Identifying Split or Part Archive File Transfers

Split or multi-volume archives (a large archive written as a sequence of numbered parts) are a common artefact of data being staged for exfiltration, so finding them in endpoint file telemetry is a useful hunting signal. The following KQL query runs against the DeviceFileEvents table in Microsoft Sentinel (Defender for Endpoint file telemetry) and discovers split or part archive files based on their naming patterns:

// Term list for has_any. KQL's has_any matches whole terms (text split on non-alphanumeric
// characters); it does not treat '*' as a wildcard, so glob entries such as "*.part*" never match.
// The regex below carries most of the detection; this list only adds common volume-name terms.
let SplitArchivePatterns = dynamic(["part1", "part01", "part001", "z01", "r00", "r01"]);
// Query the DeviceFileEvents table
DeviceFileEvents
| extend FileExtension = tolower(split(FileName, ".")[-1]) // last dot-separated token, lower-cased
// (?i) makes the match case-insensitive; matches regex is case-sensitive by default
| where FileName matches regex @"(?i)\.(part[0-9]+|(zip|rar|7z|tar|gz|z)\.[0-9]+|z[0-9]{2}|r[0-9]{2})$"
      or FileName has_any (SplitArchivePatterns) // naming conventions or the term list
| summarize
    TotalFiles = count(),
    UniqueDevices = dcount(DeviceName),
    UniqueUsers = dcount(RequestAccountName),
    FileSizeSum = sum(FileSize)
    by FileName, FolderPath, FileExtension, bin(Timestamp, 1h)
| order by TotalFiles desc
| project Timestamp, FileName, FolderPath, FileExtension, TotalFiles, UniqueDevices, UniqueUsers, FileSizeSum

Explanation:

  1. Patterns for Split/Part Files:

    • SplitArchivePatterns: Defines patterns that identify split or part archive files, such as .part1, .zip.001, .rar.002, .z.003, etc.

    • Uses matches regex and has_any for flexible pattern matching.

  2. File Extension Extraction:

    • Extracts the file extension from the FileName field using split() and converts it to lowercase for case-insensitive comparison.

  3. Filters:

    • Filters the FileName field to match naming conventions for split or part archive files using matches regex or the predefined pattern list.

  4. Aggregation:

    • Summarises:

      • TotalFiles: Number of files matching the pattern.

      • UniqueDevices: Number of unique devices involved.

      • UniqueUsers: Number of distinct users associated with the files.

      • FileSizeSum: Sum of file sizes for the detected files.

  5. Time Binning:

    • Groups results into 1-hour intervals using bin(Timestamp, 1h) for temporal analysis.

  6. Results:

    • Displays key fields such as Timestamp, FileName, FolderPath, FileExtension, TotalFiles, UniqueDevices, UniqueUsers, and FileSizeSum.
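The same detection logic, written in Python so it can be run offline against a handful of constructed rows shaped like DeviceFileEvents columns. This is an added example, not code from the original page: it reproduces the regex, extension extraction, 1-hour binning and summarize/order stages of the query, adds the optional time-range filter from the Customisation section as start/end parameters, and goes one step further with a part_sequences() check that looks for several numbered volumes of the same base name on one device within an hour, which is a much stronger indicator than a single matching file. The extra naming conventions (7-Zip .7z.001, WinZip .z01, legacy RAR .r00) and all sample data are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Mirrors the query's regex: a numbered volume suffix at the end of the file name, matched
# case-insensitively. The 7z/.z01/.r00 branches are assumed conventions added for this example.
SPLIT_ARCHIVE_RE = re.compile(
    r"\.(part\d+|(?:zip|rar|7z|tar|gz|z)\.\d+|z\d{2}|r\d{2})$", re.IGNORECASE
)

# Constructed sample rows (not real telemetry) using DeviceFileEvents column names.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T09:03:10", "DeviceName": "ws-finance-01", "RequestAccountName": "jdoe",
     "FileName": "q1_ledger.zip.001", "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp", "FileSize": 104857600},
    {"Timestamp": "2024-05-01T09:03:11", "DeviceName": "ws-finance-01", "RequestAccountName": "jdoe",
     "FileName": "q1_ledger.zip.001", "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp", "FileSize": 104857600},
    {"Timestamp": "2024-05-01T09:03:14", "DeviceName": "ws-finance-01", "RequestAccountName": "jdoe",
     "FileName": "q1_ledger.zip.002", "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp", "FileSize": 104857600},
    {"Timestamp": "2024-05-01T09:03:17", "DeviceName": "ws-finance-01", "RequestAccountName": "jdoe",
     "FileName": "q1_ledger.zip.003", "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp", "FileSize": 52428800},
    {"Timestamp": "2024-05-01T09:40:02", "DeviceName": "ws-eng-07", "RequestAccountName": "asmith",
     "FileName": "Report_001.docx", "FolderPath": r"C:\Users\asmith\Documents", "FileSize": 20480},
    {"Timestamp": "2024-05-01T10:12:30", "DeviceName": "srv-build-02", "RequestAccountName": "svc_build",
     "FileName": "toolchain.tar.gz", "FolderPath": r"D:\builds", "FileSize": 734003200},
    {"Timestamp": "2024-05-01T11:05:00", "DeviceName": "ws-eng-07", "RequestAccountName": "asmith",
     "FileName": "DESIGNS.PART1", "FolderPath": r"C:\Users\asmith\Downloads", "FileSize": 1048576},
]


def is_split_archive(file_name: str) -> bool:
    """True when the name ends with a split/part archive volume suffix."""
    return SPLIT_ARCHIVE_RE.search(file_name) is not None


def file_extension(file_name: str) -> str:
    """Same result as tolower(split(FileName, ".")[-1]) in the query."""
    return file_name.rsplit(".", 1)[-1].lower()


def bin_hour(ts: str) -> datetime:
    """bin(Timestamp, 1h): truncate an ISO-8601 timestamp to the hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def summarize(events, start=None, end=None):
    """Replicates the summarize / order by / project stages of the query.
    start and end (datetime or None) implement the optional 'where Timestamp between' filter."""
    groups = defaultdict(lambda: {"TotalFiles": 0, "Devices": set(), "Users": set(), "FileSizeSum": 0})
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"])
        if (start and ts < start) or (end and ts > end):
            continue
        if not is_split_archive(ev["FileName"]):
            continue
        key = (bin_hour(ev["Timestamp"]), ev["FileName"], ev["FolderPath"], file_extension(ev["FileName"]))
        g = groups[key]
        g["TotalFiles"] += 1
        g["Devices"].add(ev["DeviceName"])
        g["Users"].add(ev["RequestAccountName"])
        g["FileSizeSum"] += ev["FileSize"]
    rows = [
        {"Timestamp": k[0], "FileName": k[1], "FolderPath": k[2], "FileExtension": k[3],
         "TotalFiles": g["TotalFiles"], "UniqueDevices": len(g["Devices"]),
         "UniqueUsers": len(g["Users"]), "FileSizeSum": g["FileSizeSum"]}
        for k, g in groups.items()
    ]
    rows.sort(key=lambda r: r["TotalFiles"], reverse=True)  # order by TotalFiles desc
    return rows


def part_sequences(events, min_parts=3):
    """Stronger signal than a lone match: the same base name seen with at least min_parts
    distinct volume numbers on one device within one hour (e.g. x.zip.001 .. x.zip.003)."""
    seen = defaultdict(set)
    for ev in events:
        m = SPLIT_ARCHIVE_RE.search(ev["FileName"])
        if not m:
            continue
        base = ev["FileName"][: m.start()].lower()          # name without the volume suffix
        number = int(re.search(r"\d+$", m.group(1)).group())  # trailing digits of the suffix
        seen[(ev["DeviceName"], bin_hour(ev["Timestamp"]), base)].add(number)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_parts}


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
    for (device, hour, base), parts in part_sequences(SAMPLE_EVENTS).items():
        print(f"{device} {hour:%Y-%m-%d %H:00}: {base} volumes {parts}")
```

On the sample data, Report_001.docx and toolchain.tar.gz are correctly left out (a trailing numeric token or a plain .tar.gz is not a volume suffix), and the three q1_ledger.zip.00N volumes written on ws-finance-01 within the same hour surface as a sequence, which is the row an analyst would triage first.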

Customisation:

  • Patterns:

    • Add or modify patterns in SplitArchivePatterns to align with your organisation's requirements.

  • Time Filtering:

    • Add a specific time range filter, e.g., | where Timestamp between (startTime .. endTime).

  • Additional Fields:

    • Include fields like UserPrincipalName, SourceIP, or DestinationIP for more context.

This query can help detect potentially suspicious activity related to split or part archive files in your environment.
