kqlHunting

Executables in AppData Local / Roaming

Execution from the user's AppData folders remains a common TTP despite the many other user-writable, executable paths in Windows. As written, the query below only matches the Roaming folder; add a second `contains "\\appdata\\local\\"` clause if you want to cover AppData\Local as well.

Detection Query

// Execution from AppData\Roaming remains a common TTP despite the many other user-writable,
// executable paths in Windows.
// Once hunted, consider AaronLocker, an AppLocker deployment strategy, to block execution from these paths.
// Note: this query keys on the InitiatingProcess* columns, so it returns AppData\Roaming binaries
// that spawned a child process; ProcessCommandLine is the child's command line. To also catch such
// binaries at launch time, run the same filter against FolderPath and FileName.
let suspiciousExtensions = dynamic([".exe",".ps1",".msi",".bat",".scr",".cmd",".inf",".cab",".iso",".dll",".hta",".jar",".msc",".msix",".docm",".xlsm",".pif",".ppa",".reg",".scf",".sct",".sys",".vb",".vbe",".vbs",".wsh",".psm1",".py",".js"]);
DeviceProcessEvents
| where InitiatingProcessFolderPath contains "\\appdata\\roaming\\"
| where InitiatingProcessFileName has_any (suspiciousExtensions)
| summarize by InitiatingProcessVersionInfoProductName, InitiatingProcessFileName, InitiatingProcessFolderPath, DeviceName, AccountName, ProcessCommandLine
// Not a comprehensive list: add further executable types, and filter out known-good products (InitiatingProcessVersionInfoProductName) as appropriate.
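The same filter and summarize logic, re-implemented offline in Python over a handful of constructed DeviceProcessEvents rows so you can check what the hunt returns before pasting it into Advanced Hunting. This is an added example, not the kqlHunting query or any Microsoft code. It goes slightly beyond the KQL above: it hunts both AppData\Roaming and AppData\Local, matches the file extension exactly (rather than the term match that `has_any` performs), and takes an optional allowlist of known-good product names as the "filter out as appropriate" step. The sample events, device names and account names are invented.

```python
"""Offline model of the AppData executable hunt over constructed sample events."""
import ntpath
from collections import Counter

# Same extension list as the KQL query, lower-cased for case-insensitive matching.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".ps1", ".msi", ".bat", ".scr", ".cmd", ".inf", ".cab", ".iso", ".dll",
    ".hta", ".jar", ".msc", ".msix", ".docm", ".xlsm", ".pif", ".ppa", ".reg", ".scf",
    ".sct", ".sys", ".vb", ".vbe", ".vbs", ".wsh", ".psm1", ".py", ".js",
}

# Folders to hunt (substring match, like KQL `contains`). The query on this page only
# covers Roaming; Local is added here as a generalization since it is just as user-writable.
HUNTED_FOLDERS = ("\\appdata\\roaming\\", "\\appdata\\local\\")

# Columns used by the `summarize by` step of the original query.
SUMMARIZE_COLUMNS = (
    "InitiatingProcessVersionInfoProductName", "InitiatingProcessFileName",
    "InitiatingProcessFolderPath", "DeviceName", "AccountName", "ProcessCommandLine",
)

def _event(product, file_name, folder, device, account, cmdline):
    return dict(zip(SUMMARIZE_COLUMNS, (product, file_name, folder, device, account, cmdline)))

# Constructed sample telemetry (not real data). Each row is a child process whose
# parent (the InitiatingProcess) is the file named here.
SAMPLE_EVENTS = [
    # 0: unsigned updater in Roaming spawning cmd.exe: should be returned
    _event("", "update.exe", r"C:\Users\alice\AppData\Roaming\Updater\update.exe",
           "ws01", "alice", "cmd.exe /c whoami"),
    # 1: legitimate per-user app install in Local: returned unless allowlisted
    _event("Microsoft Teams", "Teams.exe",
           r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
           "ws01", "alice", "Teams.exe --type=renderer"),
    # 2: duplicate of row 0: summarize collapses it into the same result row
    _event("", "update.exe", r"C:\Users\alice\AppData\Roaming\Updater\update.exe",
           "ws01", "alice", "cmd.exe /c whoami"),
    # 3: data file under Roaming, not an executable extension: filtered out
    _event("", "notes.txt", r"C:\Users\bob\AppData\Roaming\Notes\notes.txt",
           "ws02", "bob", "notepad.exe notes.txt"),
    # 4: ".exe" appears mid-name but the real extension is .log: exact matching drops it
    _event("", "report.exe.log", r"C:\Users\bob\AppData\Roaming\Tool\report.exe.log",
           "ws02", "bob", "cmd.exe /c type report.exe.log"),
    # 5: system binary outside AppData: out of scope
    _event("Microsoft Windows", "svchost.exe", r"C:\Windows\System32\svchost.exe",
           "ws02", "SYSTEM", "svchost.exe -k netsvcs"),
]

def extension_of(file_name: str) -> str:
    """Lower-cased final extension, e.g. 'Update.EXE' -> '.exe'."""
    return ntpath.splitext(file_name)[1].lower()

def is_hunted(event: dict, folders=HUNTED_FOLDERS, extensions=SUSPICIOUS_EXTENSIONS) -> bool:
    """Equivalent of the two `where` clauses: hunted folder AND suspicious extension."""
    folder = event.get("InitiatingProcessFolderPath", "").lower()
    if not any(f in folder for f in folders):
        return False
    return extension_of(event.get("InitiatingProcessFileName", "")) in extensions

def hunt(events, known_good_products=frozenset()) -> Counter:
    """Equivalent of `summarize count() by <SUMMARIZE_COLUMNS>` after filtering.

    known_good_products is the tuning step: product names whose rows are dropped.
    Returns a Counter keyed by the distinct column tuple, valued by hit count.
    """
    rows = Counter()
    for ev in events:
        if not is_hunted(ev):
            continue
        if ev.get("InitiatingProcessVersionInfoProductName") in known_good_products:
            continue
        rows[tuple(ev.get(c, "") for c in SUMMARIZE_COLUMNS)] += 1
    return rows

if __name__ == "__main__":
    for key, n in hunt(SAMPLE_EVENTS, known_good_products={"Microsoft Teams"}).items():
        print(n, *key, sep=" | ")
```

Run it as a script to see the surviving rows; the result is just the `update.exe` parent from Roaming once the Teams rows are allowlisted. The exact-extension check is deliberately stricter than `has_any`: if you rely on it in KQL, mirror it with `tolower(InitiatingProcessFileName) endswith` clauses, or accept the extra hits and tune them out.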

Data Sources

DeviceProcessEvents

Platforms

windows

Tags

defender