Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ASR Bypassing Writing Executable Content

ASR Bypassing Writing Executable Content

Back
Idefe4efef-5ca7-4b51-a53e-0e96492ce97a
RulenameASR Bypassing Writing Executable Content
DescriptionThe query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed “executable extensions” which are text files. (e.g. ps1, .js, .vbs).
SeverityMedium
TacticsDefenseEvasion
TechniquesT1211
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/ASRBypassingWritingExecutableContent.yaml
Version1.0.0
Arm templateefe4efef-5ca7-4b51-a53e-0e96492ce97a.json
Deploy To Azure
let timeframe = 1d;
let executableExtensions = dynamic([".js", ".hta", ".lnk", ".application", ".vb", ".vba", ".vbs", ".ps", ".ps1", ".bat", ".cmd"]);
DeviceFileEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
| where ActionType == "FileRenamed"
// The mv-apply is less performance compared to doing a full written out !endswith. We kept the mv-apply since We don't hit any limits and get more readable/maintainable code.
| mv-apply ext=executableExtensions to typeof(string) on
(
    where PreviousFileName !endswith ext and FileName endswith ext
)
| project-reorder PreviousFileName, FileName
// Begin allow-list.
// End allow-list.

version: 1.0.0
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
status: Available
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: InitiatingProcessAccountSid
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: NTDomain
    columnName: InitiatingProcessAccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: InitiatingProcessCommandLine
  entityType: Process
tactics:
- DefenseEvasion
relevantTechniques:
- T1211
queryFrequency: 1h
severity: Medium
name: ASR Bypassing Writing Executable Content
description: |
    The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files. (e.g. ps1, .js, .vbs).
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/ASRBypassingWritingExecutableContent.yaml
query: |
  let timeframe = 1d;
  let executableExtensions = dynamic([".js", ".hta", ".lnk", ".application", ".vb", ".vba", ".vbs", ".ps", ".ps1", ".bat", ".cmd"]);
  DeviceFileEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
  | where ActionType == "FileRenamed"
  // The mv-apply is less performance compared to doing a full written out !endswith. We kept the mv-apply since We don't hit any limits and get more readable/maintainable code.
  | mv-apply ext=executableExtensions to typeof(string) on
  (
      where PreviousFileName !endswith ext and FileName endswith ext
  )
  | project-reorder PreviousFileName, FileName
  // Begin allow-list.
  // End allow-list.  
kind: Scheduled
queryPeriod: 1h
triggerOperator: gt
id: efe4efef-5ca7-4b51-a53e-0e96492ce97a