New EXE deployed via Default Domain or Default Domain Controller Policies

let known_processes = (
  SecurityEvent
  // If adjusting Query Period or Frequency update these
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where EventID == 4688
  | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | summarize by Process);
  SecurityEvent
  // If adjusting Query Period or Frequency update these
  | where TimeGenerated > ago(1d)
  | where EventID == 4688
  | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | where Process !in (known_processes)
  // This will likely apply to multiple hosts so summarize these data
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer

severity: High
triggerThreshold: 0
query: |
  let known_processes = (
    SecurityEvent
    // If adjusting Query Period or Frequency update these
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where EventID == 4688
    | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | summarize by Process);
    SecurityEvent
    // If adjusting Query Period or Frequency update these
    | where TimeGenerated > ago(1d)
    | where EventID == 4688
    | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | where Process !in (known_processes)
    // This will likely apply to multiple hosts so summarize these data
    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer  
queryFrequency: 1d
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
id: 05b4bccd-dd12-423d-8de4-5a6fb526bb4f
version: 1.0.1
name: New EXE deployed via Default Domain or Default Domain Controller Policies
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml
queryPeriod: 14d
relevantTechniques:
- T1072
- T1570
triggerOperator: gt
tactics:
- Execution
- LateralMovement
description: |
  'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
  A threat actor may use these policies to deploy files or scripts to all hosts in a domain.'  
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05b4bccd-dd12-423d-8de4-5a6fb526bb4f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05b4bccd-dd12-423d-8de4-5a6fb526bb4f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "New EXE deployed via Default Domain or Default Domain Controller Policies",
        "description": "'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let known_processes = (\n  SecurityEvent\n  // If adjusting Query Period or Frequency update these\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where EventID == 4688\n  | where NewProcessName has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | summarize by Process);\n  SecurityEvent\n  // If adjusting Query Period or Frequency update these\n  | where TimeGenerated > ago(1d)\n  | where EventID == 4688\n  | where NewProcessName has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | where Process !in (known_processes)\n  // This will likely apply to multiple hosts so summarize these data\n  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "LateralMovement"
        ],
        "techniques": [
          "T1072",
          "T1570"
        ],
        "alertRuleTemplateName": "05b4bccd-dd12-423d-8de4-5a6fb526bb4f",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}