Detecting WafflesExploits Shellcode in Image Files.kql

SlimKQL · Feb 16, 2025 · c67b2e8 · c67b2e8
1 parent 9da4733
commit c67b2e8
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/DefenderXDR/Detecting WafflesExploits Shellcode in Image Files.kql b/DefenderXDR/Detecting WafflesExploits Shellcode in Image Files.kql
@@ -0,0 +1,12 @@
+// Detecting WafflesExploits Shellcode in Image Files
+// https://wafflesexploits.github.io/posts/Hide_a_Payload_in_Plain_Sight_Embedding_Shellcode_in_a_Image_file/
+
+let ImageExtension = dynamic([".apng", ".png", ".avif", ".gif", ".jpg", ".jpeg", ".jfif", ".pjpeg", ".pjp", ".png", ".svg", ".webp", ".bmp", ".tif", ".tiff"]);
+let CPPId = dynamic(["Microsoft Visual C++"]);
+let WhiteListedFileName = dynamic(["logo.png","vcredist.bmp","watermark.bmp","header.bmp","SplashScreen.bmp"]);
+DeviceFileEvents
+| where InitiatingProcessVersionInfoFileDescription has_any(CPPId)
+| where ActionType == @"FileCreated"
+| where FileName has_any(ImageExtension)
+| where not(FileName has_any(WhiteListedFileName))
+