Event ID 9002000 — File activity (any)

Provider: Defender-DeviceFileEvents
Channel: DeviceFileEvents

Description

File activity (any)

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`ActionType`	—
`FileName`	—
`FolderPath`	—
`SHA256`	—
`FileSize`	—
`InitiatingProcessFileName`	—
`InitiatingProcessCommandLine`	—
`InitiatingProcessAccountName`	—

Detection Patterns #

Sunburst And Supernova Backdoor

Defender-DeviceFileEvents Event ID 9002000: File activityORSecurity-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreate

4 rules

Kusto Query Language

SUNBURST and SUPERNOVA backdoor hashes (source)

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

Google Threat Intelligence - Threat Hunting Hash (source)

Show 1 more (4 total)

RecordedFuture Threat Hunting Hash All Actors (source)

Execution: User Execution

Defender-DeviceFileEvents Event ID 9002000: File activity→Security-Auditing Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 11: FileCreate

1 rule

Kusto Query Language

VTI - High Severity SHA1 Collision Detection (source)

Lateral Movement: Lateral Tool Transfer

Defender-DeviceFileEvents Event ID 9002000: File activityANDSecurity-Auditing Event ID 4663: An attempt was made to access an object.ANDSysmon Event ID 11: FileCreate

1 rule

Kusto Query Language

Remote File Creation with PsExec (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table