Query Details

Executable File Extentions downloaded via HTTP GET

HTTP Executable Files Downloaded

Query

let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']);
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| where HTTP_Request_Method == "GET"
| extend DownloadedContent = extract(@'.*/(.*)HTTP', 1, SignatureMatchedContent)
| extend DownloadContentFileExtention = extract(@'.*\.(.*)$', 1, DownloadedContent)
| where isnotempty(DownloadContentFileExtention) and string_size(DownloadContentFileExtention) < 8
| where DownloadContentFileExtention has_any (ExecutableFileExtentions)
| project-reorder Timestamp, DeviceName, DownloadedContent, HTTP_Request_Method, RemoteIP

About this query

Explanation

This query is designed to identify and list files with executable extensions that have been downloaded via HTTP GET requests. Here's a simplified breakdown of what the query does:

  1. Define Executable Extensions: It starts by defining a list of file extensions that are considered executable, such as .exe, .bat, .cmd, etc.

  2. Filter Network Events: The query looks at network events where the action type is "NetworkSignatureInspected". This means it is inspecting network traffic for specific patterns or signatures.

  3. Extract HTTP GET Requests: It further filters these events to only include those where the signature name is "HTTP_Client" and the HTTP request method is "GET". This focuses the query on HTTP GET requests, which are typically used to download files.

  4. Extract Downloaded Content: The query extracts the content of the download from the network event data, specifically looking for the file name and its extension.

  5. Filter Executable Files: It checks if the file extension of the downloaded content matches any of the predefined executable extensions and ensures the extension is not empty and is less than 8 characters long.

  6. Project Relevant Information: Finally, it organizes the output to show the timestamp (or time generated), device name, the content that was downloaded, the HTTP request method, and the remote IP address involved in the transaction.

This query helps in identifying potentially risky downloads of executable files over the network, which could be indicative of malware or unauthorized software being downloaded.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsHTTPClientSignatureNameDownloadedContentRemoteIPTimestampTimeGenerated

Operators

letdynamicwhereextendtostringparse_jsonsplitextractisnotemptystring_sizehas_anyproject-reorder

Actions

GitHub