Microsoft Sentinel Analytic Rules

CyberArkEPM - Uncommon Windows process started from System folder

Id: 16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43
Rulename: CyberArkEPM - Uncommon Windows process started from System folder
Description: Detects when uncommon windows proccess is started from System folder.
Severity: Medium
Tactics: Execution, DefenseEvasion
Techniques: T1204, T1036
Required data connectors: CyberArkEPM
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMNewProcessStartetFromSystem.yaml
Version: 1.0.0
Arm template: 16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43.json
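// Baseline-vs-current comparison over the CyberArkEPM table: return events from
// the last hour whose process path mentions System32/SysWOW64 and whose internal
// file name did not occur in the preceding baseline window.
let lb_period = 14d;   // baseline look-back
let q_time = 1h;       // detection window
// Baseline: distinct internal file names seen between 14 days ago and 1 hour ago.
let sys_proc = CyberArkEPM
| where TimeGenerated between (ago(lb_period) .. ago(q_time))
| where EventSubType != 'AttackAttempt'
| where ActingProcessName has @'\'
// has_any matches the term anywhere in the path, so this is not anchored to the
// Windows directory; any folder named System32 or SysWOW64 qualifies.
| where ActingProcessName has_any ('System32', 'SysWOW64')
// make_set() instead of the legacy makeset() alias: per the Kusto documentation
// the legacy alias defaults to a maximum of 128 elements, which would silently
// truncate the baseline and turn long-known names into alerts.
| summarize make_set(ActingProcessFileInternalName);
// Detection: same filters on the last hour, keeping names absent from the baseline.
CyberArkEPM
| where TimeGenerated > ago(q_time)
| where EventSubType != 'AttackAttempt'
| where ActingProcessName has @'\'
| where ActingProcessName has_any ('System32', 'SysWOW64')
// NOTE(review): the comparison key is presumably the name recorded in the file's
// own metadata, not a verified identity; when triaging, also check hash or signer
// if the connector provides them - confirm which columns exist.
// A name enters the baseline once it is older than q_time, so each new name is
// reported only for the run(s) that first see it.
| where ActingProcessFileInternalName !in (sys_proc)
| extend AccountCustomEntity = ActorUsername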
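# Scheduled Microsoft Sentinel analytic rule. Every hour it compares the internal
# file names of processes reported in the CyberArkEPM table during the last hour
# with the names seen in the preceding 14 days and returns the ones that are new.
# Change against the published rule: the baseline is built with make_set() instead
# of the legacy makeset() alias (reason given in the query). The ARM template
# generated from this file embeds the same query and has to be regenerated.
name: CyberArkEPM - Uncommon Windows process started from System folder
severity: Medium
queryFrequency: 1h
# Alert whenever the query returns at least one row (count > 0).
triggerOperator: gt
relevantTechniques:
- T1204
- T1036
version: 1.0.0
description: |
    'Detects when uncommon windows proccess is started from System folder.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMNewProcessStartetFromSystem.yaml
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
# The query projects ActorUsername as AccountCustomEntity; it is mapped to the
# Account entity so the alert is attached to the acting user.
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
tactics:
- Execution
- DefenseEvasion
# Has to cover lb_period in the query, otherwise the baseline is shorter than intended.
queryPeriod: 14d
query: |
  let lb_period = 14d;
  let q_time = 1h;
  // Baseline: distinct internal file names seen between 14 days ago and 1 hour ago.
  let sys_proc = CyberArkEPM
  | where TimeGenerated between (ago(lb_period) .. ago(q_time))
  | where EventSubType != 'AttackAttempt'
  | where ActingProcessName has @'\'
  // has_any matches the term anywhere in the path; not anchored to the Windows directory.
  | where ActingProcessName has_any ('System32', 'SysWOW64')
  // make_set() instead of legacy makeset(): the legacy alias defaults to at most
  // 128 elements (Kusto documentation), which would truncate the baseline.
  | summarize make_set(ActingProcessFileInternalName);
  // Detection: same filters on the last hour, keeping names absent from the baseline.
  CyberArkEPM
  | where TimeGenerated > ago(q_time)
  | where EventSubType != 'AttackAttempt'
  | where ActingProcessName has @'\'
  | where ActingProcessName has_any ('System32', 'SysWOW64')
  // NOTE(review): the key is presumably a name taken from the file's own metadata,
  // not a verified identity; check hash or signer during triage if available.
  | where ActingProcessFileInternalName !in (sys_proc)
  | extend AccountCustomEntity = ActorUsername
kind: Scheduled
triggerThreshold: 0
id: 16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43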
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43')]",
      "properties": {
        "alertRuleTemplateName": "16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43",
        "customDetails": null,
        "description": "'Detects when uncommon windows proccess is started from System folder.'\n",
        "displayName": "CyberArkEPM - Uncommon Windows process started from System folder",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMNewProcessStartetFromSystem.yaml",
        "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet sys_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName has_any ('System32', 'SysWOW64')\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName has_any ('System32', 'SysWOW64')\n| where ActingProcessFileInternalName !in (sys_proc)\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1036",
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}