Update FileExecutionWithOneCharacterInTheName.yaml

2023-04-26 09:46:48 +05:30 · 2023-04-26 09:46:48 +05:30 · e976f27d56
--- a/Queries/FileExecutionWithOneCharacterInTheName.yaml
+++ b/Queries/FileExecutionWithOneCharacterInTheName.yaml
@ -19,7 +19,7 @@ query: |
  | where CommandLine matches regex @'\\[a-zA-Z0-9]\.[a-zA-Z0-9]{2,5}["]{1}'
  | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'Description">' Description "<" * 'OriginalFileName">' OriginalFileName "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'IntegrityLevel">' IntegrityLevel "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
-  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), UserName = tostring(split(User, '\\', 1)[0])
+  | extend NTDomain = tostring(split(User, '\\', 0)[0]), UserName = tostring(split(User, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
  | extend Account_0_Name = UserName
  | extend Account_0_NTDomain = NTDomain