Microsoft Sentinel Analytic Rules

Execution of File with One Character in the Name

Id299472c4-8382-4c5b-82d9-718cda193393
RulenameExecution of File with One Character in the Name
DescriptionThis query detects the execution of files whose name is a single character (e.g., a.exe, 7.ps1, g.vbs).

Executables and scripts normally have longer names, so a one-character name can indicate a malicious file. Note that the query matches the pattern anywhere in the process command line (not only the executed image) and only where the path is enclosed in double quotes.

Ref: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
TacticsExecution
TechniquesT1059
Required data connectorsSecurityEvents
KindScheduled
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml
Version1.0.0
Arm template299472c4-8382-4c5b-82d9-718cda193393.json
// Sysmon process-creation events (Event ID 1) read from the legacy Event table,
// channel Microsoft-Windows-Sysmon/Operational. The SecurityEvent table is not used.
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
// Cheap first pass: extract only CommandLine from the EventData XML so the regex
// filter below runs before the wide positional parse.
| parse EventData with * 'CommandLine">' CommandLine "<" *
// Pattern: a path separator, one alphanumeric character, a dot, a 2-5 character
// extension, then a literal double quote.
// NOTE(review): the trailing ["]{1} means only quoted paths such as "C:\tmp\a.exe"
// match; an unquoted C:\tmp\a.exe followed by a space or end of line does not. The
// leading \\ also requires a path separator, so a bare `a.exe` never matches, and
// names made of a non-alphanumeric character (e.g. _.exe) are outside the class.
// The match may land anywhere in the command line, not only on the Image.
| where CommandLine matches regex @'\\[a-zA-Z0-9]\.[a-zA-Z0-9]{2,5}["]{1}'
// Full positional parse of the fields surfaced in the alert. This depends on the
// field order in the Sysmon event XML; if a Sysmon configuration omits or reorders
// one of these fields the remaining columns presumably come back empty -- confirm
// against the deployed Sysmon schema.
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'Description">' Description "<" * 'OriginalFileName">' OriginalFileName "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'IntegrityLevel">' IntegrityLevel "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
// Collapse repeated identical executions into one row with first/last seen times;
// every surfaced field is part of the grouping key.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
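# Microsoft Sentinel scheduled analytic rule (Endpoint Threat Protection Essentials
# solution, Azure-Sentinel repository).
name: Execution of File with One Character in the Name
# NOTE(review): the connector declared here is SecurityEvents/SecurityEvent, but the
# query below reads the legacy `Event` table (Sysmon operational channel). The rule
# returns nothing unless Sysmon events are collected into Event; confirm the intended
# connector before relying on this metadata for deployment checks.
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
kind: Scheduled
# Entities attached to the incident: the account from the Sysmon User field, the host,
# and the executed image path.
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: User
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: Image
  entityType: File
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml
# Block scalar: no surrounding quotes, otherwise they become literal characters in the
# rendered description.
description: |
  This query detects the execution of files whose name is a single character (e.g., a.exe, 7.ps1, g.vbs).
  Executables and scripts normally have longer names, so a one-character name can indicate a malicious file.
  Ref: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
tactics:
- Execution
id: 299472c4-8382-4c5b-82d9-718cda193393
version: 1.0.0
relevantTechniques:
- T1059
# Detection logic. The regex requires a path separator before the single character and
# a literal double quote immediately after the extension, so only quoted paths such as
# "C:\tmp\a.exe" match; unquoted invocations are not caught. The match may occur
# anywhere in the command line, not only on the executed Image.
query: |
  Event
  | where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
  | parse EventData with * 'CommandLine">' CommandLine "<" *
  | where CommandLine matches regex @'\\[a-zA-Z0-9]\.[a-zA-Z0-9]{2,5}["]{1}'
  | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'Description">' Description "<" * 'OriginalFileName">' OriginalFileName "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'IntegrityLevel">' IntegrityLevel "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes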
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/299472c4-8382-4c5b-82d9-718cda193393')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/299472c4-8382-4c5b-82d9-718cda193393')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Execution of File with One Character in the Name",
        "description": "This query detects the execution of files whose name is a single character (e.g., a.exe, 7.ps1, g.vbs).\nExecutables and scripts normally have longer names, so a one-character name can indicate a malicious file.\nRef: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n",
        "enabled": true,
        "query": "Event\n| where EventLog == \"Microsoft-Windows-Sysmon/Operational\" and EventID==1\n| parse EventData with * 'CommandLine\">' CommandLine \"<\" *\n| where CommandLine matches regex @'\\\\[a-zA-Z0-9]\\.[a-zA-Z0-9]{2,5}[\"]{1}'\n| parse EventData with * 'ProcessGuid\">' ProcessGuid \"<\" * 'Image\">' Image \"<\" * 'Description\">' Description \"<\" * 'OriginalFileName\">' OriginalFileName \"<\" * 'CommandLine\">' CommandLine \"<\" * 'CurrentDirectory\">' CurrentDirectory \"<\" * 'User\">' User \"<\" * 'LogonGuid\">' LogonGuid \"<\" * 'IntegrityLevel\">' IntegrityLevel \"<\" * 'Hashes\">' Hashes \"<\" * 'ParentProcessGuid\">' ParentProcessGuid \"<\" * 'ParentImage\">' ParentImage \"<\" * 'ParentCommandLine\">' ParentCommandLine \"<\" * 'ParentUser\">' ParentUser \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\n",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "alertRuleTemplateName": "299472c4-8382-4c5b-82d9-718cda193393",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "User"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Computer"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Image"
              }
            ],
            "entityType": "File"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}