Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution

Back
Id5c2bb446-926f-4160-a233-21e335c2c290
RulenameTrusted Developer Utilities Proxy Execution
DescriptionThis detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1127
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/TrustedDeveloperUtilitiesProxyExecution.yaml
Version1.0.0
Arm template5c2bb446-926f-4160-a233-21e335c2c290.json
Deploy To Azure
let Timeframe = 1h;
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where (FileName has_any ("msbuild.exe", "msxsl.exe")
or (FileName has_any ("vbc.exe","csc.exe","jsc.exe") and ProcessCommandLine has_any ("/exe","/dll","/pe64","-exe","-dll","-pe64"))
or (FileName == ("ilsasm.exe") and ProcessCommandLine has_any ("out","target","t:","reference","r:")))
// Filter initations by Visual Studio since this is expected behavior.
  and not(FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
  or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
  and (InitiatingProcessFileName == "devenv.exe" or InitiatingProcessFileName == "WDExpress.exe"))

description: |
    This detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise.
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/TrustedDeveloperUtilitiesProxyExecution.yaml
severity: Medium
name: Trusted Developer Utilities Proxy Execution
triggerThreshold: 0
queryPeriod: 1h
query: |
  let Timeframe = 1h;
  DeviceProcessEvents
  | where Timestamp > ago(Timeframe)
  | where (FileName has_any ("msbuild.exe", "msxsl.exe")
  or (FileName has_any ("vbc.exe","csc.exe","jsc.exe") and ProcessCommandLine has_any ("/exe","/dll","/pe64","-exe","-dll","-pe64"))
  or (FileName == ("ilsasm.exe") and ProcessCommandLine has_any ("out","target","t:","reference","r:")))
  // Filter initations by Visual Studio since this is expected behavior.
    and not(FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
    or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio" 
    and (InitiatingProcessFileName == "devenv.exe" or InitiatingProcessFileName == "WDExpress.exe"))  
relevantTechniques:
- T1127
id: 5c2bb446-926f-4160-a233-21e335c2c290
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine