← Back to SOC feed Coverage →

Abnormally Large JPEG Filed Downloaded from New Source

kql MEDIUM Azure-Sentinel
T1001.002
CommonSecurityLog
exploithuntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-04-23T09:00:00Z · Confidence: medium

Hunt Hypothesis

Threat actors may be using abnormally large JPEG files to exfiltrate data or hide malicious payloads, leveraging the file type to bypass security inspections. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or malware delivery attempts that evade traditional detection methods.

KQL Query

let percentile = 95;
  let lookback_data = materialize(CommonSecurityLog
  | where TimeGenerated between(ago(7d)..ago(1d))
  | where FileType == "Jpeg Files" or RequestURL endswith ".jpg"
  | where isnotempty(RequestURL));
  let domains = lookback_data | summarize by DestinationHostName;
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where FileType =~ "Jpeg Files" or RequestURL endswith ".jpg"
  | where isnotempty(RequestURL)
  | extend filename = split(RequestURL, "/")[-1]
  | where ReceivedBytes > toscalar(lookback_data
  | summarize percentile(ReceivedBytes, percentile))
  | project-reorder TimeGenerated, filename, RequestURL, ReceivedBytes, RequestClientApplication, SourceUserName, DestinationHostName, RequestContext 
  | where DestinationHostName !in (domains) or isempty(DestinationHostName)

Analytic Rule Definition

id: a2ff777e-46c8-4649-b19a-25a0ac059a18
name: Abnormally Large JPEG Filed Downloaded from New Source
description: |
  'Threat actors can use JPEG files to hide malware, or other malicious code from inspection. This query looks for the downloading of abnormally large JPEG files from a source where large JPEG files have not been downloaded.
    Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'
requiredDataConnectors:
  - connectorId: CEF
    dataTypes:
      - CommonSecurityLog
tactics:
  - InitialAccess
relevantTechniques:
  - T1001.002
query: |
  let percentile = 95;
    let lookback_data = materialize(CommonSecurityLog
    | where TimeGenerated between(ago(7d)..ago(1d))
    | where FileType == "Jpeg Files" or RequestURL endswith ".jpg"
    | where isnotempty(RequestURL));
    let domains = lookback_data | summarize by DestinationHostName;
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where FileType =~ "Jpeg Files" or RequestURL endswith ".jpg"
    | where isnotempty(RequestURL)
    | extend filename = split(RequestURL, "/")[-1]
    | where ReceivedBytes > toscalar(lookback_data
    | summarize percentile(ReceivedBytes, percentile))
    | project-reorder TimeGenerated, filename, RequestURL, ReceivedBytes, RequestClientApplication, SourceUserName, DestinationHostName, RequestContext 
    | where DestinationHostName !in (domains) or isempty(DestinationHostName)
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: filename
  - entityType: Url
    fieldMappings:
      - identifier: Url
        columnName: RequestURL
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml