Event ID 9002004 — File renamed
Description
File renamed — No clean Windows-native equivalent.
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| FileName | — |
| FolderPath | — |
| PreviousFileName | — |
| InitiatingProcessFileName | — |
Detection Rules
Kusto Query Language
- ASR Bypassing Writing Executable Content (medium): The query checks for any file that has been created or written by an Office application and shortly afterwards renamed to one of the deny-listed "executable extensions" that are text files (e.g. .ps1, .js, .vbs).
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table