Adversaries may stage malware in the Recycle Bin directory, a location that users and some tooling rarely inspect, to evade detection and keep a foothold on the host. This rule looks for common living-off-the-land binaries (cmd.exe, powershell.exe, rundll32.exe and others) whose command line references the recycler folder. SOC teams should hunt for this behaviour proactively in Azure Sentinel rather than wait for file-based antivirus to flag it. One caveat before deployment: the query filters on `CommandLine has "recycler"`, which is the directory name used on Windows XP-era systems; on Windows Vista and later the directory is `$Recycle.Bin`, which Kusto indexes as the terms "recycle" and "bin", so the query as written does not match those paths and should be extended to cover them.
KQL Query
```kusto
let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
imProcessCreate
| where CommandLine has "recycler"
| where Process has_any (procList)
| extend FileName = tostring(split(Process, '\\')[-1])
| where FileName in~ (procList)
| project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
```
```yaml
id: 61988db3-0565-49b5-b8e3-747195baac6e
name: Malware in the recycle bin (Normalized Process Events)
description: |
  'Identifies malware that has been hidden in the recycle bin.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1564
tags:
  - Id: b8266f81-2715-41a6-9062-42486cbc9c73
    version: 1.0.0
  - Schema: ASIMProcessEvent
    SchemaVersion: 0.1.0
query: |
  let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
  imProcessCreate
  | where CommandLine has "recycler"
  | where Process has_any (procList)
  | extend FileName = tostring(split(Process, '\\')[-1])
  | where FileName in~ (procList)
  | project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.2.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yuval Naor
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Not a raw table but the ASIM ProcessEvent unifying parser. Deploy the ASIM normalization parsers and make sure at least one process-creation source they normalize (for example Windows Security Events or Sysmon) is connected, otherwise the rule runs over an empty result set. |
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administ
Scenario: A system administrator cleans up user files with a script or a third-party tool such as CCleaner or Disk Cleanup (cleanmgr.exe) that empties or otherwise touches the Recycle Bin.
Filter/Exclusion: Neither cleanmgr.exe nor the CCleaner binaries are in procList, so they only match when they spawn one of the listed processes (typically cmd.exe) with the recycler path on its command line. Exclude those events by ActingProcessName (the parent), not by the child process, so that cmd.exe launched from the Recycle Bin by anything else stays in scope.
Scenario: A scheduled job, such as a PowerShell script started by Task Scheduler, archives old logs or temporary files by way of the Recycle Bin.
Filter/Exclusion: Do not exclude powershell.exe or schtasks.exe outright; they are in procList precisely because they are the binaries an attacker would use to run a payload from the recycler folder. Exclude the specific job by its full CommandLine (script path and arguments) after reviewing the script's contents, and optionally narrow the exclusion further to the service or admin account (AccountName) that runs it.
Scenario: A user manually moves files to the Recycle Bin through Explorer or a shortcut.
Filter/Exclusion: This does not trigger the rule: explorer.exe is not in procList, and a drag-and-drop does not produce a process-creation event whose command line contains the recycler path. No exclusion is needed (and shell32.dll is a library, not a process). If Explorer does appear as ActingProcessName launching cmd.exe or powershell.exe from the Recycle Bin, treat that as a hit to investigate rather than something to suppress.
Scenario: A legitimate backup tool such as Veeam, Acronis, or Dell Backup and Recovery moves files to the Recycle Bin during a cleanup phase.
Filter/Exclusion: As with the cleanup tools above, the backup agent only matches if it spawns a listed process with the recycler path on the command line. Exclude by ActingProcessName matching the agent's verified install path; avoid matching a bare substring such as "veeam" anywhere in the path, since an attacker can name a dropped binary to satisfy that filter.
Scenario: Windows Update (wusa.exe), System File Checker (sfc.exe) or DISM (dism.exe) maintenance that touches files in the Recycle Bin.
Filter/Exclusion: None of these binaries is in procList, so they cannot match directly; only a child cmd.exe, powershell.exe or similar that they launch with a recycler path could. If such events appear, exclude them by ActingProcessName for wusa.exe, sfc.exe or dism.exe.
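The following query is an added example, not the rule's own query from the page or the Sentinel repository. It reworks the KQL shown under "KQL Query" to address the two gaps discussed above: it matches the `$Recycle.Bin` directory used since Windows Vista as well as the legacy RECYCLER folder, and it applies the exclusions from the false-positive scenarios by parent process (ActingProcessName) instead of dropping powershell.exe or cmd.exe from the detection. The `benignParents` list, the `RecyclePath` and `RecycleSid` columns, and the claim that Disk Cleanup or CCleaner spawn such child processes in your environment are assumptions to tune per tenant.

```kusto
// Added example; not the original rule's query. Extends the detection to $Recycle.Bin
// and scopes exclusions to the launching (parent) process.
let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
// Assumed allow-list of parent processes for known cleanup jobs (tune per environment).
let benignParents = dynamic(["cleanmgr.exe","CCleaner64.exe"]);
imProcessCreate
// Cheap indexed term prefilter. Kusto indexes "$Recycle.Bin" as the terms "recycle" and "bin",
// so the original filter `has "recycler"` alone never matches modern recycle-bin paths.
| where CommandLine has_any ("recycler", "recycle")
// Confirm an actual recycle-bin directory in the command line, not any text containing "recycle".
| where CommandLine matches regex @'(?i)\\(?:\$recycle\.bin|recycler)\\'
| extend FileName = tostring(split(Process, '\\')[-1])
| where FileName in~ (procList)
// Exclusion is applied to the parent only; cmd.exe/powershell.exe stay in scope.
| extend ActingFileName = tostring(split(ActingProcessName, '\\')[-1])
| where ActingFileName !in~ (benignParents)
// Surface the recycle-bin path and the per-user SID subfolder for triage.
| extend RecyclePath = extract(@'(?i)([a-z]:\\(?:\$recycle\.bin|recycler)\\[^\s"]*)', 1, CommandLine)
| extend RecycleSid = extract(@'(?i)(?:\$recycle\.bin|recycler)\\(S-1-5-[\d-]+)', 1, CommandLine)
| project TimeGenerated, Dvc, User, ActingProcessName, Process, FileName, CommandLine, RecyclePath, RecycleSid
```

The account and host extraction steps and the entity mappings from the original rule are unchanged and can be appended after the `project` line. The `RecycleSid` column is useful during triage because the SID subfolder under `$Recycle.Bin` identifies which user's bin the payload was staged in, which does not always match the account that launched it.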