Exposing Suspicious Scripting via CrushFTP with Uncoder AI in Microsoft Defender

May 01, 2025 · 3 min read

File transfer services like CrushFTP are critical for business operations, but they can also be leveraged as stealthy launchpads for post-exploitation activity. A file transfer service has no routine reason to start a shell, so when a server process such as crushftpservice.exe spawns a command-line interpreter like powershell.exe, cmd.exe, or bash.exe, it may signal that an attacker is executing commands or deploying payloads through the service under the radar.

In Microsoft Defender for Endpoint, such activity can be captured with a Kusto Query Language (KQL) query over process creation telemetry. But dissecting the rule logic takes time, especially when multiple process paths, regex anchors, and alternative field names are involved.

With Uncoder AI’s Short Summary, analysts no longer need to interpret each condition manually. Instead, they get a clear, immediate explanation.

Uncoder AI Speeds Up KQL Analysis for Suspicious CrushFTP Activity


Detection Logic Overview

The KQL detection rule triggers when:

  • A process creation event (the DeviceProcessEvents table) is recorded where the initiating (parent) process folder path ends with crushftpservice.exe.

  • The new child process’s folder path ends with one of the following scripting or command-line binaries:

    • bash.exe

    • cmd.exe

    • cscript.exe

    • mshta.exe

    • powershell.exe

    • powershell_ise.exe

    • pwsh.exe

    • sh.exe

    • wscript.exe

Each of these executables is commonly abused in post-compromise scenarios to gain shell access, execute scripts, or launch malware. Because the rule keys only on the parent and child image names, a hit should be validated against the child's command line and the account the CrushFTP service runs under before escalation; legitimate administrative automation launched by the service would match the same way.

Input we used (the rule as fed to Uncoder AI; it is expressed with regex conditions on ParentBaseFileName, ImageFileName and ApplicationName, and the child is matched by either the image path or the application path):

(ParentBaseFileName=/crushftpservice\.exe$/i ((ImageFileName=/\\bash\.exe$/i or ImageFileName=/\\cmd\.exe$/i or ImageFileName=/\\cscript\.exe$/i or ImageFileName=/\\mshta\.exe$/i or ImageFileName=/\\powershell\.exe$/i or ImageFileName=/\\powershell_ise\.exe$/i or ImageFileName=/\\pwsh\.exe$/i or ImageFileName=/\\sh\.exe$/i or ImageFileName=/\\wscript\.exe$/i) or (ApplicationName=/\\bash\.exe$/i or ApplicationName=/\\cmd\.exe$/i or ApplicationName=/\\cscript\.exe$/i or ApplicationName=/\\mshta\.exe$/i or ApplicationName=/\\powershell\.exe$/i or ApplicationName=/\\powershell_ise\.exe$/i or ApplicationName=/\\pwsh\.exe$/i or ApplicationName=/\\sh\.exe$/i or ApplicationName=/\\wscript\.exe$/i)))
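To make the rule's behaviour concrete, here is an added example (not code from the original post or from SOC Prime) that re-implements the same parent/child conditions in Python and runs them over a handful of constructed process events. It mirrors the regex logic above: the parent is matched on its base file name, and the child is matched on either ImageFileName or ApplicationName, requiring a backslash immediately before the interpreter name so that a look-alike such as notcmd.exe does not trigger. The sample events, the Java child process and the notcmd.exe path are all assumptions constructed for illustration.

```python
import re

# Interpreter / scripting-engine names from the rule. Each pattern requires a
# path separator right before the name, exactly as the rule's /\\cmd\.exe$/i does,
# so "C:\Tools\notcmd.exe" is not mistaken for cmd.exe.
INTERPRETERS = (
    "bash.exe", "cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "powershell_ise.exe", "pwsh.exe", "sh.exe", "wscript.exe",
)
CHILD_PATTERNS = [
    re.compile(r"\\" + re.escape(name) + r"$", re.IGNORECASE) for name in INTERPRETERS
]

# The parent condition works on a base file name, so no separator is required.
PARENT_PATTERN = re.compile(r"crushftpservice\.exe$", re.IGNORECASE)


def is_suspicious(event: dict) -> bool:
    """True when a CrushFTP service process spawned one of the interpreters.

    Mirrors the rule: ParentBaseFileName must match, and either ImageFileName
    or ApplicationName must end with "\\<interpreter>" (case-insensitive).
    """
    if not PARENT_PATTERN.search(event.get("ParentBaseFileName", "")):
        return False
    candidates = (event.get("ImageFileName", ""), event.get("ApplicationName", ""))
    return any(pat.search(path) for pat in CHILD_PATTERNS for path in candidates)


def find_matches(events):
    """Return the subset of events the rule would flag."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry). Field names follow the rule's input.
SAMPLE_EVENTS = [
    # 0: classic shell spawn, matched via ImageFileName
    {"ParentBaseFileName": "crushftpservice.exe",
     "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 1: mixed-case parent and PowerShell 7 child, still matched (case-insensitive)
    {"ParentBaseFileName": "CrushFTPService.exe",
     "ImageFileName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -enc AAAA"},
    # 2: the service starting its Java runtime is normal and not an interpreter
    {"ParentBaseFileName": "crushftpservice.exe",
     "ImageFileName": r"C:\Program Files\CrushFTP\Java\bin\java.exe"},
    # 3: same child binary but a different parent, outside the rule's scope
    {"ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"C:\Windows\System32\cmd.exe"},
    # 4: look-alike name; the backslash anchor keeps this from matching
    {"ParentBaseFileName": "crushftpservice.exe",
     "ImageFileName": r"C:\Tools\notcmd.exe"},
    # 5: image path missing, but ApplicationName carries the interpreter path
    {"ParentBaseFileName": "crushftpservice.exe",
     "ImageFileName": "",
     "ApplicationName": r"C:\Windows\System32\wscript.exe"},
]

# Equivalent Defender for Endpoint KQL over the DeviceProcessEvents schema
# (InitiatingProcessFileName and FileName are standard columns of that table):
#   DeviceProcessEvents
#   | where InitiatingProcessFileName =~ "crushftpservice.exe"
#   | where FileName in~ ("bash.exe", "cmd.exe", "cscript.exe", "mshta.exe",
#                         "powershell.exe", "powershell_ise.exe", "pwsh.exe",
#                         "sh.exe", "wscript.exe")
#   | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("SUSPICIOUS:", hit.get("ImageFileName") or hit.get("ApplicationName"),
              "|", hit.get("CommandLine", "<no command line>"))
```

Running the block flags events 0, 1 and 5 and leaves the Java child, the explorer.exe parent and the notcmd.exe look-alike alone, which is the boundary behaviour worth confirming before deploying a rule built on path suffixes.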

What Uncoder AI’s Summary Delivered

Here’s how Uncoder AI simplified the logic:

“This Microsoft Defender for Endpoint KQL (Kusto Query Language) query detects potential malicious activity by identifying device process events where the initiating process is crushftpservice.exe and the executed process is a known command-line interpreter or scripting engine, such as bash.exe , cmd.exe, powershell.exe, etc.”

Instead of reviewing regex-heavy path logic condition by condition, analysts immediately understand the behavior being flagged, from the launching process to the intent of the spawned interpreter.
