← Back to SOC feed Coverage →

Query Usage To Exfil Data

sigma MEDIUM SigmaHQ
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects usage of “query.exe” a system binary to exfil information such as “sessions” and “processes” for later use

Detection Rule

Sigma (Original)

title: Query Usage To Exfil Data
id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
status: test
description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-01-19
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\query.exe'
        CommandLine|contains:
            - 'session >'
            - 'process >'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith ":\\Windows\\System32\\query.exe" and (TargetProcessCommandLine contains "session >" or TargetProcessCommandLine contains "process >")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml