Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution

Back
Id5c2bb446-926f-4160-a233-21e335c2c290
RulenameTrusted Developer Utilities Proxy Execution
DescriptionThis detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1127
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/TrustedDeveloperUtilitiesProxyExecution.yaml
Version1.0.0
Arm template5c2bb446-926f-4160-a233-21e335c2c290.json
Deploy To Azure
let Timeframe = 1h;
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where (FileName has_any ("msbuild.exe", "msxsl.exe")
or (FileName has_any ("vbc.exe","csc.exe","jsc.exe") and ProcessCommandLine has_any ("/exe","/dll","/pe64","-exe","-dll","-pe64"))
or (FileName == ("ilsasm.exe") and ProcessCommandLine has_any ("out","target","t:","reference","r:")))
// Filter initations by Visual Studio since this is expected behavior.
  and not(FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
  or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
  and (InitiatingProcessFileName == "devenv.exe" or InitiatingProcessFileName == "WDExpress.exe"))

name: Trusted Developer Utilities Proxy Execution
relevantTechniques:
- T1127
id: 5c2bb446-926f-4160-a233-21e335c2c290
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/TrustedDeveloperUtilitiesProxyExecution.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
version: 1.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
queryFrequency: 1h
status: Available
query: |
  let Timeframe = 1h;
  DeviceProcessEvents
  | where Timestamp > ago(Timeframe)
  | where (FileName has_any ("msbuild.exe", "msxsl.exe")
  or (FileName has_any ("vbc.exe","csc.exe","jsc.exe") and ProcessCommandLine has_any ("/exe","/dll","/pe64","-exe","-dll","-pe64"))
  or (FileName == ("ilsasm.exe") and ProcessCommandLine has_any ("out","target","t:","reference","r:")))
  // Filter initations by Visual Studio since this is expected behavior.
    and not(FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
    or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
    and (InitiatingProcessFileName == "devenv.exe" or InitiatingProcessFileName == "WDExpress.exe"))  
tactics:
- DefenseEvasion
kind: Scheduled
description: |
    This detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise.
triggerOperator: gt