Query Details

Detect Shebang File Types Received Via Email

Query

**Detect Shebang File Types received via Email**

**Description:** Shebangs (`#!`) are native to Unix-like operating systems (macOS and Linux). Standard Windows consoles (Command Prompt and PowerShell) do not natively honour them. They do work on Windows, however, when the script is run through tools such as the Python Launcher, Git Bash, Cygwin, or a Unix-like environment such as WSL. In simple terms, a shebang tells the operating system which interpreter should execute a script. For example: `#!/usr/bin/python3`

The first thing that came to my mind was to hunt for cases where these kinds of files were received via email, and yes, I quickly found a few Python and ECM-related examples.

```kql
// Device file events whose detected file type is "Shebang" (content starts with #!)
let ShebangFiles = DeviceFileEvents
| extend AF = parse_json(AdditionalFields)
| where tostring(AF.FileType) == "Shebang" and isnotempty(SHA256)
| project FileTimestamp=Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256,
          FileActionType=ActionType, FileInitiatingProcess=InitiatingProcessFileName,
          FileInitiatingCommandLine=InitiatingProcessCommandLine, FileType=tostring(AF.FileType);
// Keep only those files whose hash also appears as an email attachment
ShebangFiles
| join kind=inner EmailAttachmentInfo on $left.SHA256 == $right.SHA256
```

Explanation

This query detects files with a "Shebang" file type that were received via email. A simplified breakdown of what it does:

1. Identify Shebang files:
   - The query starts from `DeviceFileEvents` and keeps only files whose `AdditionalFields.FileType` is `"Shebang"`.
   - It also requires a non-empty SHA256 hash, the content hash that lets the same file be recognised across tables.
2. Extract relevant information:
   - For each identified Shebang file, it projects the details needed for triage: the timestamp of the file event, device ID and name, file name, folder path, SHA256 hash, the type of action performed on the file, and the name and command line of the process that initiated the action.
3. Match with email attachments:
   - The query then inner-joins these rows with `EmailAttachmentInfo` on the SHA256 hash.
   - A match means a file with exactly that content arrived as an email attachment.
4. Output the results:
   - The final result is the list of Shebang files that were received via email, along with their associated file-event and attachment details.

In essence, this query helps identify potentially suspicious files carrying Unix-like script indicators (shebangs) that arrived through email, which can be a sign of phishing or other malicious activity.
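To illustrate the same logic outside Defender, here is an added Python example (not the page's KQL and not the author's code) that classifies constructed file contents as Shebang or not, builds rows shaped like `DeviceFileEvents` and `EmailAttachmentInfo`, and performs the SHA256 inner join; the sample files, hashes and sender address are constructed, and the row dictionaries are a hypothetical stand-in for the real tables.

```python
import hashlib
import re

# Constructed sample file contents (not real telemetry); each SHA256 below is
# computed from these bytes, the way DeviceFileEvents would report it.
SAMPLE_FILES = {
    "update.py":  b"#!/usr/bin/python3\nimport os\n",   # Shebang
    "install.sh": b"#! /bin/sh\necho hi\n",             # Shebang (space after #! is legal)
    "notes.txt":  b"Quarterly numbers\n",               # not a script
    "setup.py":   b"import os\n",                       # Python, but no shebang line
}

SHEBANG_RE = re.compile(rb"\A#!\s*(\S+)")


def shebang_interpreter(content: bytes):
    """Return the interpreter path named on a leading #! line, or None."""
    m = SHEBANG_RE.match(content)
    return m.group(1).decode("utf-8", errors="replace") if m else None


def device_file_events(files: dict) -> list:
    """Build DeviceFileEvents-like rows (hypothetical shape); FileType is 'Shebang' only for #! content."""
    return [{
        "FileName": name,
        "SHA256": hashlib.sha256(content).hexdigest(),
        "AdditionalFields": {"FileType": "Shebang" if shebang_interpreter(content) else "Other"},
    } for name, content in files.items()]


def shebang_files_received_via_email(file_events: list, attachments: list) -> list:
    """Mirror the query: filter to Shebang rows, then inner-join EmailAttachmentInfo-like rows on SHA256."""
    shebang_rows = [r for r in file_events
                    if r["AdditionalFields"].get("FileType") == "Shebang" and r["SHA256"]]
    return [{"FileName": r["FileName"], "SHA256": r["SHA256"],
             "SenderFromAddress": a["SenderFromAddress"]}
            for r in shebang_rows for a in attachments if a["SHA256"] == r["SHA256"]]


def _sha(name: str) -> str:
    return hashlib.sha256(SAMPLE_FILES[name]).hexdigest()

# Constructed EmailAttachmentInfo-like rows: update.py and notes.txt arrived by mail; install.sh did not.
ATTACHMENTS = [
    {"FileName": "update.py", "SHA256": _sha("update.py"), "SenderFromAddress": "sender@example.com"},
    {"FileName": "notes.txt", "SHA256": _sha("notes.txt"), "SenderFromAddress": "sender@example.com"},
]

if __name__ == "__main__":
    for hit in shebang_files_received_via_email(device_file_events(SAMPLE_FILES), ATTACHMENTS):
        print(hit)
```

Only `update.py` is reported: `install.sh` is a shebang file that never arrived by mail, and `notes.txt` arrived by mail but is not a script.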

Details

Sergio Albea

Released: June 11, 2026

Tables

DeviceFileEvents, EmailAttachmentInfo

Keywords

DeviceFileEvents, EmailAttachmentInfo

Operators

`let`, `|`, `extend`, `parse_json()`, `where`, `tostring()`, `==`, `and`, `isnotempty()`, `project`, `=`, `join`, `kind=inner`, `on`