Exes with double file extension and access summary
| Id | d12580c2-1474-4125-a8a3-553f50d91215 |
| Rulename | Exes with double file extension and access summary |
| Description | Provides a summary of executable files with double file extensions in SharePoint and the users and IP addresses that have accessed them. |
| Tactics | DefenseEvasion |
| Techniques | T1036 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/double_file_ext_exes.yaml |
| Version | 2.0.1 |
| Arm template | d12580c2-1474-4125-a8a3-553f50d91215.json |
let known_ext = dynamic(["lnk", "log", "option", "config", "manifest", "partial"]);
let excluded_users = dynamic(["app@sharepoint"]);
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation" and isnotempty(ObjectId)
| where ObjectId has ".exe."
and not(ObjectId endswith ".lnk")
and not(ObjectId endswith ".log")
and not(ObjectId endswith ".option")
and not(ObjectId endswith ".config")
and not(ObjectId endswith ".manifest")
and not(ObjectId endswith ".partial")
| extend Extension = extract("[^.]*\\.[^.]*$", 0, ObjectId)
| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| join kind=leftouter (
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation" and (Operation == "FileDownloaded" or Operation == "FileAccessed")
| where not(ObjectId endswith ".lnk")
and not(ObjectId endswith ".log")
and not(ObjectId endswith ".option")
and not(ObjectId endswith ".config")
and not(ObjectId endswith ".manifest")
and not(ObjectId endswith ".partial")
) on ObjectId
| where UserId1 !in (excluded_users)
| extend userBag = bag_pack("UserId", UserId1, "ClientIp", ClientIp1)
| summarize make_set(UserId1, 10000), userBag = make_bag(userBag), UploadTime = max(TimeGenerated) by UserId, ObjectId, SourceFileName, Extension
| extend NumberOfUsers = array_length(bag_keys(userBag))
| project UploadTime, Uploader = UserId, FileLocation = ObjectId, FileName = SourceFileName, AccessedBy = userBag, Extension, NumberOfUsers
| extend UploaderName = tostring(split(Uploader, "@")[0]), UploaderUPNSuffix = tostring(split(Uploader, "@")[1])
version: 2.0.1
entityMappings:
- fieldMappings:
- identifier: Name
columnName: UploaderName
- identifier: UPNSuffix
columnName: UploaderUPNSuffix
entityType: Account
kind: Scheduled
relevantTechniques:
- T1036
tactics:
- DefenseEvasion
query: |
let known_ext = dynamic(["lnk", "log", "option", "config", "manifest", "partial"]);
let excluded_users = dynamic(["app@sharepoint"]);
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation" and isnotempty(ObjectId)
| where ObjectId has ".exe."
and not(ObjectId endswith ".lnk")
and not(ObjectId endswith ".log")
and not(ObjectId endswith ".option")
and not(ObjectId endswith ".config")
and not(ObjectId endswith ".manifest")
and not(ObjectId endswith ".partial")
| extend Extension = extract("[^.]*\\.[^.]*$", 0, ObjectId)
| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| join kind=leftouter (
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation" and (Operation == "FileDownloaded" or Operation == "FileAccessed")
| where not(ObjectId endswith ".lnk")
and not(ObjectId endswith ".log")
and not(ObjectId endswith ".option")
and not(ObjectId endswith ".config")
and not(ObjectId endswith ".manifest")
and not(ObjectId endswith ".partial")
) on ObjectId
| where UserId1 !in (excluded_users)
| extend userBag = bag_pack("UserId", UserId1, "ClientIp", ClientIp1)
| summarize make_set(UserId1, 10000), userBag = make_bag(userBag), UploadTime = max(TimeGenerated) by UserId, ObjectId, SourceFileName, Extension
| extend NumberOfUsers = array_length(bag_keys(userBag))
| project UploadTime, Uploader = UserId, FileLocation = ObjectId, FileName = SourceFileName, AccessedBy = userBag, Extension, NumberOfUsers
| extend UploaderName = tostring(split(Uploader, "@")[0]), UploaderUPNSuffix = tostring(split(Uploader, "@")[1])
id: d12580c2-1474-4125-a8a3-553f50d91215
requiredDataConnectors:
- dataTypes:
- EnrichedMicrosoft365AuditLogs
connectorId: AzureActiveDirectory
name: Exes with double file extension and access summary
description: |
'Provides a summary of executable files with double file extensions in SharePoint
and the users and IP addresses that have accessed them.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/double_file_ext_exes.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d12580c2-1474-4125-a8a3-553f50d91215')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d12580c2-1474-4125-a8a3-553f50d91215')]",
"properties": {
"alertRuleTemplateName": "d12580c2-1474-4125-a8a3-553f50d91215",
"customDetails": null,
"description": "'Provides a summary of executable files with double file extensions in SharePoint \n and the users and IP addresses that have accessed them.'\n",
"displayName": "Exes with double file extension and access summary",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UploaderName",
"identifier": "Name"
},
{
"columnName": "UploaderUPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/double_file_ext_exes.yaml",
"query": "let known_ext = dynamic([\"lnk\", \"log\", \"option\", \"config\", \"manifest\", \"partial\"]);\nlet excluded_users = dynamic([\"app@sharepoint\"]);\nEnrichedMicrosoft365AuditLogs\n| where RecordType == \"SharePointFileOperation\" and isnotempty(ObjectId)\n| where ObjectId has \".exe.\" \n and not(ObjectId endswith \".lnk\") \n and not(ObjectId endswith \".log\") \n and not(ObjectId endswith \".option\") \n and not(ObjectId endswith \".config\") \n and not(ObjectId endswith \".manifest\") \n and not(ObjectId endswith \".partial\")\n| extend Extension = extract(\"[^.]*\\\\.[^.]*$\", 0, ObjectId)\n| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)\n| join kind=leftouter (\n EnrichedMicrosoft365AuditLogs\n | where RecordType == \"SharePointFileOperation\" and (Operation == \"FileDownloaded\" or Operation == \"FileAccessed\")\n | where not(ObjectId endswith \".lnk\") \n and not(ObjectId endswith \".log\") \n and not(ObjectId endswith \".option\") \n and not(ObjectId endswith \".config\") \n and not(ObjectId endswith \".manifest\") \n and not(ObjectId endswith \".partial\")\n) on ObjectId\n| where UserId1 !in (excluded_users)\n| extend userBag = bag_pack(\"UserId\", UserId1, \"ClientIp\", ClientIp1)\n| summarize make_set(UserId1, 10000), userBag = make_bag(userBag), UploadTime = max(TimeGenerated) by UserId, ObjectId, SourceFileName, Extension\n| extend NumberOfUsers = array_length(bag_keys(userBag))\n| project UploadTime, Uploader = UserId, FileLocation = ObjectId, FileName = SourceFileName, AccessedBy = userBag, Extension, NumberOfUsers\n| extend UploaderName = tostring(split(Uploader, \"@\")[0]), UploaderUPNSuffix = tostring(split(Uploader, \"@\")[1])\n",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1036"
],
"templateVersion": "2.0.1"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}