ASR Bypassing Writing Executable Content
The query looks for files written by an Office application (Excel, Outlook, PowerPoint, Word) and shortly afterwards renamed to one of the deny-listed script extensions (e.g. .ps1, .js, .vbs). These are plain-text files, so a payload can be dropped under a harmless extension and given its executable extension only after the write, which is the behaviour the Attack Surface Reduction rule against Office applications creating executable content is meant to stop. The rename event is attributed to the Office process through InitiatingProcessFileName.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1211 Exploitation for Defense Evasion |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Defender-DeviceFileEvents | 9002004 | File renamed |
Stages and Predicates
Stage 1: source
DeviceFileEvents
Stage 2: where
macro "(Timestamp >= ago(timeframe))"
Stage 3: where
InitiatingProcessFileName in ["excel.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]
Stage 4: where
ActionType eq "FileRenamed"
Stage 5: mv-expand
Stage 6: project-reorder
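The stages above assembled into one Advanced Hunting query. This is an added reconstruction, not the catalog's own query text: the lookback value, the exact contents of the extension deny list beyond .ps1/.js/.vbs, the way mv-expand is applied (expanding the extension list so each row is tested against every entry), and the columns chosen for project-reorder are all assumptions.

```kql
// Added reconstruction of the rule from its stages; not the catalog's own query.
// Assumed: 1d lookback, deny list limited to the extensions named on the page,
// mv-expand over the extension list, and the reordered column set.
let timeframe = 1d;
let officeApps = dynamic(["excel.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]);
let scriptExts = dynamic([".ps1", ".js", ".vbs"]);
DeviceFileEvents
| where Timestamp >= ago(timeframe)
// Stage 3: only renames performed by an Office process (in~ is case-insensitive)
| where InitiatingProcessFileName in~ (officeApps)
// Stage 4: the rename itself, not the preceding create/modify event
| where ActionType == "FileRenamed"
// Stage 5: test the new name against every deny-listed extension
| extend Ext = scriptExts
| mv-expand Ext to typeof(string)
| where FileName endswith Ext
// Stage 6: put the fields an analyst triages first at the front
| project-reorder Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    PreviousFileName, FileName, FolderPath, Ext
```

Because the rule only filters rename events, the "written shortly before" half of the description is not enforced by a time join; it is implied by the Office process being the one performing the rename. When tuning, a common false-positive source is a file that already carried the script extension before the rename (PreviousFileName ending in the same Ext), which can be excluded with an extra where clause if the environment produces such events.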
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | FileRenamed |
| InitiatingProcessFileName | in | excel.exe, outlook.exe, powerpnt.exe, winword.exe |