Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

New EXE deployed via Default Domain or Default Domain Controller Policies ASIM Version

Back
Id0dd2a343-4bf9-4c93-a547-adf3658ddaec
RulenameNew EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
DescriptionThis detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.

A threat actor may use these policies to deploy files or scripts to all hosts in a domain.

This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization
SeverityHigh
TacticsExecution
LateralMovement
TechniquesT1072
T1570
Required data connectorsSecurityEvents
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml
Version1.0.5
Arm template0dd2a343-4bf9-4c93-a547-adf3658ddaec.json
Deploy To Azure
let known_processes = (
  imProcess
  // Change these values if adjusting Query Frequency or Query Period
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | summarize by Process);
  imProcess
  // Change these values if adjusting Query Frequency or Query Period
  | where TimeGenerated > ago(1d)
  | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | where Process !in (known_processes)
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
  | extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
  | project-away DomainIndex
queryPeriod: 14d
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvents
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml
tactics:
- Execution
- LateralMovement
triggerOperator: gt
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Community
  categories:
    domains:
    - Security - Threat Protection
  support:
    tier: Community
severity: High
name: New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
relevantTechniques:
- T1072
- T1570
query: |
  let known_processes = (
    imProcess
    // Change these values if adjusting Query Frequency or Query Period
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | summarize by Process);
    imProcess
    // Change these values if adjusting Query Frequency or Query Period
    | where TimeGenerated > ago(1d)
    | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | where Process !in (known_processes)
    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
    | extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
    | project-away DomainIndex  
queryFrequency: 1d
id: 0dd2a343-4bf9-4c93-a547-adf3658ddaec
version: 1.0.5
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: DvcHostname
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
  entityType: Host
description: |
  'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
    A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
    This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0dd2a343-4bf9-4c93-a547-adf3658ddaec')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0dd2a343-4bf9-4c93-a547-adf3658ddaec')]",
      "properties": {
        "alertRuleTemplateName": "0dd2a343-4bf9-4c93-a547-adf3658ddaec",
        "customDetails": null,
        "description": "'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\n  A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\n  This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'\n",
        "displayName": "New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml",
        "query": "let known_processes = (\n  imProcess\n  // Change these values if adjusting Query Frequency or Query Period\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where Process has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | summarize by Process);\n  imProcess\n  // Change these values if adjusting Query Frequency or Query Period\n  | where TimeGenerated > ago(1d)\n  | where Process has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | where Process !in (known_processes)\n  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\n  | extend HostName = tostring(split(DvcHostname, \".\")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))\n  | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\n  | project-away DomainIndex\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "LateralMovement"
        ],
        "techniques": [
          "T1072",
          "T1570"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}