Defender-DeviceFileEvents
5 ActionTypes
| ActionType | Title |
|---|---|
| any | File activity (any) |
| FileCreated | File created |
| FileModified | File modified |
| FileDeleted | File deleted |
| FileRenamed | File renamed |
any: File activity (any)
Description
File activity (any)
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ActionType | |
| FileName | |
| FolderPath | |
| SHA256 | |
| FileSize | |
| InitiatingProcessFileName | |
| InitiatingProcessCommandLine | |
| InitiatingProcessAccountName | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| CommandLine | contains | .bat | 1 rule | elastic, kusto, sigma |
| CommandLine | contains | accepteula | 1 rule | kusto, sigma, splunk |
| file_name | ends_with | .exe | 1 rule | kusto |
Detection Rules
Kusto
- Remote File Creation with PsExec (severity: high): This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. Ryuk operators use PsExec to manually spread the ransomware to other devices. The following query detects remote file creation events that might indicate an active attack. The See also section below lists links to other queries associated with Ryuk ransomware. References: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA, https://docs.microsoft.com/sysinternals/downloads/psexec
- SUNBURST and SUPERNOVA backdoor hashes (severity: high): Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- VTI - High Severity SHA1 Collision Detection (severity: high): This will alert when a collision is detected for DeviceFileEvents events with VTI high severity SHA1 IoCs.
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint): ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/
FileCreated: File created
Description
File created
Fields
| Name | Description | Rules |
|---|---|---|
| DeviceId | | |
| Timestamp | | |
| FileName | | |
| FolderPath | | 1 |
| SHA256 | | |
| InitiatingProcessFileName | | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | FileCreated | 3 rules | kusto |
| EventType | eq | ProcessCreated | 2 rules | kusto |
| file_name | ends_with | .dll | 1 rule | kusto, splunk |
| parent_process_name | eq | wsmprovhost.exe | 1 rule | elastic, kusto, splunk |
| EventType | in | FileCreated | 1 rule | kusto |
| EventType | in | FileModified | 1 rule | kusto |
| file_name | ends_with | .exe | 1 rule | kusto |
Detection Rules
Kusto
- PE file dropped in Color Profile Folder (severity: medium): This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
- Dev-0530 File Extension Rename (severity: high): Dev-0530 actors are known to encrypt the contents of the victim's device as well as renaming the file extensions. This query looks for the creation of files with the .h0lyenc extension or the presence of a ransom note.
- Files Copied to USB Drives (severity: high): This query lists files copied to USB external drives with USB drive information, based on FileCreated events associated with the most recent USBDriveMount events before file creation. But be aware that Advanced Hunting is not monitoring all file types.
- Suspicious office child process created: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process, this is reported as suspicious.
- Suspicious MSC File Launched: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW). (Also matches FileRenamed: File renamed.)
- WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. (Also matches FileModified: File modified, FileRenamed: File renamed.)
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/
FileModified: File modified
Description
File modified — Sysmon Event ID 2 fires on a FileCreateTime change specifically; Defender's FileModified is broader. Approximate bridge.
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| SHA256 | |
| InitiatingProcessFileName | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| parent_process_name | eq | wsmprovhost.exe | 1 rule | elastic, kusto, splunk |
| EventType | in | FileCreated | 1 rule | kusto |
| EventType | in | FileModified | 1 rule | kusto |
Detection Rules
Kusto
- WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. (Also matches FileCreated: File created, FileRenamed: File renamed.)
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/
FileDeleted: File deleted
Description
File deleted
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| InitiatingProcessFileName | |
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/
FileRenamed: File renamed
Description
File renamed — No clean Windows-native equivalent.
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| PreviousFileName | |
| InitiatingProcessFileName | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| parent_process_name | in | excel.exe | 1 rule | kusto, splunk |
| parent_process_name | in | winword.exe | 1 rule | kusto, splunk |
| parent_process_name | in | powerpnt.exe | 1 rule | kusto, splunk |
| parent_process_name | in | outlook.exe | 1 rule | kusto, splunk |
| parent_process_name | eq | wsmprovhost.exe | 1 rule | elastic, kusto, splunk |
| EventType | in | FileCreated | 1 rule | kusto |
| EventType | in | FileModified | 1 rule | kusto |
Detection Rules
Kusto
- ASR Bypassing Writing Executable Content (severity: medium): The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files (e.g. .ps1, .js, .vbs).
- Suspicious MSC File Launched: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW). (Also matches FileCreated: File created.)
- WinRM Plugin Lateral Movement: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false positives, the detection looks for files that are written to disk in the last 30 days prior to being loaded into the WinRM host process as a DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. (Also matches FileCreated: File created, FileModified: File modified.)
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/