New EXE deployed via Default Domain or Default Domain Controller Policies ASIM Version
| Id | 0dd2a343-4bf9-4c93-a547-adf3658ddaec |
| Rulename | New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) |
| Description | This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain. This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization |
| Severity | High |
| Tactics | Execution LateralMovement |
| Techniques | T1072 T1570 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml |
| Version | 1.0.5 |
| Arm template | 0dd2a343-4bf9-4c93-a547-adf3658ddaec.json |
let known_processes = (
imProcess
// Change these values if adjusting Query Frequency or Query Period
| where TimeGenerated between(ago(14d)..ago(1d))
| where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
| summarize by Process);
imProcess
// Change these values if adjusting Query Frequency or Query Period
| where TimeGenerated > ago(1d)
| where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
| where Process !in (known_processes)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
| extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
| project-away DomainIndex
relevantTechniques:
- T1072
- T1570
name: New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
requiredDataConnectors:
- dataTypes:
- SecurityEvents
connectorId: SecurityEvents
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DvcHostname
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
entityType: Host
triggerThreshold: 0
id: 0dd2a343-4bf9-4c93-a547-adf3658ddaec
tactics:
- Execution
- LateralMovement
version: 1.0.5
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml
queryPeriod: 14d
kind: Scheduled
metadata:
categories:
domains:
- Security - Threat Protection
author:
name: Microsoft Security Community
support:
tier: Community
source:
kind: Community
queryFrequency: 1d
severity: High
description: |
'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'
query: |
let known_processes = (
imProcess
// Change these values if adjusting Query Frequency or Query Period
| where TimeGenerated between(ago(14d)..ago(1d))
| where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
| summarize by Process);
imProcess
// Change these values if adjusting Query Frequency or Query Period
| where TimeGenerated > ago(1d)
| where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
| where Process !in (known_processes)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
| extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
| project-away DomainIndex
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0dd2a343-4bf9-4c93-a547-adf3658ddaec')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0dd2a343-4bf9-4c93-a547-adf3658ddaec')]",
"properties": {
"alertRuleTemplateName": "0dd2a343-4bf9-4c93-a547-adf3658ddaec",
"customDetails": null,
"description": "'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'\n",
"displayName": "New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml",
"query": "let known_processes = (\n imProcess\n // Change these values if adjusting Query Frequency or Query Period\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where Process has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n | summarize by Process);\n imProcess\n // Change these values if adjusting Query Frequency or Query Period\n | where TimeGenerated > ago(1d)\n | where Process has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n | where Process !in (known_processes)\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\n | extend HostName = tostring(split(DvcHostname, \".\")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\n | project-away DomainIndex\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution",
"LateralMovement"
],
"techniques": [
"T1072",
"T1570"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}