Suspicious Explorer Child Process
Query
let Parameters = dynamic(['http', 'https', 'Encoded', 'EncodedCommand', '-e', '-eC', '-enc', "-w", "://"]);
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'csscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "explorer.exe" or InitiatingProcessVersionInfoOriginalFileName =~ "explorer.exe"
| where FileName in~ (SuspiciousChildProcesses) or ProcessVersionInfoOriginalFileName in~ (SuspiciousChildProcesses)
| where ProcessCommandLine has_any (Parameters)
| project-reorder Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileNameAbout this query
Explanation
This query is designed to detect potentially malicious activity on a computer system by monitoring processes initiated by Windows Explorer (explorer.exe). It specifically looks for suspicious child processes that are commonly used to execute or install commands, which could indicate malware activity.
Here's a simple breakdown of what the query does:
-
Suspicious Child Processes: The query identifies child processes of
explorer.exethat are known to be used for executing scripts or commands. These includecmd.exe,powershell.exe,bash.exe, and others. -
Suspicious Parameters: It checks if the command line of these child processes contains certain suspicious parameters, such as
http,https,Encoded,-e,-enc, and others. These parameters are often used in malicious scripts or commands. -
Filtering and Output: The query filters the events to find matches and then organizes the output to show the timestamp, device name, command line of the process, command line of the initiating process, user account, and the original file name of the process.
The goal of this query is to help security teams identify and investigate potentially harmful activities that could lead to malware installation or other security breaches. It is important to adjust the list of browsers or processes according to the specific environment to reduce false positives.
