Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ASR Bypassing Writing Executable Content

ASR Bypassing Writing Executable Content

Back
Idefe4efef-5ca7-4b51-a53e-0e96492ce97a
RulenameASR Bypassing Writing Executable Content
DescriptionThe query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed “executable extensions” which are text files. (e.g. ps1, .js, .vbs).
SeverityMedium
TacticsDefenseEvasion
TechniquesT1211
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/ASRBypassingWritingExecutableContent.yaml
Version1.0.0
Arm templateefe4efef-5ca7-4b51-a53e-0e96492ce97a.json
Deploy To Azure
let timeframe = 1d;
let executableExtensions = dynamic([".js", ".hta", ".lnk", ".application", ".vb", ".vba", ".vbs", ".ps", ".ps1", ".bat", ".cmd"]);
DeviceFileEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
| where ActionType == "FileRenamed"
// The mv-apply is less performance compared to doing a full written out !endswith. We kept the mv-apply since We don't hit any limits and get more readable/maintainable code.
| mv-apply ext=executableExtensions to typeof(string) on
(
    where PreviousFileName !endswith ext and FileName endswith ext
)
| project-reorder PreviousFileName, FileName
// Begin allow-list.
// End allow-list.

requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
triggerOperator: gt
queryFrequency: 1h
name: ASR Bypassing Writing Executable Content
status: Available
queryPeriod: 1h
id: efe4efef-5ca7-4b51-a53e-0e96492ce97a
description: |
    The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files. (e.g. ps1, .js, .vbs).
severity: Medium
query: |
  let timeframe = 1d;
  let executableExtensions = dynamic([".js", ".hta", ".lnk", ".application", ".vb", ".vba", ".vbs", ".ps", ".ps1", ".bat", ".cmd"]);
  DeviceFileEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
  | where ActionType == "FileRenamed"
  // The mv-apply is less performance compared to doing a full written out !endswith. We kept the mv-apply since We don't hit any limits and get more readable/maintainable code.
  | mv-apply ext=executableExtensions to typeof(string) on
  (
      where PreviousFileName !endswith ext and FileName endswith ext
  )
  | project-reorder PreviousFileName, FileName
  // Begin allow-list.
  // End allow-list.  
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/ASRBypassingWritingExecutableContent.yaml
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: InitiatingProcessAccountSid
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: NTDomain
    columnName: InitiatingProcessAccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: InitiatingProcessCommandLine
relevantTechniques:
- T1211
tactics:
- DefenseEvasion
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efe4efef-5ca7-4b51-a53e-0e96492ce97a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efe4efef-5ca7-4b51-a53e-0e96492ce97a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "ASR Bypassing Writing Executable Content",
        "description": "The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed \"executable extensions\" which are text files. (e.g. ps1, .js, .vbs).\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let timeframe = 1d;\nlet executableExtensions = dynamic([\".js\", \".hta\", \".lnk\", \".application\", \".vb\", \".vba\", \".vbs\", \".ps\", \".ps1\", \".bat\", \".cmd\"]);\nDeviceFileEvents\n| where Timestamp >= ago(timeframe)\n| where InitiatingProcessFileName in~ (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")\n| where ActionType == \"FileRenamed\"\n// The mv-apply is less performance compared to doing a full written out !endswith. We kept the mv-apply since We don't hit any limits and get more readable/maintainable code.\n| mv-apply ext=executableExtensions to typeof(string) on\n(\n    where PreviousFileName !endswith ext and FileName endswith ext\n)\n| project-reorder PreviousFileName, FileName\n// Begin allow-list.\n// End allow-list.\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1211"
        ],
        "alertRuleTemplateName": "efe4efef-5ca7-4b51-a53e-0e96492ce97a",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "DeviceName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Sid",
                "columnName": "InitiatingProcessAccountSid"
              },
              {
                "identifier": "Name",
                "columnName": "InitiatingProcessAccountName"
              },
              {
                "identifier": "NTDomain",
                "columnName": "InitiatingProcessAccountDomain"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "CommandLine",
                "columnName": "InitiatingProcessCommandLine"
              }
            ],
            "entityType": "Process"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/ASRBypassingWritingExecutableContent.yaml",
        "status": "Available"
      }
    }
  ]
}