Adversaries may reuse the same file across several hosts or alerts within a short time window as part of a persistence or lateral-movement technique. SOC teams should hunt for this behaviour by pivoting on a file name taken from a suspicious event: the query below returns every SecurityAlert in the Azure Sentinel environment that references that file within one day on either side of the event time, with host, account and client IP extracted for further triage.
KQL Query
```kusto
// Returns every SecurityAlert that references v_File within one day on either side
// of suspiciousEventTime, with host, account and client IP pulled out of the alert's
// ExtendedProperties (falling back to the first entity's HostName for the host).
let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){
    let v_StartTime = suspiciousEventTime - 1d;
    let v_EndTime = suspiciousEventTime + 1d;
    SecurityAlert
    | where TimeGenerated between (v_StartTime .. v_EndTime)
    | where ExtendedProperties has v_File
    // expand JSON properties once and reuse the parsed object below
    | extend Extprop = parse_json(ExtendedProperties)
    | extend Computer = iff(isnotempty(tostring(Extprop["Compromised Host"])), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
    // some products emit the key as "User Name", others as "user name"
    | extend Account = iff(isnotempty(tostring(Extprop["User Name"])), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
    | extend IpAddress = tostring(Extprop["Client Address"])
    | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
};
// change datetime value and <filename> value below
GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), "<filename>")
```
Hunting Query YAML
```yaml
id: 11d808a1-32fe-4618-946a-cfd43523347a
name: Alerts related to File
description: |
  'Any Alerts that fired related to a given File during the range of +6h and -3d'
requiredDataConnectors:
  - connectorId: AzureSecurityCenter
    dataTypes:
      - SecurityAlert
  - connectorId: MicrosoftCloudAppSecurity
    dataTypes:
      - SecurityAlert
tactics:
  - Persistence
  - Discovery
  - LateralMovement
  - Collection
query: |
  let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){
      let v_StartTime = suspiciousEventTime - 1d;
      let v_EndTime = suspiciousEventTime + 1d;
      SecurityAlert
      | where TimeGenerated between (v_StartTime .. v_EndTime)
      | where ExtendedProperties has v_File
      // expand JSON properties once and reuse the parsed object below
      | extend Extprop = parse_json(ExtendedProperties)
      | extend Computer = iff(isnotempty(tostring(Extprop["Compromised Host"])), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
      // some products emit the key as "User Name", others as "user name"
      | extend Account = iff(isnotempty(tostring(Extprop["User Name"])), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
      | extend IpAddress = tostring(Extprop["Client Address"])
      | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  };
  // change datetime value and <filename> value below
  GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), "<filename>")
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Shain
  support:
    tier: Community
  categories:
    domains: [ "Security - Other" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication, and the backup process generates temporary files that match the detection logic.
  Filter/Exclusion: Exclude files created by veeam or with a filename containing backup or snapshot.
- Scenario: A Windows Task Scheduler job is running a script that generates temporary files during its execution, which coincidentally match the file signature or name in the rule.
  Filter/Exclusion: Exclude files created by processes with the command line containing schtasks or Task Scheduler.
- Scenario: A Windows Update installation process creates temporary files in the system directory, which the rule mistakenly flags as suspicious activity.
  Filter/Exclusion: Exclude files created by processes with the name wuauclt.exe or WindowsUpdate.exe.
- Scenario: A Docker container is running a scheduled job that writes to the host filesystem, and the file is flagged because the rule's time window overlaps with the container's runtime.
  Filter/Exclusion: Exclude files created by processes with the command line containing docker or containerd.
- Scenario: A SIEM or log management tool such as Splunk or ELK Stack is indexing logs and temporarily writing files to disk, which the rule misidentifies as malicious.
  Filter/Exclusion: Exclude files created by processes with the command line containing splunk or logstash.
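The following is an added example, not part of the original hunting query or the rule's YAML, that ties the query above to the false-positive scenarios: it runs the same parsing logic over a constructed stand-in for the SecurityAlert table, applies the scenario exclusions as a single allow-list of benign markers, and then pivots the surviving alerts per alert name to surface a file that appears on more than one host inside the window, which is the reuse pattern the hunt is looking for. The `SampleAlerts` datatable, the `BenignMarkers` list and the `"Command Line"` / `"Process Name"` keys in the sample rows are constructed for this example; only `"Compromised Host"`, `"User Name"`, `"user name"` and `"Client Address"` come from the page.

```kusto
// Added example: the page's GetAllAlertsWithFile logic plus the false-positive
// exclusions, run against constructed sample alerts instead of SecurityAlert.
// Benign markers taken from the false-positive scenarios above (constructed list).
let BenignMarkers = dynamic(["veeam", "backup", "snapshot", "schtasks", "Task Scheduler",
                             "wuauclt.exe", "WindowsUpdate.exe", "docker", "containerd",
                             "splunk", "logstash"]);
// Constructed sample rows standing in for the SecurityAlert table. The "Command Line"
// and "Process Name" keys are assumed property names used only in this sample data.
let SampleAlerts = datatable(TimeGenerated:datetime, AlertName:string, ExtendedProperties:string, Entities:string)
[
    // same file on two different hosts inside the window: the pattern we want to keep
    datetime(2019-01-18T09:10:00Z), "Suspicious file dropped",
        @'{"Compromised Host":"host01","User Name":"alice","Client Address":"10.0.0.5","File":"dropper.dll"}', @'[]',
    datetime(2019-01-18T11:40:00Z), "Suspicious file dropped",
        @'{"Compromised Host":"host02","user name":"bob","Client Address":"10.0.0.6","File":"dropper.dll"}', @'[]',
    // scheduled-task scenario: excluded by the "schtasks" marker
    datetime(2019-01-18T12:05:00Z), "Suspicious process executed",
        @'{"Command Line":"schtasks /run /tn nightly","Process Name":"schtasks.exe","File":"dropper.dll"}', @'[{"HostName":"host03"}]',
    // outside the +/- 1d window: excluded by the time filter
    datetime(2019-01-17T03:00:00Z), "Suspicious file dropped",
        @'{"Compromised Host":"host09","User Name":"svc","File":"dropper.dll"}', @'[]',
];
let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){
    let v_StartTime = suspiciousEventTime - 1d;
    let v_EndTime = suspiciousEventTime + 1d;
    SampleAlerts
    | where TimeGenerated between (v_StartTime .. v_EndTime)
    | where ExtendedProperties has v_File
    // drop alerts whose properties carry one of the benign markers (term match, case-insensitive)
    | where not(ExtendedProperties has_any (BenignMarkers))
    | extend Extprop = parse_json(ExtendedProperties)
    | extend Computer = iff(isnotempty(tostring(Extprop["Compromised Host"])),
                            toupper(tostring(Extprop["Compromised Host"])),
                            tostring(parse_json(Entities)[0].HostName))
    // coalesce() returns the first non-empty string, covering both key spellings
    | extend Account = tolower(coalesce(tostring(Extprop["User Name"]), tostring(Extprop["user name"])))
    | extend IpAddress = tostring(Extprop["Client Address"])
};
GetAllAlertsWithFile(datetime(2019-01-18T10:36:07Z), "dropper.dll")
| summarize AlertCount = count(),
            Hosts = make_set(Computer),
            Accounts = make_set(Account),
            ClientIPs = make_set(IpAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by AlertName
| extend HostCount = array_length(Hosts)
// the same file surfacing on several hosts within the window is what the hunt is after
| where HostCount > 1
```

On the sample data this yields one row, `Suspicious file dropped` with `Hosts = ["HOST01","HOST02"]` and `HostCount = 2`; the scheduled-task alert is removed by the marker list and the host09 alert by the time window. Two caveats for tuning: `has_any` over the whole ExtendedProperties blob is deliberately coarse, so a marker such as `backup` also suppresses alerts that merely mention backups (for instance an alert about backups being deleted), and should be narrowed to a specific key once you know which alert types carry it; and the process-name and command-line fields the scenarios refer to only exist in ExtendedProperties for alert types that include them, so exclusions written against those fields silently do nothing for file-only alerts.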