Detect Executable Files in C:\ProgramData
Executable Files Program Data Folder
Query
// The start of the folderpath in the Public directory.
let ProgramDataFolder = @'C:\ProgramData';
// List with Executable File Extensions, can be adjusted or changed.
let ExecutableFileExtensions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'msc','ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf', 'hta', 'js']);
// Prevalence Threshold, if the file exceeds this threshold it is likely to be benign.
let FilePrevalenceThreshold = 250;
DeviceFileEvents
| where FolderPath contains ProgramDataFolder
// Extract File Extension from the filename.
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Only list Files that are executable
| where FileExtension in~ (ExecutableFileExtensions)
| invoke FileProfile('SHA256', 10000)
// Filter based on FilePrevalenceThreshold
| where GlobalPrevalence <= FilePrevalenceThreshold
| project Timestamp, DeviceName, FileExtension, FolderPath, GlobalPrevalence, Signer, Publisher, ReportId, DeviceIdAbout this query
Explanation
This query is designed to identify unusual executable files that are created in the C:\ProgramData directory and its subdirectories. This location is not typically used for creating executable files, so any such files found there should be investigated as they might indicate malicious activity. Attackers might use this directory to hide their payloads and avoid detection.
Key Points of the Query:
-
Target Directory: The query focuses on files within the
C:\ProgramDatadirectory (for Defender XDR) andC:\Users\Public(for Sentinel). -
Executable File Extensions: It looks for files with specific extensions that are considered executable, such as
.exe,.bat,.cmd, etc. -
Prevalence Threshold (Defender XDR only): The query filters out files that are commonly found (more than 250 instances globally), as these are likely benign. This helps in focusing on rare and potentially suspicious files.
-
File Profiling (Defender XDR only): The query uses the
FileProfilefunction to gather additional information about the files, such as their global prevalence, which helps in assessing their rarity. -
Output Information: The query outputs details like the timestamp of file creation, device name, file extension, folder path, global prevalence, signer, publisher, report ID, and device ID for further investigation.
Differences Between Defender XDR and Sentinel:
- File Profiling: The Defender XDR query uses the
FileProfilefunction to get more detailed information about the files, which is not supported in Sentinel. - Directory Path: The Sentinel query checks the
C:\Users\Publicdirectory instead ofC:\ProgramData.
Overall, this query is a security measure to detect potentially malicious files that might be used by attackers to remain undetected in a system.
Details

Bert-Jan Pals
Released: June 22, 2026
Tables
Keywords
Operators