From 76f1df9d3fa7a88afbf2301e6f6a50a812a33ace Mon Sep 17 00:00:00 2001
From: Tommy Tri <167770340+tommytri@users.noreply.github.com>
Date: Sat, 14 Jun 2025 12:32:42 +0700
Subject: [PATCH 1/2] Create Suspicious VHD driver loading activities add suspicious vhd driver (detect phishing/malware via VHD files)
---
 .../Suspicious VHD driver loading activities | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 DefenderXDR/Suspicious VHD driver loading activities
diff --git a/DefenderXDR/Suspicious VHD driver loading activities b/DefenderXDR/Suspicious VHD driver loading activities
new file mode 100644
index 0000000..3b3d579
--- /dev/null
+++ b/DefenderXDR/Suspicious VHD driver loading activities
@@ -0,0 +1,17 @@
+// Update your monitored applications and your filter to match with your organization's businesses
+let monitoredApplications = dynamic(["outlook.exe", "firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "coccoc.exe", "brave.exe", "chromium.exe","discord.exe", "viber.exe", "zalo.exe", "line.exe", "telegram.exe"]);
+let fileCreationEvents = DeviceFileEvents
+ | where FileName endswith ".img" or FileName endswith ".iso" or FileName endswith ".vhd"
+ | where InitiatingProcessFileName in (monitoredApplications)
+ | project DeviceId, DeviceName, InitiatingProcessFileName,ActionType, FileCreationTimeName=FileName, FileCreationTimestamp=Timestamp,ReportId;
+let driverLoadEvents = DeviceEvents
+ | where ActionType == "DriverLoad"
+ | where FileName in ("cdfs.sys", "fsdepends.sys", "vhdmp.sys")
+ | project DeviceId, DeviceName, ActionType, DriverLoadFileName=FileName, DriverLoadTimestamp=Timestamp;
+fileCreationEvents
+ | join kind=inner (
+ driverLoadEvents
+ ) on DeviceId
+ | where DriverLoadTimestamp > FileCreationTimestamp and DriverLoadTimestamp <= FileCreationTimestamp + 30m
+ | project DeviceId, DeviceName, InitiatingProcessFileName,FileCreationTimestamp, FileCreationTimeName, DriverLoadTimestamp, DriverLoadFileName, ReportId
+ | extend Timestamp=FileCreationTimestamp
From 0b8810931ccdc5b9302a0b3f23fb3663e1866d85 Mon Sep 17 00:00:00 2001
From: Tommy Tri <167770340+tommytri@users.noreply.github.com>
Date: Sat, 14 Jun 2025 12:41:12 +0700
Subject: [PATCH 2/2] Rename Suspicious VHD driver loading activities to Suspicious VHD driver loading activities.kql rename to highlight
---
 ...ng activities => Suspicious VHD driver loading activities.kql} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename DefenderXDR/{Suspicious VHD driver loading activities => Suspicious VHD driver loading activities.kql} (100%)
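Review bot: The process filter `| where InitiatingProcessFileName in (monitoredApplications)` uses KQL's `in`, which is case-sensitive, so a process reported with its on-disk casing (Outlook is commonly logged as `OUTLOOK.EXE`) never matches the lowercase `outlook.exe` in the list and the query silently misses the mail-client case it is mostly aimed at; the same applies to `| where FileName in ("cdfs.sys", "fsdepends.sys", "vhdmp.sys")`, and both should use `in~`. The extension filter also stops at `.vhd` although vhdmp.sys is, as far as I know, the same driver behind VHDX mounts, so `.vhdx` attachments are dropped by a rule whose title claims to cover VHD activity: `| where FileName endswith ".img" or FileName endswith ".iso" or FileName endswith ".vhd" or FileName endswith ".vhdx"`. Finally, joining on `DeviceId` alone pairs every matching file event with every driver load on that device before the 30m window is applied, which is correct but can be expensive on busy tenants; restricting both `let` tables to the same lookback (for example `| where Timestamp > ago(1d)`) before the join keeps it cheap without changing results within that window.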
diff --git a/DefenderXDR/Suspicious VHD driver loading activities b/DefenderXDR/Suspicious VHD driver loading activities.kql
similarity index 100%
rename from DefenderXDR/Suspicious VHD driver loading activities
rename to DefenderXDR/Suspicious VHD driver loading activities.kql