Rule : Detection of Untrusted Executables in User Folders
Asr Untrusted Executable Audited Query
Query
DeviceEvents
| where FolderPath contains "users" and ActionType == "AsrUntrustedExecutableAudited"
| project Timestamp, ReportId, DeviceId, ProcessCommandLine, FileName, FolderPath, InitiatingProcessSHA1, InitiatingProcessFileName, SHA1
| invoke FileProfile("SHA1")
| where GlobalFirstSeen > ago(3d) and GlobalPrevalence <= 1About this query
Rule : Detection of Untrusted Executables in User Folders
Description
This detection rule identifies untrusted executables within user directories that have been audited by Advanced Security Rules (ASR). Monitoring for untrusted executables is crucial because they can indicate the presence of malware or unauthorized software introduced into the system by malicious actors. This rule helps identify newly observed, globally rare executables within user folders that might have been introduced through various attack vectors.
This rule monitors for audited actions related to untrusted executables in user directories, focusing on files that are new and have low global prevalence.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypeis "AsrUntrustedExecutableAudited". - The
FolderPathcontains "users". - The file has been seen globally within the last 3 days and has a global prevalence of less than or equal to 1.
- The
Tags
- Untrusted Executables
- User Directories
- Malware
- Suspicious Activity
- Advanced Security Rules (ASR)
Search Query
Notes
This needs a bit of fine tunning to be enabled as a detection rule
Explanation
Summary of the Query
Purpose: This query is designed to detect untrusted executable files within user directories. These files are flagged by Advanced Security Rules (ASR) and are considered suspicious because they are new and have very low global prevalence, which could indicate potential malware or unauthorized software.
Detection Logic:
- Source of Data: The query looks at
DeviceEvents. - Conditions:
- The event's
ActionTypemust be "AsrUntrustedExecutableAudited". - The
FolderPathmust contain the word "users". - The file must have been first seen globally within the last 3 days.
- The file must have a global prevalence of 1 or less, indicating it is very rare.
- The event's
Query Breakdown:
- Filter Events: The query filters events where the
FolderPathcontains "users" and theActionTypeis "AsrUntrustedExecutableAudited". - Select Fields: It selects relevant fields such as
Timestamp,ReportId,DeviceId,ProcessCommandLine,FileName,FolderPath,InitiatingProcessSHA1,InitiatingProcessFileName, andSHA1. - File Profiling: It uses the
SHA1hash to profile the file. - Further Filtering: It further filters the results to include only files that were first seen globally within the last 3 days and have a global prevalence of 1 or less.
Tags:
- Untrusted Executables
- User Directories
- Malware
- Suspicious Activity
- Advanced Security Rules (ASR)
Notes:
- The query may need some adjustments before it can be fully enabled as a detection rule.
Simplified Explanation
This query helps identify potentially dangerous new executable files in user folders that are very rare globally. It focuses on files flagged by security rules and checks if they appeared in the last 3 days and are not commonly seen worldwide. This can help in spotting malware or unauthorized software early.
Details

Ali Hussein
Released: July 15, 2024
Tables
Keywords
Operators