Defender-DeviceFileEvents

5 ActionTypes

ActionType	Title
any	File activity (any)
FileCreated	File created
FileModified	File modified
FileDeleted	File deleted
FileRenamed	File renamed

any: File activity (any)

Table: DeviceFileEvents

Description

File activity (any)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ActionType`
`FileName`
`FolderPath`
`SHA256`
`FileSize`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`
`InitiatingProcessAccountName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`.bat`	1 rule	elastic, kusto, sigma
`CommandLine`	contains	`accepteula`	1 rule	kusto, sigma, splunk
`SourceSeverity`	eq	`High`	1 rule	kusto
`file_name`	ends_with	`.exe`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Remote File Creation with PsExec source high: This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. Ryuk operators use PsExec to manually spread the ransomware to other devices. The following query detects remote file creation events that might indicate an active attack. The See also section below lists links to other queries associated with Ryuk ransomware. References: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ https://docs.microsoft.com/sysinternals/downloads/psexec
SUNBURST and SUPERNOVA backdoor hashes source high: Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
VTI - High Severity SHA1 Collision Detection source high: This will alert when a collision is detected for DeviceFileEvents events with VTI high severity SHA1 IoCs

Show 1 more (4 total)

Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/

FileCreated: File created

Table: DeviceFileEvents

Description

File created

Fields #

Name	Description	Rules
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`		1 detection rule
`SHA256`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`FileCreated`	4 rules	kusto
`EventType`	eq	`ProcessCreated`	2 rules	kusto
`EventType`	in	`FileCreated`	1 rule	kusto
`EventType`	in	`FileModified`	1 rule	kusto
`EventType`	in	`FileRenamed`	1 rule	kusto
`file_name`	contains	`.bat`	1 rule	kusto
`file_name`	contains	`.cmd`	1 rule	kusto
`file_name`	contains	`.com`	1 rule	kusto
`file_name`	contains	`.cpl`	1 rule	kusto
`file_name`	contains	`.dll`	1 rule	kusto
`file_name`	contains	`.exe`	1 rule	kusto
`file_name`	contains	`.vbs`	1 rule	kusto
`file_name`	ends_with	`.dll`	1 rule	kusto, splunk
`file_name`	ends_with	`.exe`	1 rule	kusto
`parent_process_name`	eq	`customscripthandler.exe`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

PE file dropped in Color Profile Folder source medium: This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Dev-0530 File Extension Rename source high: Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.
Files Copied to USB Drives source high: This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.

Show 4 more (7 total)

Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.
Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW).↳ also matches FileRenamed: File renamed
WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches FileModified: File modified, FileRenamed: File renamed
Detect executable drops via Azure custom script extension source: This detection rule flags when the Custom Script extension service on a machine is dropping executable files. This might indicate that an actor is trying to drop malware or beacons via a compromised cloud admin account. In the most legitimate cases administrators are pushing only PowerShell or Shell scripts, although these can also contain malicious content. Be aware of this gap in the below detection rule.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/

FileModified: File modified

Table: DeviceFileEvents

Description

File modified. Sysmon-2 fires on FileCreateTime change specifically; Defender's FileModified is broader. Approximate bridge.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA256`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`FileCreated`	1 rule	kusto
`EventType`	in	`FileModified`	1 rule	kusto
`EventType`	in	`FileRenamed`	1 rule	kusto
`parent_process_name`	eq	`wsmprovhost.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches FileCreated: File created, FileRenamed: File renamed

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/

FileDeleted: File deleted

Table: DeviceFileEvents

Description

File deleted

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/

FileRenamed: File renamed

Table: DeviceFileEvents

Description

File renamed. No clean Windows-native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`PreviousFileName`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`FileCreated`	1 rule	kusto
`EventType`	in	`FileModified`	1 rule	kusto
`EventType`	in	`FileRenamed`	1 rule	kusto
`parent_process_name`	eq	`wsmprovhost.exe`	1 rule	elastic, kusto, splunk
`parent_process_name`	in	`excel.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`outlook.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`powerpnt.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`winword.exe`	1 rule	kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

ASR Bypassing Writing Executable Content source medium: The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files. (e.g. ps1, .js, .vbs).
Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW).↳ also matches FileCreated: File created
WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches FileCreated: File created, FileModified: File modified

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicefileevents/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Defender-DeviceFileEvents

any: File activity (any)

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

FileCreated: File created

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

FileModified: File modified

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

FileDeleted: File deleted

Description

Fields #

References #

FileRenamed: File renamed

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

Keyboard shortcuts

Search operators