Once an adversary's tooling is on an endpoint it usually has to talk to something: a command-and-control server, a staging host, or another machine during lateral movement. This hunt pivots from a file name to the distinct remote IP addresses and DNS names that processes running under that name contacted, so the SOC can spot destinations it does not recognise early and investigate before the intrusion spreads. Note that the query matches on the process image name only, a value the adversary controls, so confirm any finding against the process hash and folder path before acting on it.
KQL Query
```kusto
// Query # 2 - Shows you a list of distinct IP addresses and DNS names the endpoint had network communication with through a specific file.
// Use this list to allowlist/blocklist IP addresses, or to find communication with IPs you are not aware of.
// Update the filename to the name of the file whose network communication you wish to investigate.
let filename = "FILENAME GOES HERE";
// Builds a table of distinct destinations (RemoteUrl / RemoteIP) for processes running under that file name.
// =~ is a case-insensitive comparison; the isnotempty() check drops events that carry neither a URL nor an IP.
DeviceNetworkEvents
| where InitiatingProcessFileName =~ filename and ( isnotempty(RemoteIP) or isnotempty(RemoteUrl) )
| project DNS=RemoteUrl, IP=RemoteIP
| distinct IP, DNS
```
```yaml
id: 1f80f1cf-97e1-4fb8-ad5a-e573fac7b9e3
name: File footprint (1)
description: |
  Query #2 - Lists the distinct remote IP addresses and DNS names that processes running
  under a given file name communicated with.
  Set filename to the name of the file whose network communication you want to investigate.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  // Query # 2 - Shows you a list of distinct IP addresses and DNS names the endpoint had network communication with through a specific file.
  // Use this list to allowlist/blocklist IP addresses, or to find communication with IPs you are not aware of.
  // Update the filename to the name of the file whose network communication you wish to investigate.
  let filename = "FILENAME GOES HERE";
  // Builds a table of distinct destinations (RemoteUrl / RemoteIP) for processes running under that file name.
  DeviceNetworkEvents
  | where InitiatingProcessFileName =~ filename and ( isnotempty(RemoteIP) or isnotempty(RemoteUrl) )
  | project DNS=RemoteUrl, IP=RemoteIP
  | distinct IP, DNS
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and this table is being ingested |
The exclusions below are written against the columns DeviceNetworkEvents actually carries: there is no file_hash, process_name or file_path column on this table. The process hash is in InitiatingProcessSHA1 / InitiatingProcessSHA256 / InitiatingProcessMD5, the image name in InitiatingProcessFileName, the install folder in InitiatingProcessFolderPath and the account in InitiatingProcessAccountName. Signer information is not on this table; join DeviceFileCertificateInfo on SHA1 if you need it. In every case, exclude on hash and folder rather than on the file name, because the file name is the one attribute the adversary chooses.

Scenario: A legitimate system update or patch deployment using Windows Update or Group Policy
Filter/Exclusion: Exclude events whose InitiatingProcessSHA1 (or SHA256) matches a known Windows system binary or a file delivered by Microsoft Update, and whose InitiatingProcessFolderPath is under the Windows directory. Keep the hash list explicit; do not exclude on the file name alone.

Scenario: A scheduled backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Exclude events where InitiatingProcessFolderPath is the backup agent's install directory and InitiatingProcessFileName is the agent binary, and confirm the RemoteIP or RemoteUrl is the backup server. A backup agent reaching any other destination should stay in the results.

Scenario: A system administrator manually copying a file for troubleshooting or configuration using PowerShell or Command Prompt
Filter/Exclusion: Do not blanket-exclude powershell.exe, cmd.exe or administrative accounts; interactive shells under admin credentials are exactly what an intruder uses during lateral movement, and such an exclusion would hide it. Instead, scope the review by InitiatingProcessAccountName, DeviceName and the time window of the change ticket, and treat the destinations as expected only if they match the hosts the administrator was working on.

Scenario: A legitimate software installation or update using Chocolatey or WSUS (Windows Server Update Services)
Filter/Exclusion: Exclude events where InitiatingProcessFileName and InitiatingProcessFolderPath identify the package manager or the Windows Update client, and the RemoteIP or RemoteUrl is your WSUS server or the package repository you actually use. Downloads from any other destination remain of interest.

Scenario: A file used by a legitimate monitoring or logging tool like Splunk, ELK Stack, or Graylog
Filter/Exclusion: Exclude events where InitiatingProcessFolderPath is the agent's install directory and the destination is the known collector or indexer (RemoteIP / RemoteUrl plus the expected RemotePort). Log shippers contacting unexpected hosts are worth a look, since they run with broad read access to the endpoint.
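The query below is an added example, not the page's own hunting query. It keeps the file-name pivot from the KQL above but expresses the exclusions from the scenarios as KQL against the real DeviceNetworkEvents columns, drops loopback and private destinations, and summarises per destination instead of listing distinct rows. The 7-day lookback, the folder terms and the empty known-good hash list are assumptions to replace with values from your environment.

```kusto
// Added example, not the page's query: hash- and folder-aware version of the file-name pivot.
// Assumed: a 7-day window; trusted_folder_terms and known_good_sha1 are placeholders.
let filename = "FILENAME GOES HERE";
let lookback = 7d;
// Folder terms for agents the scenarios name (backup, package manager, log shipper).
// Matched as terms against InitiatingProcessFolderPath; illustrative, not a vetted list.
let trusted_folder_terms = dynamic(["Veeam", "Commvault", "chocolatey", "SplunkUniversalForwarder"]);
// SHA1 hashes of builds already vetted. Left empty so nothing is hidden by default.
let known_good_sha1 = dynamic([]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ filename
| where isnotempty(RemoteIP) or isnotempty(RemoteUrl)
// Keep the list to external talk-back: drop loopback and RFC 1918 destinations.
| where RemoteIPType !in ("Loopback", "Private")
// Exclude on hash and install folder, never on the file name alone.
| where InitiatingProcessSHA1 !in (known_good_sha1)
| where not(InitiatingProcessFolderPath has_any (trusted_folder_terms))
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            Devices = dcount(DeviceId),
            DeviceNames = make_set(DeviceName, 10),
            Accounts = make_set(InitiatingProcessAccountName, 10),
            Folders = make_set(InitiatingProcessFolderPath, 5),
            Hashes = make_set(InitiatingProcessSHA1, 5),
            Ports = make_set(RemotePort, 10)
    by RemoteIP, RemoteUrl
| order by Devices desc, Connections desc
```

Read the Hashes and Folders columns before the destination columns: one file name resolving to several SHA1 values, or one hash running from several folders, is a finding on its own (masquerading or a dropped copy), regardless of where it connected. To add signer information, join DeviceFileCertificateInfo on `$left.InitiatingProcessSHA1 == $right.SHA1` before the summarize and include Signer and IsTrusted in the grouping.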