Query Details

Defender for Endpoint - Identify Portable Apps

MDE Portable Apps

Query

DeviceFileEvents
| where parse_json( AdditionalFields).FileType has_any ("PortableExecutable")
| extend FileExtension = parse_path(FolderPath).Extension
| where FileExtension == "exe"
| project FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, AdditionalFields
| where isnotempty( FileOriginUrl)

About this query

Explanation

This query is designed to identify portable applications on devices that are monitored by Microsoft Defender for Endpoint. Portable applications are software programs that can run without being installed on a system, which can be used by attackers to mimic legitimate software and evade detection. Here's a breakdown of what each part of the query does:

  1. Identify Portable Executable Files: The first part of the query looks for files classified as "PortableExecutable" and have an ".exe" extension. It retrieves details like the file name, folder path, and origin URL, focusing on files that have a non-empty origin URL.

  2. Group Portable Files by Download URL: This section groups the identified portable executable files by their download referrer URL, providing a count of files and a list of file names associated with each URL.

  3. Files from PortableApps.com: This part specifically filters and shows files that were downloaded from the website "portableapps.com", a known source for portable applications.

  4. Executed Portable Apps from User Folders: It lists portable applications that have been executed from user directories or locations other than standard system directories like Windows, Program Files, or Program Data. This helps identify potentially suspicious activity where portable apps are run from non-standard locations.

  5. Executed Portable Apps with "Portable" in Product Name: Finally, it identifies executed applications that have "portable" in their product name, which can help pinpoint applications explicitly designed to be portable.

Overall, this query helps security analysts detect and investigate the use of portable applications across their network, which could indicate attempts to bypass traditional security measures.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 5, 2025

Tables

DeviceFileEventsDeviceProcessEvents

Keywords

DeviceFileEventsDeviceProcessEventsFileNameFolderPathFileOriginUrlFileOriginReferrerUrlAdditionalFieldsAccountNameAccountUpnProcessVersionInfoProductNameProcessVersionInfoInternalFileNameProcessVersionInfoOriginalFileNameTimeGeneratedAccountSid

Operators

`where``parse_json``has_any``extend``parse_path``project``isnotempty``summarize``make_set``matches regex``startswith``not``<>``==`

MITRE Techniques

Actions

GitHub