can be adjusted or changed. let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta']); DeviceFileEvents | where FolderPath contains PublicFolder // Extract File Extension from the filename. | extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName)) // Only list Files that are executable | where FileExtension in~ (ExecutableFileExtensions) ```

Explanation

This query is designed to identify unusual executable files that are created in the C:\Users\Public directory and its subdirectories. This location is not typically used for storing executable files, so any files found here should be investigated as they might indicate malicious activity.

Key Points:

Purpose: To detect potentially malicious executable files in a common public directory on Windows systems.
Risk: Attackers might use this directory to hide their payloads and avoid detection.
Approach:
- The query checks for files with specific executable extensions (like .exe, .bat, .cmd, etc.).
- It filters out files that are commonly found (based on a prevalence threshold) to focus on rare and potentially suspicious files.
- The query is tailored for use with Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel, with slight differences due to feature support.

Differences in Queries:

Defender XDR: Uses the FileProfile function to assess the global prevalence of files, filtering out those that are common (prevalence above 250).
Sentinel: Does not use the FileProfile function, so it lists all executable files found in the directory without filtering by prevalence.

Actionable Steps:

Investigate any rare executable files found in C:\Users\Public to determine if they are legitimate or part of a malicious activity.
Adjust the list of executable file extensions if needed to include other potentially suspicious file types.
Use the Defender XDR query for more comprehensive results due to its ability to filter based on file prevalence.

KQL Search