Adversaries may copy a malicious file to a host over SMB and execute it within seconds to evade detection. SOC teams should proactively hunt for this pattern in Microsoft Sentinel (formerly Azure Sentinel), using the Defender for Endpoint device tables, to identify lateral movement and remote execution. The query below correlates four events on the same device inside a short window: an inbound connection on the local SMB port (TCP 445), a logon from that remote IP, a file written by the System process (which is how writes made by the in-kernel SMB server are attributed), and a process started from the path that was just written.
KQL Query
```kql
// Window, in seconds, after the inbound SMB connection inside which the logon,
// the file write and the process start must all occur.
let ToleranceInSeconds = 5;
// 1. Inbound connections to the local SMB port.
DeviceNetworkEvents
| where LocalPort == 445 and isnotempty(RemoteIP)
// 2. A logon on the same device from the same remote IP, inside the window
//    (right-hand columns are suffixed after the join: Timestamp1, RemoteIP1, ...;
//    endswith rather than == lets a prefixed form of the address still match).
| join kind=inner DeviceLogonEvents on DeviceId
| where Timestamp1 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp)) and RemoteIP endswith RemoteIP1
// 3. A file created or modified by the System process (writes performed by the
//    in-kernel SMB server show up this way), inside the window.
| join kind=inner (
    DeviceFileEvents
    | where ActionType in ('FileModified','FileCreated') and (InitiatingProcessFileName =~ 'System' or InitiatingProcessFolderPath endswith "ntoskrnl.exe")
) on DeviceId
| where Timestamp2 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
// 4. A process started from exactly that path (join on DeviceId and FolderPath),
//    inside the window. A file renamed between copy and execution will not match.
| join kind=inner DeviceProcessEvents on DeviceId, FolderPath
| where Timestamp3 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
| project Timestamp, DeviceName, RemoteIP, RemotePort, AccountDomain, AccountName, AccountSid, Protocol, LogonId, RemoteDeviceName, IsLocalAdmin, FileName, FolderPath, SHA1, SHA256, MD5, ProcessCommandLine
```
```yaml
id: a27d5cb6-c533-4a81-9d11-d5c0ed257bc7
name: File Copy and Execution
description: |
  This query identifies files that are copied to a device over SMB and then executed within a
  specified threshold. The default is 5 seconds; change the value of ToleranceInSeconds to
  widen or narrow the window.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
      - DeviceLogonEvents
      - DeviceFileEvents
      - DeviceProcessEvents
tactics:
  - Execution
  - Persistence
  - LateralMovement
  - Impact
query: |
  let ToleranceInSeconds = 5;
  DeviceNetworkEvents
  | where LocalPort == 445 and isnotempty(RemoteIP)
  | join kind=inner DeviceLogonEvents on DeviceId
  | where Timestamp1 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp)) and RemoteIP endswith RemoteIP1
  | join kind=inner (
      DeviceFileEvents
      | where ActionType in ('FileModified','FileCreated') and (InitiatingProcessFileName =~ 'System' or InitiatingProcessFolderPath endswith "ntoskrnl.exe")
  ) on DeviceId
  | where Timestamp2 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
  | join kind=inner DeviceProcessEvents on DeviceId, FolderPath
  | where Timestamp3 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
  | project Timestamp, DeviceName, RemoteIP, RemotePort, AccountDomain, AccountName, AccountSid, Protocol, LogonId, RemoteDeviceName, IsLocalAdmin, FileName, FolderPath, SHA1, SHA256, MD5, ProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Streamed by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and this table is selected |
| DeviceLogonEvents | Streamed by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and this table is selected |
| DeviceNetworkEvents | Streamed by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and this table is selected |
| DeviceProcessEvents | Streamed by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and this table is selected |
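To make the correlation concrete, here is an added Python re-implementation of the query's three joins run over constructed sample events. It is not part of the original page or of Microsoft's published query. The event dicts, device names, paths and hashes are made up for this example; `allowed_sha256` is a hypothetical exclusion hook that the published query does not have, included to show where a hash allowlist for known-good installers would sit. The sample set exercises the three things the KQL makes easy to miss: the window is measured from the SMB connection for every later event, the executed FolderPath must equal the written FolderPath exactly, and only writes attributed to the System process count.

```python
from datetime import datetime, timedelta

# Mirrors the query's ToleranceInSeconds. KQL `between (a .. b)` is inclusive at
# both ends, so a later event qualifies when anchor <= ts <= anchor + tolerance.
TOLERANCE_SECONDS = 5


def in_window(anchor, ts, tolerance):
    """ts lies inside [anchor, anchor + tolerance]."""
    return anchor <= ts <= anchor + tolerance


def written_by_kernel(f):
    """The DeviceFileEvents filter: writer is the System process (how the in-kernel
    SMB server's writes are attributed) or ntoskrnl.exe. User-mode copy clients fail it."""
    return (f["InitiatingProcessFileName"].lower() == "system"
            or f["InitiatingProcessFolderPath"].lower().endswith("ntoskrnl.exe"))


def correlate(net_events, logon_events, file_events, proc_events,
              tolerance_seconds=TOLERANCE_SECONDS, allowed_sha256=frozenset()):
    """Nested-loop equivalent of the KQL's three inner joins. Every window is
    measured from the DeviceNetworkEvents Timestamp, as Timestamp1/2/3 are in the
    query. allowed_sha256 is a hypothetical hash allowlist (not in the published query)."""
    tolerance = timedelta(seconds=tolerance_seconds)
    hits = []
    for net in net_events:
        if net["LocalPort"] != 445 or not net.get("RemoteIP"):
            continue
        t0 = net["Timestamp"]
        for lg in logon_events:
            if (lg["DeviceId"] != net["DeviceId"]
                    or not in_window(t0, lg["Timestamp"], tolerance)
                    or not net["RemoteIP"].endswith(lg["RemoteIP"])):
                continue
            for f in file_events:
                if (f["DeviceId"] != net["DeviceId"]
                        or f["ActionType"] not in ("FileCreated", "FileModified")
                        or not written_by_kernel(f)
                        or not in_window(t0, f["Timestamp"], tolerance)):
                    continue
                for p in proc_events:
                    # join on DeviceId, FolderPath: the executed image path must be exactly
                    # the path that was written; a rename between copy and run breaks it.
                    if (p["DeviceId"] != net["DeviceId"]
                            or p["FolderPath"] != f["FolderPath"]
                            or not in_window(t0, p["Timestamp"], tolerance)):
                        continue
                    if f["SHA256"] in allowed_sha256:
                        continue
                    hits.append({"DeviceName": net["DeviceName"], "RemoteIP": net["RemoteIP"],
                                 "AccountName": lg["AccountName"], "FileName": f["FileName"],
                                 "FolderPath": f["FolderPath"], "SHA256": f["SHA256"],
                                 "ProcessCommandLine": p["ProcessCommandLine"]})
    return hits


# Constructed sample telemetry (made up; keys follow the advanced hunting columns used above).
T0 = datetime(2024, 5, 1, 12, 0, 0)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


NETWORK_EVENTS = [
    {"Timestamp": at(0), "DeviceId": d, "DeviceName": n, "LocalPort": 445, "RemoteIP": "10.0.0.5"}
    for d, n in (("d1", "ws01"), ("d2", "ws02"), ("d3", "ws03"))
]
LOGON_EVENTS = [
    {"Timestamp": at(1), "DeviceId": d, "RemoteIP": "10.0.0.5", "AccountName": "jdoe"}
    for d in ("d1", "d2", "d3")
]
FILE_EVENTS = [
    # d1: written by System and run from the same path 3 s after the connection -> hit
    {"Timestamp": at(2), "DeviceId": "d1", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "System", "InitiatingProcessFolderPath": "",
     "FileName": "update.exe", "FolderPath": r"C:\Users\Public\update.exe", "SHA256": "a" * 64},
    # d1: staged as stage.tmp but executed as stage.exe -> the FolderPath join misses it
    {"Timestamp": at(2), "DeviceId": "d1", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "System", "InitiatingProcessFolderPath": "",
     "FileName": "stage.tmp", "FolderPath": r"C:\Users\Public\stage.tmp", "SHA256": "b" * 64},
    # d2: same timing and path, but written by a user-mode sync client -> filtered out
    {"Timestamp": at(2), "DeviceId": "d2", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "Dropbox.exe",
     "InitiatingProcessFolderPath": r"c:\program files (x86)\dropbox\client\dropbox.exe",
     "FileName": "run.bat", "FolderPath": r"C:\Users\jdoe\Dropbox\run.bat", "SHA256": "c" * 64},
    # d3: kernel write, but execution 9 s after the connection -> outside the 5 s window
    {"Timestamp": at(2), "DeviceId": "d3", "ActionType": "FileModified",
     "InitiatingProcessFileName": "System", "InitiatingProcessFolderPath": "",
     "FileName": "tool.exe", "FolderPath": r"C:\Temp\tool.exe", "SHA256": "d" * 64},
]
PROCESS_EVENTS = [
    {"Timestamp": at(3), "DeviceId": "d1", "FolderPath": r"C:\Users\Public\update.exe", "ProcessCommandLine": "update.exe /s"},
    {"Timestamp": at(4), "DeviceId": "d1", "FolderPath": r"C:\Users\Public\stage.exe", "ProcessCommandLine": "stage.exe"},
    {"Timestamp": at(3), "DeviceId": "d2", "FolderPath": r"C:\Users\jdoe\Dropbox\run.bat", "ProcessCommandLine": "cmd /c run.bat"},
    {"Timestamp": at(9), "DeviceId": "d3", "FolderPath": r"C:\Temp\tool.exe", "ProcessCommandLine": "tool.exe"},
]

if __name__ == "__main__":
    for h in correlate(NETWORK_EVENTS, LOGON_EVENTS, FILE_EVENTS, PROCESS_EVENTS):
        print(h["DeviceName"], h["AccountName"], h["FolderPath"], "->", h["ProcessCommandLine"])
```

With the default 5 s window only ws01's update.exe surfaces. Raising `tolerance_seconds` to 10 also catches ws03, whose execution came 9 s after the connection, which is the trade-off the ToleranceInSeconds knob controls: a wider window catches slower tooling but multiplies the join fan-out on busy file servers. The stage.tmp case shows why the FolderPath join is both the query's precision and its blind spot.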
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (for example a Task Scheduler job or a PowerShell script) copies an executable such as msiexec.exe from a network share and runs it as part of routine maintenance.
Filter/Exclusion: Exclude known-good binaries by hash rather than by name. The query already projects SHA1, SHA256 and MD5, so an allowlist on those columns holds up against an attacker who simply names a dropper msiexec.exe or schtasks.exe; an exclusion on FileName alone does not.
Scenario: Software Deployment via SCCM/Intune
Description: A software deployment tool (Microsoft SCCM/ConfigMgr, Intune, Ansible and the like) copies an installer (.msi, .exe) from a central repository and executes it on target machines as part of a deployment.
Filter/Exclusion: Exclude results whose copy originates from the deployment infrastructure (RemoteDeviceName or RemoteIP matching the distribution points) and whose executed file hash is in the deployment tool's catalogue. Excluding on extension alone (.msi, .msu) is easy for an attacker to satisfy, so treat it as a last resort.
Scenario: Admin Copying Executable for Debugging
Description: An administrator copies a debug or test executable from a shared drive to a local machine and runs it to troubleshoot an application issue.
Filter/Exclusion: Exclude known administrator accounts (AccountDomain and AccountName, or AccountSid) copying from known source hosts (RemoteDeviceName or RemoteIP). The query exposes no separate source-path column; the remote host and the account are what it gives you. Keep this exclusion narrow, since administrator accounts are exactly what an attacker with stolen credentials uses.
Scenario: File Sync Tool Copying and Executing a Script
Description: A file sync tool (rsync, Syncthing, Dropbox and similar) copies a script (.ps1, .bat) from a remote server and executes it because of a misconfigured automation rule. Note that the query only matches writes attributed to the System process (the SMB server), so a user-mode sync client that writes the file itself will not produce a hit unless the transfer actually arrives over SMB.
Filter/Exclusion: Exclude files that