This hunt hypothesis covers potential adversary use of the .SettingContent-ms file type to execute a malicious payload, or to stage data theft, after the file is delivered through a web browser or an email client. A .SettingContent-ms file is a plain XML shortcut for the Windows Settings app: its DeepLink element names the command Windows runs when the file is opened, and the shell historically did not restrict that command to a Settings page, which is why a downloaded file could launch cmd.exe or PowerShell without the warnings applied to other executable file types. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to catch the initial execution before it turns into lateral movement or data theft.
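Once the query below surfaces a downloaded file, the next step is to look inside it. The following Python helper is an added example (not part of the original hunting query or Microsoft's code): it parses the XML structure of a .SettingContent-ms file, pulls out every DeepLink, and classifies the launched program. The benign and malicious documents are constructed test data, the namespace URI and element names are the ones used by real files, and the EXPECTED_TARGETS / SUSPICIOUS_TARGETS sets are assumptions to tune for your environment.

```python
"""Triage helper for .SettingContent-ms files (added example, not from the page).

Windows runs the command in the file's <DeepLink> element when the file is
opened. Legitimate shortcuts point at Control Panel / Settings entry points,
so any other launch target deserves analyst review.
"""
import os
import xml.etree.ElementTree as ET

# Namespace declared on the SearchableContent element of these files.
NS = {"sc": "http://schemas.microsoft.com/Search/2013/SettingContent"}

# Assumption: programs a legitimate Settings shortcut is expected to launch.
EXPECTED_TARGETS = {"control.exe"}

# Assumption: living-off-the-land binaries commonly seen in DeepLink abuse.
SUSPICIOUS_TARGETS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
    "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
    "bitsadmin.exe", "curl.exe",
}


def extract_deeplinks(xml_bytes: bytes) -> list[str]:
    """Return every non-empty DeepLink value in the file (normally exactly one)."""
    # For untrusted input in production, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(xml_bytes)
    return [el.text.strip() for el in root.iterfind(".//sc:DeepLink", NS)
            if el.text and el.text.strip()]


def target_basename(deeplink: str) -> str:
    """Lower-cased file name of the program a DeepLink launches.

    Takes the first token, honouring a quoted path ("C:\\Program Files\\x.exe" args)
    and environment variables (%windir%\\system32\\control.exe args), then strips
    the directory part. Backslashes are normalised so this also works off-Windows.
    """
    s = deeplink.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split(None, 1)[0] if s else ""
    return os.path.basename(exe.replace("\\", "/")).lower()


def classify_deeplink(deeplink: str) -> str:
    exe = target_basename(deeplink)
    if exe in SUSPICIOUS_TARGETS:
        return "suspicious"
    if exe in EXPECTED_TARGETS:
        return "expected"
    return "review"


def triage(xml_bytes: bytes) -> list[tuple[str, str]]:
    """(deeplink, verdict) pairs; unparsable or DeepLink-less files are reported as such."""
    try:
        links = extract_deeplinks(xml_bytes)
    except ET.ParseError:
        return [("", "unparseable")]
    if not links:
        return [("", "no-deeplink")]
    return [(link, classify_deeplink(link)) for link in links]


def _sample(deeplink: str) -> bytes:
    """Constructed SettingContent-ms document with the given DeepLink (test data)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
""".encode()


# Constructed samples: a genuine-looking BitLocker shortcut and a classic PoC-style abuse.
BENIGN = _sample(r"%windir%\system32\control.exe /name Microsoft.BitLockerDriveEncryption")
MALICIOUS = _sample(r"C:\Windows\System32\cmd.exe /c calc.exe &amp;&amp; exit")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, triage(doc))
```

The classifier keys only on the launched binary; an analyst should still read the full DeepLink, since a benign-looking target with unusual arguments (for example control.exe pointed at a .cpl in a user-writable path) is also worth a look.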
KQL Query

```kql
DeviceFileEvents
// browser_broker.exe is the legacy (EdgeHTML) Edge process; msedge.exe is Chromium-based Edge
| where InitiatingProcessFileName in~ ("browser_broker.exe", "msedge.exe", "chrome.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
| where FileName endswith ".settingcontent-ms"
// The FileOrigin* columns are populated only for Edge and Chrome downloads, and only from Windows 10 version 1703 onward
// https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP
```

Note that this query finds the download (file creation), not the execution. To confirm the file was opened, pivot to DeviceProcessEvents on the same device and look for a process whose command line references the .settingcontent-ms file.
Hunting query definition (YAML):

```yaml
id: 07a17371-bea3-41e5-91d1-99728cd44955
name: Abusing settingcontent-ms
description: |
  Sample query that searches for .settingcontent-ms files that have been downloaded from the web
  through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox, or Microsoft Outlook.
  For questions @MiladMSFT on Twitter or [email protected].
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |
  DeviceFileEvents
  // browser_broker.exe is the legacy (EdgeHTML) Edge process; msedge.exe is Chromium-based Edge
  | where InitiatingProcessFileName in~ ("browser_broker.exe", "msedge.exe", "chrome.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
  | where FileName endswith ".settingcontent-ms"
  // The FileOrigin* columns are populated only for Edge and Chrome downloads, and only from Windows 10 version 1703 onward
  // https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
  | project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and streaming this table |
Scenario: User downloads a Microsoft Settings file from a Microsoft site
Description: A user downloads a .settingcontent-ms file from a microsoft.com site as part of a configuration or support workflow. Legitimate downloads of this file type are rare, so even this case deserves a quick look.
Filter/Exclusion: Match the hostname of FileOriginUrl against known Microsoft domains (microsoft.com and its subdomains) with a suffix match on the host, not a substring match on the whole URL, which would also accept lookalike hosts and query-string decoys. These files are plain XML shortcuts, not signed binaries, so there is no Authenticode signature to verify; instead inspect the DeepLink element and confirm it launches a Settings or Control Panel entry point rather than cmd.exe, PowerShell or another living-off-the-land binary.

Scenario: Scheduled task for configuration management (e.g., Configuration Manager or Intune)
Description: A scheduled task or management agent writes .settingcontent-ms files to the endpoint as part of an enterprise configuration deployment.
Filter/Exclusion: The query as written only returns files created by the listed browser and Outlook processes, so files written by the Configuration Manager client (CcmExec.exe), the Intune Management Extension, a scheduled task or a script never match it. If you broaden the InitiatingProcessFileName filter, exclude those management processes explicitly rather than by partial name.

Scenario: Admin uses Microsoft Edge to access internal documentation with embedded .settingcontent-ms
Description: An administrator opens internal documentation hosted on a company server that ships .settingcontent-ms files as part of a documentation or help system.
Filter/Exclusion: Exclude rows whose FileOriginUrl hostname ends with an internal domain (e.g., intranet.companydomain.com) or whose FileOriginIP falls in your internal address ranges (ipv4_is_private() or your own ranges). Because FileOrigin* is empty for Firefox and Internet Explorer downloads, this exclusion only works for Edge and Chrome; for other browsers the FolderPath is the only hint and the row should stay in scope.

Scenario: Outlook add-in or email attachment with .settingcontent-ms
Description: A user opens an email attachment that is a .settingcontent-ms file, possibly from an internal sender or a known add-in.
Filter/Exclusion: Opened attachments appear with a FolderPath under ...\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ and an empty FileOriginUrl. DeviceFileEvents carries no sender information, so filtering by sender domain (e.g., company.com) requires joining to EmailAttachmentInfo on SHA256 and filtering on the sender address there, which needs Defender for Office 365 data in the workspace. Filtering on outlook.exe adds nothing, since the query already selects that process.
Scenario: PowerShell Script or Batch Job Generating .settingcontent-ms for Custom Configuration
Description: A PowerShell script or batch job is used to generate or manipulate `.
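The exclusions above are easy to get subtly wrong (substring matches on URLs, rows with no origin data at all). The following Python helper is an added example, not part of the original hunt, that applies them to rows shaped like the query's projection. The sample rows, the allow-listed domains (microsoft.com, companydomain.com) and the internal address ranges are constructed placeholders to replace with your own.

```python
"""Triage rows returned by the hunt query against the exclusions above.

Added example (not from the page). Rows are dicts with the columns the query
projects. The rules are deliberately strict about hostname matching and about
rows that carry no origin metadata.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-lists: replace with your own values.
TRUSTED_DOMAINS = ("microsoft.com",)        # scenario 1
INTERNAL_DOMAINS = ("companydomain.com",)   # scenario 3, placeholder domain from the page
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTLOOK_CACHE = "content.outlook"           # Outlook writes opened attachments under ...\INetCache\Content.Outlook\


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; '' if the URL is empty or unparsable."""
    try:
        return (urlsplit(url or "").hostname or "").lower()
    except ValueError:
        return ""


def in_domain(host: str, domain: str) -> bool:
    """Exact or sub-domain match on the host part only. A substring test on the
    whole URL would also accept microsoft.com.evil.example or ?ref=microsoft.com."""
    return host == domain or host.endswith("." + domain)


def is_internal_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty string or not an IP literal
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage_row(row: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one row: 'excluded' or 'review'."""
    host = host_of(row.get("FileOriginUrl", ""))
    ip = row.get("FileOriginIP", "") or ""
    folder = (row.get("FolderPath", "") or "").lower()

    if not host and not ip:
        # FileOrigin* is filled only for Edge/Chrome on Windows 10 1703+; with no
        # origin there is nothing to allow-list against, so the row stays in scope.
        if OUTLOOK_CACHE in folder:
            return "review", "Outlook attachment: get sender from EmailAttachmentInfo (join on SHA256)"
        return "review", "no origin metadata (Firefox/IE or pre-1703 client)"
    if any(in_domain(host, d) for d in TRUSTED_DOMAINS):
        return "excluded", f"trusted origin {host}"
    if any(in_domain(host, d) for d in INTERNAL_DOMAINS) or is_internal_ip(ip):
        return "excluded", f"internal origin {host or ip}"
    return "review", f"external origin {host or ip}"


def triage(rows: list[dict]) -> list[tuple[str, str, str]]:
    """(DeviceName, verdict, reason) for every row."""
    return [(r["DeviceName"], *triage_row(r)) for r in rows]


# Constructed sample rows in the shape the query projects (not real telemetry).
SAMPLE_ROWS = [
    {"DeviceName": "ws01", "FileName": "BitLocker.settingcontent-ms",
     "FolderPath": r"C:\Users\alice\Downloads\BitLocker.settingcontent-ms",
     "FileOriginUrl": "https://support.microsoft.com/en-us/help/BitLocker.settingcontent-ms",
     "FileOriginReferrerUrl": "https://support.microsoft.com/", "FileOriginIP": "203.0.113.5"},
    {"DeviceName": "ws02", "FileName": "invoice.settingcontent-ms",
     "FolderPath": r"C:\Users\bob\Downloads\invoice.settingcontent-ms",
     "FileOriginUrl": "https://microsoft.com.evil.example/invoice.settingcontent-ms",
     "FileOriginReferrerUrl": "", "FileOriginIP": "198.51.100.7"},
    {"DeviceName": "ws03", "FileName": "proxy.settingcontent-ms",
     "FolderPath": r"C:\Users\carol\Downloads\proxy.settingcontent-ms",
     "FileOriginUrl": "http://intranet.companydomain.com/help/proxy.settingcontent-ms",
     "FileOriginReferrerUrl": "", "FileOriginIP": "10.20.30.40"},
    {"DeviceName": "ws04", "FileName": "update.settingcontent-ms",
     "FolderPath": r"C:\Users\dave\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\update.settingcontent-ms",
     "FileOriginUrl": "", "FileOriginReferrerUrl": "", "FileOriginIP": ""},
    {"DeviceName": "ws05", "FileName": "wifi.settingcontent-ms",
     "FolderPath": r"C:\Users\erin\Downloads\wifi.settingcontent-ms",
     "FileOriginUrl": "", "FileOriginReferrerUrl": "", "FileOriginIP": ""},
]

if __name__ == "__main__":
    for device, verdict, reason in triage(SAMPLE_ROWS):
        print(f"{device}: {verdict} ({reason})")
```

The lookalike host in the second row is the case that a naive `FileOriginUrl contains "microsoft.com"` exclusion would silently drop; the last two rows show why rows with empty origin columns must never be treated as allow-listed.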