A malicious BAT file written under the Oracle Java SE program folder may be used to execute payloads as part of a ZLoader delivery campaign, indicating a potential initial compromise. SOC teams should proactively hunt for .bat files appearing in this location in Azure Sentinel to identify and mitigate early-stage adversary activity associated with this known campaign.
KQL Query

```kql
DeviceFileEvents
| where FileName endswith '.bat'
  and FolderPath has @'Program Files (x86)\Sun Technology Network\Oracle Java SE'
```
```yaml
id: c903138d-b948-4975-a660-57495b3f8754
name: Malicious bat file
description: |
  ZLoader was delivered in a campaign in late summer 2021. This campaign was tweeted by @MsftSecIntel on Twitter.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - InitialAccess
query: |
  DeviceFileEvents
  | where FileName endswith '.bat'
    and FolderPath has @'Program Files (x86)\Sun Technology Network\Oracle Java SE'
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Benign scenarios that can produce legitimate .bat activity, with a suggested filter or exclusion for each:

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate .bat file performs routine system maintenance, such as disk cleanup or log rotation. | `process.parent_process == "Task Scheduler" or process.name == "schtasks.exe"` |
| Admin Script for Patch Management | A system administrator uses a .bat script to automate patch installation or software updates. | `process.user == "Administrator" and (process.command_line contains "patch" or process.command_line contains "update")` |
| PowerShell Integration with Batch File | A .bat file invokes PowerShell scripts for configuration management or system monitoring. | `process.parent_process == "powershell.exe" or process.command_line contains "powershell"` |
| Legacy Application Compatibility Check | A .bat file checks the compatibility of legacy applications before deployment. | `process.command_line contains "compatibility check" or process.command_line contains "legacy app"` |
| User-Initiated Script for Data Backup | A user runs a .bat script to back up data to an external drive or cloud storage. | `process.user == "user_account" and (process.command_line contains "backup" or process.command_line contains "copy")` |

The exclusions are written against generic `process.*` fields; before adding them to the query, map them to the DeviceFileEvents columns that describe the writing process (InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine).
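An added hunting query (not part of the original rule) that keeps the rule's file-drop condition, joins any cmd.exe launch of a .bat from that folder on the same device shortly afterwards, and applies the exclusions above using DeviceFileEvents and DeviceProcessEvents schema columns. The one-hour window, the benign-writer list and the Administrator keyword exclusion are assumptions chosen for illustration.

```kql
// Added example: correlate the .bat drop with its execution and suppress the
// benign scenarios listed above. Window, writer list and keywords are assumptions.
let lookback = 7d;
let exec_window = 1h;                      // assumed: drop-to-execution gap worth correlating
let java_path = @'Program Files (x86)\Sun Technology Network\Oracle Java SE';
// Scheduled-task and PowerShell-driven writes (scenarios 1 and 3), assumed benign here.
let benign_writers = dynamic(['schtasks.exe', 'powershell.exe']);
let dropped = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ('FileCreated', 'FileModified', 'FileRenamed')
    | where FileName endswith '.bat'
    | where FolderPath has java_path
    | where InitiatingProcessFileName !in~ (benign_writers)
    // Scenario 2: an Administrator account running patch/update tooling.
    | where not(InitiatingProcessAccountName =~ 'Administrator'
                and InitiatingProcessCommandLine has_any ('patch', 'update'))
    | project DropTime = Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256,
              Writer = InitiatingProcessFileName, WriterCmd = InitiatingProcessCommandLine,
              WriterAccount = InitiatingProcessAccountName;
// Batch files run under cmd.exe; the script path shows up in the command line.
let executed = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ 'cmd.exe'
    | where ProcessCommandLine has java_path and ProcessCommandLine contains '.bat'
    | project ExecTime = Timestamp, DeviceId, ExecCmd = ProcessCommandLine,
              ExecAccount = AccountName, ExecParent = InitiatingProcessFileName;
dropped
| join kind=leftouter executed on DeviceId
// Keep drops with no execution seen (still worth triage) and drops executed within the window.
| where isnull(ExecTime) or ExecTime between (DropTime .. (DropTime + exec_window))
| extend Executed = isnotnull(ExecTime)
| project-away DeviceId1
| order by Executed desc, DropTime desc
```

Rows with `Executed == true` show the drop and the launch side by side, which is the case to triage first; rows without an execution still indicate an unexpected write into the Java SE folder.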