let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access.
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization.
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe",
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
description: |
The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: AccountSid
identifier: Sid
- columnName: AccountName
identifier: Name
- columnName: AccountDomain
identifier: NTDomain
entityType: Account
- fieldMappings:
- columnName: ProcessCommandLine
identifier: CommandLine
entityType: Process
query: |
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access.
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization.
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe",
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
tactics:
- InitialAccess
severity: Medium
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
relevantTechniques:
- T1566.002
id: 5ee34fa1-64ed-48c7-afa2-794b244f6c60
name: Suspicious parentprocess relationship - Office child processes.
kind: Scheduled
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
