Near Real Time NRT Custom Defender XDR Detection Isolation For Windows Whatsapp Security Risk
Query
// Near real-time (NRT) custom DefenderXDR detection & isolation for Windows Whatsapp security risk
// https://www.linkedin.com/posts/activity-7222989513491460096-7M9Y/
Trigger & isolate device:
DeviceFileEvents
| where ActionType == "FileCreated"
| where InitiatingProcessFileName contains "WhatsApp.exe"
| where FileName endswith ".pyz" or FileName endswith ".pyzw" or FileName endswith ".php"
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1059.007 - Command and Scripting Interpreter: JavaScript/JScript: The detection of file extensions like .pyz and .pyzw suggests the creation of Python-related files, which can be used for scripting and automation1.
// T1105 - Ingress Tool Transfer: The creation of .php files could indicate the transfer of web shells or other malicious scripts onto the system2.
// T1071.001 - Application Layer Protocol: Web Protocols: WhatsApp.exe initiating these file creations might indicate the use of web protocols for communication or data transfer3.Explanation
This query is designed to detect and isolate potential security risks related to the use of WhatsApp on Windows devices. It specifically looks for instances where a file is created by a process named "WhatsApp.exe" and the file has certain extensions (.pyz, .pyzw, or .php). These extensions are associated with scripting and web-related files, which could indicate suspicious activity.
The query is mapped to certain MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
-
T1059.007 - Command and Scripting Interpreter: JavaScript/JScript: The detection of files with extensions like .pyz and .pyzw suggests the creation of Python-related files, which might be used for scripting and automation.
-
T1105 - Ingress Tool Transfer: The creation of .php files could indicate the transfer of web shells or other malicious scripts onto the system.
-
T1071.001 - Application Layer Protocol: Web Protocols: The involvement of WhatsApp.exe in creating these files might suggest the use of web protocols for communication or data transfer.
In summary, this query is part of a near real-time detection system that identifies and isolates devices potentially at risk due to suspicious file creation activities associated with WhatsApp on Windows.
