Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

New EXE deployed via Default Domain or Default Domain Controller Policies

Back
Id05b4bccd-dd12-423d-8de4-5a6fb526bb4f
RulenameNew EXE deployed via Default Domain or Default Domain Controller Policies
DescriptionThis detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.

A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
SeverityHigh
TacticsExecution
LateralMovement
TechniquesT1072
T1570
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml
Version1.0.2
Arm template05b4bccd-dd12-423d-8de4-5a6fb526bb4f.json
Deploy To Azure
let known_processes = (
  SecurityEvent
  // If adjusting Query Period or Frequency update these
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where EventID == 4688
  | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | summarize by Process);
  SecurityEvent
  // If adjusting Query Period or Frequency update these
  | where TimeGenerated > ago(1d)
  | where EventID == 4688
  | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | where Process !in (known_processes)
  // This will likely apply to multiple hosts so summarize these data
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
name: New EXE deployed via Default Domain or Default Domain Controller Policies
queryFrequency: 1d
tactics:
- Execution
- LateralMovement
relevantTechniques:
- T1072
- T1570
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml
id: 05b4bccd-dd12-423d-8de4-5a6fb526bb4f
queryPeriod: 14d
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
kind: Scheduled
query: |
  let known_processes = (
    SecurityEvent
    // If adjusting Query Period or Frequency update these
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where EventID == 4688
    | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | summarize by Process);
    SecurityEvent
    // If adjusting Query Period or Frequency update these
    | where TimeGenerated > ago(1d)
    | where EventID == 4688
    | where NewProcessName has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | where Process !in (known_processes)
    // This will likely apply to multiple hosts so summarize these data
    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer
    | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
triggerOperator: gt
severity: High
description: |
  'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
  A threat actor may use these policies to deploy files or scripts to all hosts in a domain.'  
triggerThreshold: 0
version: 1.0.2
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05b4bccd-dd12-423d-8de4-5a6fb526bb4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05b4bccd-dd12-423d-8de4-5a6fb526bb4f')]",
      "properties": {
        "alertRuleTemplateName": "05b4bccd-dd12-423d-8de4-5a6fb526bb4f",
        "customDetails": null,
        "description": "'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.'\n",
        "displayName": "New EXE deployed via Default Domain or Default Domain Controller Policies",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml",
        "query": "let known_processes = (\n  SecurityEvent\n  // If adjusting Query Period or Frequency update these\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where EventID == 4688\n  | where NewProcessName has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | summarize by Process);\n  SecurityEvent\n  // If adjusting Query Period or Frequency update these\n  | where TimeGenerated > ago(1d)\n  | where EventID == 4688\n  | where NewProcessName has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | where Process !in (known_processes)\n  // This will likely apply to multiple hosts so summarize these data\n  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\n  | extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "LateralMovement"
        ],
        "techniques": [
          "T1072",
          "T1570"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}