Adversaries may use a specific file to establish persistence or execute malicious payloads, and the presence of that file on an endpoint can indicate initial compromise or command-and-control activity. Proactively hunting for it in Azure Sentinel, here by its SHA1 hash across the Microsoft 365 Defender device tables, helps identify potential threats early, so the SOC team can investigate and mitigate before significant damage occurs.
KQL Query

```kusto
// SHA1 of the file to hunt for; replace with the hash of your choice
let fileHash = "e152f7ce2d3a4349ac583580c2caf8f72fac16ba";
// Search every device table for the hash, either as the file the event is about (SHA1)
// or as the process that initiated the event (InitiatingProcessSHA1)
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
project DeviceName, ActionType, FileName, InitiatingProcessFileName, Timestamp, SHA1, InitiatingProcessSHA1
// Report the name from whichever side matched, and record which side it was
| project DeviceName, ActionType, Timestamp,
    FileName = iff(SHA1 == fileHash, FileName, InitiatingProcessFileName),
    MatchedSide = iff(SHA1 == fileHash, iff(InitiatingProcessSHA1 == fileHash, "Both", "Child"), "Parent")
// One row per file, side and device, with first/last sighting and the set of action types seen
| summarize make_set(ActionType), FirstTimestamp = min(Timestamp), (LastTimestamp, LastActionType) = arg_max(Timestamp, ActionType) by FileName, MatchedSide, DeviceName
| top 1000 by LastTimestamp desc
| sort by DeviceName, LastTimestamp desc
```
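As an added example (not the hunting query from the page or from the Azure-Sentinel repository), the same footprint hunt generalised to a list of indicators of mixed hash types: each indicator is classified by its hex length, compared against the matching SHA1, SHA256 or MD5 column on both the child and the initiating-process side, and the summary reports which indicator fired and in which tables. The `iocHashes` table, its `Source` labels and every hash other than the page's SHA1 are constructed placeholders.

```kusto
// Added example, not the Sentinel hunting query: the file-footprint hunt generalised to a
// list of indicators of mixed hash types. All hashes except the page's SHA1 are constructed
// placeholders, and the Source labels are invented for illustration.
let iocHashes = datatable(Hash:string, Source:string) [
    "e152f7ce2d3a4349ac583580c2caf8f72fac16ba", "hash from the page",
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "placeholder SHA256",
    "0123456789abcdef0123456789abcdef", "placeholder MD5"
];
// Classify every indicator by hex length so it is compared against the right column.
// Malformed indicators are dropped rather than silently never matching.
let iocTyped = iocHashes
    | extend Hash = tolower(Hash)
    | extend HashType = case(strlen(Hash) == 40, "SHA1",
                             strlen(Hash) == 64, "SHA256",
                             strlen(Hash) == 32, "MD5",
                             "unknown")
    | where HashType != "unknown";
let sha1List   = toscalar(iocTyped | where HashType == "SHA1"   | summarize make_list(Hash));
let sha256List = toscalar(iocTyped | where HashType == "SHA256" | summarize make_list(Hash));
let md5List    = toscalar(iocTyped | where HashType == "MD5"    | summarize make_list(Hash));
// Same table set as the page's query; columns a table lacks come back empty, so a table
// without SHA1/SHA256/MD5 (e.g. DeviceNetworkEvents) can only match on the parent side.
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 in~ (sha1List) or SHA256 in~ (sha256List) or MD5 in~ (md5List)
   or InitiatingProcessSHA1 in~ (sha1List) or InitiatingProcessSHA256 in~ (sha256List) or InitiatingProcessMD5 in~ (md5List)
project DeviceName, ActionType, Timestamp, FileName, SHA1, SHA256, MD5,
        InitiatingProcessFileName, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessMD5
// Work out which side matched and on which hash, mirroring the page's MatchedSide logic
| extend ChildHash  = case(SHA1 in~ (sha1List), SHA1, SHA256 in~ (sha256List), SHA256, MD5 in~ (md5List), MD5, ""),
         ParentHash = case(InitiatingProcessSHA1 in~ (sha1List), InitiatingProcessSHA1,
                           InitiatingProcessSHA256 in~ (sha256List), InitiatingProcessSHA256,
                           InitiatingProcessMD5 in~ (md5List), InitiatingProcessMD5, "")
| extend MatchedSide = case(isnotempty(ChildHash) and isnotempty(ParentHash), "Both",
                            isnotempty(ChildHash), "Child", "Parent"),
         MatchedHash = tolower(iff(isnotempty(ChildHash), ChildHash, ParentHash)),
         MatchedFile = iff(isnotempty(ChildHash), FileName, InitiatingProcessFileName)
// Bring back the indicator's type and source so the summary says which IoC fired
| join kind=inner (iocTyped | project MatchedHash = Hash, HashType, Source) on MatchedHash
// find emits source_ with the originating table name; keep it to show where the file was seen
| summarize Actions = make_set(ActionType), Tables = make_set(source_),
            FirstTimestamp = min(Timestamp),
            (LastTimestamp, LastActionType) = arg_max(Timestamp, ActionType)
            by MatchedHash, HashType, Source, MatchedFile, MatchedSide, DeviceName
| sort by MatchedHash asc, DeviceName asc, LastTimestamp desc
```

Because `find` fills columns a source table lacks with empty values, `DeviceNetworkEvents` and `DeviceRegistryEvents` can only ever match on the initiating-process side, which is why hits from those tables always surface as `Parent`; that is expected, not a gap in coverage.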
Query definition (YAML)

```yaml
id: 20f3eec2-63e5-459c-aa61-64996ee2971d
name: File footprint
description: |
  Query #1 - Find the machines on which this file was seen.
  TODO - set file hash to be a SHA1 hash of your choice...
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
      - DeviceEvents
      - DeviceRegistryEvents
      - DeviceNetworkEvents
      - DeviceImageLoadEvents
query: |
  let fileHash = "e152f7ce2d3a4349ac583580c2caf8f72fac16ba";
  find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
  where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
  project DeviceName, ActionType, FileName, InitiatingProcessFileName, Timestamp, SHA1, InitiatingProcessSHA1
  | project DeviceName, ActionType, Timestamp,
      FileName = iff(SHA1 == fileHash, FileName, InitiatingProcessFileName),
      MatchedSide = iff(SHA1 == fileHash, iff(InitiatingProcessSHA1 == fileHash, "Both", "Child"), "Parent")
  | summarize make_set(ActionType), FirstTimestamp = min(Timestamp), (LastTimestamp, LastActionType) = arg_max(Timestamp, ActionType) by FileName, MatchedSide, DeviceName
  | top 1000 by LastTimestamp desc
  | sort by DeviceName, LastTimestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
| DeviceRegistryEvents | Ensure this data connector is enabled |
Known false-positive scenarios for this hunt, with suggested exclusions:

- Scenario: A legitimate system update or patching process installs a known file (e.g., `C:\Windows\System32\wbem\wmiprvse.exe`) that matches the file hash in the rule.
  Filter/Exclusion: Exclude files associated with Windows Update or Microsoft System Center components using the file path or file name.
- Scenario: A scheduled backup job (e.g., Veeam, Acronis, or Windows Backup) temporarily places a file on the system that matches the file hash.
  Filter/Exclusion: Exclude files found in backup directories or those with timestamps matching known backup windows.
- Scenario: An administrator uses a legitimate tool (e.g., PowerShell, Task Scheduler, or PsExec) to run a script that creates a temporary file with the same hash.
  Filter/Exclusion: Exclude files created by known administrative tools or scripts with known execution contexts (e.g., `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`).
- Scenario: A legitimate software installation (e.g., Microsoft Office, Adobe Reader, or Java Runtime Environment) includes a file that matches the file hash.
  Filter/Exclusion: Exclude files located in standard installation directories (e.g., `C:\Program Files\`, `C:\Program Files (x86)\`) or those signed by known vendors.
- Scenario: A user runs a legitimate diagnostic or monitoring tool (e.g., Process Monitor, Wireshark, or Sysmon) that generates temporary files matching the file hash.
  Filter/Exclusion: Exclude files created by known diagnostic tools or those with specific process names (e.g., `Procmon.exe`, `Wireshark.exe`).
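Added example, not the page's query: the same hunt with the exclusions from the scenarios above expressed in KQL, and the file's signer pulled from `DeviceFileCertificateInfo` (the Microsoft 365 Defender certificate table) so the "signed by a known vendor" case can be judged without silently dropping rows. The folder prefixes and tool names are assumptions chosen to match the scenarios, not values from the page or the rule; `D:\Backups\` in particular is an invented path.

```kusto
// Added example, not the Sentinel hunting query: the footprint hunt with the false-positive
// exclusions applied. Every folder prefix and process name below is an assumption to be
// adapted to the environment (D:\Backups\ is invented), not a value from the page.
let fileHash = "e152f7ce2d3a4349ac583580c2caf8f72fac16ba";
// Initiating processes treated as known administrative / diagnostic tooling (assumed list)
let knownTools = dynamic(["powershell.exe", "Procmon.exe", "Wireshark.exe"]);
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
project DeviceName, ActionType, Timestamp, FileName, FolderPath, SHA1,
        InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA1
| extend MatchedSide = iff(SHA1 == fileHash, iff(InitiatingProcessSHA1 == fileHash, "Both", "Child"), "Parent")
| extend MatchedFile   = iff(MatchedSide == "Parent", InitiatingProcessFileName, FileName),
         MatchedFolder = iff(MatchedSide == "Parent", InitiatingProcessFolderPath, FolderPath)
// Scenarios 1, 2 and 4: the on-disk location is a known install, update or backup path.
// startswith is case-insensitive; an empty MatchedFolder never matches and is kept.
| where not(MatchedFolder startswith @"C:\Program Files\"
         or MatchedFolder startswith @"C:\Program Files (x86)\"
         or MatchedFolder startswith @"C:\Windows\SoftwareDistribution\"
         or MatchedFolder startswith @"D:\Backups\")
// Scenarios 3 and 5: the matching file was produced by a known admin or diagnostic tool.
// Only child-side hits qualify; a parent-side hit means the hunted file itself is executing.
| where not(MatchedSide == "Child" and InitiatingProcessFileName in~ (knownTools))
// Scenario 4 (signed by a known vendor): attach the most recent signer record for this hash
// instead of filtering on it, so the analyst sees who signed the file.
| extend LookupHash = fileHash
| join kind=leftouter (
    DeviceFileCertificateInfo
    | where SHA1 == fileHash
    | summarize arg_max(Timestamp, Signer, IsTrusted, IsRootSignerMicrosoft) by SHA1
    | project LookupHash = SHA1, Signer, IsTrusted, IsRootSignerMicrosoft
  ) on LookupHash
| summarize Actions = make_set(ActionType), FirstTimestamp = min(Timestamp),
            (LastTimestamp, LastActionType) = arg_max(Timestamp, ActionType)
            by DeviceName, MatchedFile, MatchedFolder, MatchedSide, Signer, IsTrusted, IsRootSignerMicrosoft
| sort by DeviceName asc, LastTimestamp desc
```

Time-window exclusions (scenario 2's "known backup windows") are deliberately not encoded: a `where` on the hour of day hides every event in that window, including the ones the hunt exists to find, so a backup-job hit is better tuned out by its directory or initiating process. The signer is likewise surfaced rather than used as a filter, because the hunt targets one specific hash and a sighting of that hash is of interest whoever signed the file.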