let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access.
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization.
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe",
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml
queryPeriod: 1h
version: 1.0.1
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
entityType: Host
- fieldMappings:
- identifier: Sid
columnName: AccountSid
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
entityType: Account
- fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
entityType: Process
relevantTechniques:
- T1566.002
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
query: |
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access.
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization.
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe",
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
id: 5ee34fa1-64ed-48c7-afa2-794b244f6c60
tactics:
- InitialAccess
status: Available
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
triggerThreshold: 0
name: Suspicious parentprocess relationship - Office child processes.
severity: Medium
description: |
The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.
