Defender-DeviceFileEvents

5 ActionTypes

ActionType     Title
any            File activity (any)
FileCreated    File created
FileModified   File modified
FileDeleted    File deleted
FileRenamed    File renamed

any: File activity (any)

Provider: Defender-DeviceFileEvents
Channel: DeviceFileEvents

Description

File activity (any)

Fields

Name
DeviceId
Timestamp
ActionType
FileName
FolderPath
SHA256
FileSize
InitiatingProcessFileName
InitiatingProcessCommandLine
InitiatingProcessAccountName

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field         Kind        Value        Rules    Vendors
CommandLine   contains    .bat         1 rule   elastic, kusto, sigma
CommandLine   contains    accepteula   1 rule   kusto, sigma, splunk
file_name     ends_with   .exe         1 rule   kusto

Detection Rules

Kusto

  • Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) (source): ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:

References

FileCreated: File created

Provider: Defender-DeviceFileEvents
Channel: FileCreated

Description

File created

Fields

Name                         Rules
DeviceId
Timestamp
FileName
FolderPath                   1
SHA256
InitiatingProcessFileName

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                 Kind        Value             Rules     Vendors
EventType             eq          FileCreated       3 rules   kusto
EventType             eq          ProcessCreated    2 rules   kusto
file_name             ends_with   .dll              1 rule    kusto, splunk
parent_process_name   eq          wsmprovhost.exe   1 rule    elastic, kusto, splunk
EventType             in          FileCreated       1 rule    kusto
EventType             in          FileModified      1 rule    kusto
file_name             ends_with   .exe              1 rule    kusto

Detection Rules

Kusto

  • Suspicious office child process created (source): This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process, this is reported as suspicious.
  • Suspicious MSC File Launched (source): The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW). Also matches FileRenamed: File renamed.
  • WinRM Plugin Lateral Movement (source): This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. Also matches FileModified: File modified, FileRenamed: File renamed.

References

FileModified: File modified

Provider: Defender-DeviceFileEvents
Channel: FileModified

Description

File modified — Sysmon Event ID 2 fires specifically on a FileCreateTime change; Defender's FileModified is broader. Approximate bridge.

Fields

Name
DeviceId
Timestamp
FileName
FolderPath
SHA256
InitiatingProcessFileName

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                 Kind   Value             Rules    Vendors
parent_process_name   eq     wsmprovhost.exe   1 rule   elastic, kusto, splunk
EventType             in     FileCreated       1 rule   kusto
EventType             in     FileModified      1 rule   kusto

Detection Rules

Kusto

  • WinRM Plugin Lateral Movement (source): This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. Also matches FileCreated: File created, FileRenamed: File renamed.

References

FileDeleted: File deleted

Provider: Defender-DeviceFileEvents
Channel: FileDeleted

Description

File deleted

Fields

Name
DeviceId
Timestamp
FileName
FolderPath
InitiatingProcessFileName

References

FileRenamed: File renamed

Provider: Defender-DeviceFileEvents
Channel: FileRenamed

Description

File renamed — No clean Windows-native equivalent.

Fields

Name
DeviceId
Timestamp
FileName
FolderPath
PreviousFileName
InitiatingProcessFileName

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                 Kind   Value             Rules    Vendors
parent_process_name   in     excel.exe         1 rule   kusto, splunk
parent_process_name   in     winword.exe       1 rule   kusto, splunk
parent_process_name   in     powerpnt.exe      1 rule   kusto, splunk
parent_process_name   in     outlook.exe       1 rule   kusto, splunk
parent_process_name   eq     wsmprovhost.exe   1 rule   elastic, kusto, splunk
EventType             in     FileCreated       1 rule   kusto
EventType             in     FileModified      1 rule   kusto

Detection Rules

Kusto

  • ASR Bypassing Writing Executable Content (source, medium): The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files (e.g. .ps1, .js, .vbs).
  • Suspicious MSC File Launched (source): The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW). Also matches FileCreated: File created.
  • WinRM Plugin Lateral Movement (source): This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. Also matches FileCreated: File created, FileModified: File modified.
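As an added example (not a query from this catalogue or from the authors of the rules it references), the following KQL approximates the "Office writes a file, then it is renamed to a script extension" pattern behind the ASR bypass rule above, using only DeviceFileEvents fields listed on this page. The deny-listed extensions, the ten-minute rename window and the one-day lookback are assumptions.

```kusto
// Added example, not the catalogue's or the rule authors' own query.
// Pairs FileCreated/FileModified events initiated by an Office process with a later
// FileRenamed event on the same device where the same file gains a script extension.
let lookback = 1d;
let rename_window = 10m;                                   // assumed write-to-rename tolerance
let office_apps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let script_exts = dynamic([".ps1", ".js", ".vbs"]);        // assumed deny-listed extensions
let office_writes =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | where InitiatingProcessFileName in~ (office_apps)
    | project DeviceId, WriteTime = Timestamp, WrittenName = FileName,
              WrittenPath = FolderPath, InitiatingProcessFileName,
              InitiatingProcessAccountName;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileRenamed"
// extension of the new name; PreviousFileName keeps the name the Office app wrote
| extend NewExt = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where NewExt in (script_exts)
| project DeviceId, RenameTime = Timestamp, PreviousFileName, FileName, FolderPath
| join kind=inner (office_writes) on DeviceId, $left.PreviousFileName == $right.WrittenName
// only renames that follow the Office write within the tolerance window
| where RenameTime between (WriteTime .. (WriteTime + rename_window))
| project DeviceId, WriteTime, RenameTime, InitiatingProcessFileName,
          InitiatingProcessAccountName, PreviousFileName, FileName, FolderPath
| order by RenameTime desc
```

The join deliberately does not constrain which process performed the rename, since the rule summary only requires that the rename follow the Office write shortly afterwards.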

References