Showing posts from December, 2021

Microsoft Sentinel - Hunting for Single Character Filenames

Hackers, the good ones and the evil ones, are lazy. In the interest of fewer keystrokes they will use filenames with single characters (e.g. "f.exe" or "2.ps1"). So this short but sweet query will help you find potentially problematic executables:

```kql
// Allowlist of SHA1 hashes you have already vetted; replace the placeholder strings
let allowlist = datatable (DName:string) ['because you are going to have exceptions','Put em here'];
let allowarray = allowlist | summarize make_set(DName);
DeviceProcessEvents
// one character, a dot, then an executable/script extension (case-insensitive, prefix match)
| where FileName matches regex @'^.\.[eE][xX][eE]'
    or FileName matches regex @'^.\.[pP][sS][0-9]'
    or FileName matches regex @'^.\.[cC][mM][dD]'
    or FileName matches regex @'^.\.[cC][oO][mM]'
| where SHA1 !in (allowarray)
| project AccountName, DeviceName, SHA1, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessAccountUpn
```

I was reminded of this when reading this tweet from @GossiTheDog and @h2jazi, but please note that the above query will NOT de...
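To see exactly what those four regexes do and do not catch, here is an added Python re-implementation of the same filter run over a constructed batch of process events (example code, not from the original post). The field names mirror the DeviceProcessEvents columns the query projects; the SHA1 values and hostnames are made up.

```python
import re

# Same patterns as the Sentinel query: one leading character, a dot, then the
# extension prefix. Like the KQL they are anchored only at the start, so
# "1.exe.bak" matches while "ab.exe" and "notepad.exe" do not.
PATTERNS = [
    re.compile(r'^.\.[eE][xX][eE]'),
    re.compile(r'^.\.[pP][sS][0-9]'),
    re.compile(r'^.\.[cC][mM][dD]'),
    re.compile(r'^.\.[cC][oO][mM]'),
]

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"AccountName": "alice", "DeviceName": "WS01", "SHA1": "aaaa0001", "FileName": "f.exe"},
    {"AccountName": "bob",   "DeviceName": "WS02", "SHA1": "aaaa0002", "FileName": "2.ps1"},
    {"AccountName": "bob",   "DeviceName": "WS02", "SHA1": "aaaa0003", "FileName": "a.cmd"},
    {"AccountName": "carol", "DeviceName": "WS03", "SHA1": "aaaa0004", "FileName": "notepad.exe"},
    {"AccountName": "carol", "DeviceName": "WS03", "SHA1": "aaaa0005", "FileName": "1.exe.bak"},
    {"AccountName": "dave",  "DeviceName": "WS04", "SHA1": "aaaa0006", "FileName": "x.dll"},
    {"AccountName": "dave",  "DeviceName": "WS04", "SHA1": "aaaa0007", "FileName": "7.COM"},
]


def is_single_char_executable(filename):
    """True when the filename matches any of the query's four regexes."""
    return any(p.match(filename) for p in PATTERNS)


def hunt(events, allowlist_sha1):
    """Mirror the query: keep matching filenames whose SHA1 is not allowlisted."""
    allow = set(allowlist_sha1)
    return [
        e for e in events
        if is_single_char_executable(e["FileName"]) and e["SHA1"] not in allow
    ]


if __name__ == "__main__":
    # Constructed allowlist: a.cmd (aaaa0003) has been vetted and is suppressed.
    for hit in hunt(SAMPLE_EVENTS, {"aaaa0003"}):
        print(hit["DeviceName"], hit["AccountName"], hit["FileName"], hit["SHA1"])
```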