Malware infection often involves scripts, executables, and payloads designed to compromise systems, execute commands, or maintain persistence. These infections can lead to lateral movement, data theft, or further compromises within the network.
Below are 25 Example Queries for Malware Infection Detection:
Detect Suspicious PowerShell Commands (Encoded Commands)PowerShell-encoded commands often indicate obfuscation used in malware payloads.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "encodedCommand" | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system"| summarize count() by TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Note: The following is an example of how to decode PowerShell-encoded commands:
# Example encoded string
$EncodedCommand = "enter encoded string"
# Convert from Base64 to bytes
$Bytes = [System.Convert]::FromBase64String($EncodedCommand)
# Convert bytes to string (UTF-16 LE)
$DecodedCommand = [System.Text.Encoding]::Unicode.GetString($Bytes)
# Output the decoded command
Write-Output $DecodedCommand
Identify Execution of Suspicious EXEs from Temp DirectoriesMalware often resides in temp directories before execution.
DeviceProcessEvents | where FileName endswith ".exe" and FolderPath contains "Temp" | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" | where FileName !in~ ("DismHost.exe", "Update.exe") and FolderPath startswith "C:\\Windows\\Temp\\" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Track Use of MSHTA for Malicious Script ExecutionMSHTA is frequently abused to execute malicious scripts.
DeviceProcessEvents | where FileName == "mshta.exe" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Detect Rundll32 Execution of Malicious DLLsRundll32 is often used to execute malicious DLLs, a common malware technique.
DeviceProcessEvents | where FileName == "rundll32.exe" and ProcessCommandLine has ".dll" | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" and InitiatingProcessAccountName !="local service" and InitiatingProcessAccountName !="lokaler dienst" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Monitor Execution of Suspicious Scripting EnginesMalicious scripts may be executed via WScript or CScript.
DeviceProcessEvents | where FileName in ("wscript.exe", "cscript.exe") | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" and InitiatingProcessAccountName !="local service" and InitiatingProcessAccountName !="lokaler dienst" and InitiatingProcessAccountName !startswith "sys" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Track EXE File Downloads and Execution via CertUtilCertUtil is often abused to download malware payloads.
DeviceProcessEvents | where FileName == "certutil.exe" and ProcessCommandLine has "URL" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Identify the Use of LOLBins (Living Off the Land Binaries)Standard system binaries like bitsadmin and msiexec are often used in attacks.
DeviceProcessEvents | where FileName in ("bitsadmin.exe", "msiexec.exe") | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" and InitiatingProcessAccountName !="local service" and InitiatingProcessAccountName !="lokaler dienst" and InitiatingProcessAccountName !startswith "sys" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Detect Creation of Suspicious Scheduled TasksMalware often uses scheduled tasks for persistence.
DeviceProcessEvents | where FileName == "schtasks.exe" and ProcessCommandLine has "create" | where InitiatingProcessAccountName !="system" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Monitor PowerShell Script Downloads via Invoke-WebRequestInvoke-WebRequest is used to download malicious scripts from the internet.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Invoke-WebRequest" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Track Suspicious Use of Bitsadmin for File TransfersBitsadmin is sometimes leveraged to download or upload malicious files.
DeviceProcessEvents | where FileName == "bitsadmin.exe" and ProcessCommandLine has "transfer" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine
Detect New EXE Files in User DirectoriesNew EXE files appearing in user directories may indicate malware delivery.
DeviceFileEvents | where FileName endswith ".exe" and FolderPath contains "Users" | where InitiatingProcessAccountName != "system"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath
Monitor Process Spawning from Office ApplicationsMalicious macros in Office documents may spawn child processes.
DeviceProcessEvents | where InitiatingProcessFileName in ("winword.exe", "excel.exe", "powerpnt.exe")| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath
Detect the Use of Task Scheduler to Maintain PersistenceScheduled tasks can be created by malware to ensure persistence.
DeviceProcessEvents | where FileName == "schtasks.exe" and ProcessCommandLine has_any ("create", "add") | where InitiatingProcessAccountName != "system"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Identify Script Execution via CMD (Batch Scripts)CMD can be used to execute batch scripts in malware infections.
DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has_any (".bat", "start") | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName !startswith "svc-wc" and InitiatingProcessAccountName !startswith "sys_"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Track PowerShell Use of Bypass Execution PoliciesMalicious PowerShell scripts often bypass execution policies.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "-ExecutionPolicy Bypass" | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName !startswith "sys_" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Detect DLL Side-Loading or InjectionDLL injection or side-loading is used to execute malicious code within trusted processes.
DeviceProcessEvents | where FileName == "rundll32.exe" and ProcessCommandLine has ".dll" | where InitiatingProcessAccountName !="system" and InitiatingProcessAccountName != "lokaler dienst" and InitiatingProcessAccountName != "local service" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Monitor Unusual Use of MSBuild for Malware ExecutionMSBuild is sometimes leveraged to execute code or load malware.
DeviceProcessEvents | where FileName == "MSBuild.exe" | where InitiatingProcessAccountName !startswith "sys_" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Detect Use of Hidden Windows for Malware Persistence (explorer.exe)Malware can use hidden windows to hide its execution from the user.
DeviceProcessEvents | where FileName == "explorer.exe" and ProcessCommandLine has "hidden" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Monitor Suspicious Use of CMD for File DeletionMalware may delete files to cover its tracks using the "del" command.
DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has "del" | where InitiatingProcessAccountName != "system" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Track Use of Remote Desktop Protocol for Malicious AccessRDP is often used to access compromised systems remotely.
DeviceLogonEvents | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess" | where AccountName !startswith "sys_" | summarize count() by AccountName, DeviceName, RemoteIP, IsLocalAdmin, LogonType, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath
Detect Powershell Execution Using Uncommon FlagsMalicious scripts may use uncommon flags to bypass detection (e.g., -windowstyle hidden).
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "-windowstyle hidden" | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName != "network service"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Monitor the Use of VSSAdmin for Shadow Copy DeletionMalware (such as ransomware) may delete volume shadow copies to prevent recovery.
DeviceProcessEvents | where FileName == "vssadmin.exe" and ProcessCommandLine has "delete shadows" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
Identify Unusual Network Traffic from Newly Executed BinariesMalware often communicates with external C2 servers after execution.
DeviceNetworkEvents | where InitiatingProcessFileName endswith ".exe" and RemoteUrl != "" | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName != "network service" and InitiatingProcessAccountName != "lokaler dienst" and InitiatingProcessAccountName != "netzwerkdienst" | summarize count() by DeviceName, ActionType, RemoteIP, LocalIP, RemotePort, RemoteUrl, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessParentFileName
Detect Execution of Signed Binaries Used by AttackersAttackers may abuse trusted signed binaries for malicious purposes (e.g., regsvr32, msiexec).
DeviceProcessEvents | where FileName in ("regsvr32.exe", "msiexec.exe") | where InitiatingProcessAccountName != "system" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath, InitiatingProcessFolderPath
Monitor the Use of Certutil for Decoding Malicious PayloadsCertutil can be used to decode base64-encoded malicious payloads.
DeviceProcessEvents | where FileName == "certutil.exe" and ProcessCommandLine has "decode" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath, InitiatingProcessFolderPath