Suspicious parentprocess relationship - Office child processes
| Id | 5ee34fa1-64ed-48c7-afa2-794b244f6c60 |
| Rulename | Suspicious parentprocess relationship - Office child processes. |
| Description | The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1566.002 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml |
| Version | 1.0.0 |
| Arm template | 5ee34fa1-64ed-48c7-afa2-794b244f6c60.json |
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access.
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization.
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe",
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
severity: Medium
triggerThreshold: 0
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
kind: Scheduled
id: 5ee34fa1-64ed-48c7-afa2-794b244f6c60
triggerOperator: gt
tactics:
- InitialAccess
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- entityType: Account
fieldMappings:
- identifier: Sid
columnName: AccountSid
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
relevantTechniques:
- T1566.002
version: 1.0.0
queryPeriod: 1h
name: Suspicious parentprocess relationship - Office child processes.
status: Available
description: |
The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually
presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access.
This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.
query: |
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access.
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization.
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe",
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5ee34fa1-64ed-48c7-afa2-794b244f6c60')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5ee34fa1-64ed-48c7-afa2-794b244f6c60')]",
"properties": {
"alertRuleTemplateName": "5ee34fa1-64ed-48c7-afa2-794b244f6c60",
"customDetails": null,
"description": "The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually \npresents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. \nThis detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.\n",
"displayName": "Suspicious parentprocess relationship - Office child processes.",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountSid",
"identifier": "Sid"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml",
"query": "let browsers = dynamic([\"iexplore.exe\", \"chrome.exe\", \"firefox.exe\", \"msedge.exe\"]); // Customize this list for your environment.\nlet officeApps = dynamic([\"winword.exe\", \"excel.exe\", \"powerpnt.exe\"]); // Consider adding other Office applications such as Publisher, Visio and Access. \n// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.\n// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization. \nlet allowList = dynamic([\"MSOSYNC.exe\", \"splwow64.exe\", \"csc.exe\", \"outlook.exe\", \"AcroRd32.exe\", \"Acrobat.exe\", \"explorer.exe\", \"DW20.exe\", \n\"Microsoft.Mashup.Container.Loader.exe\", \"Microsoft.Mashup.Container.NetFX40.exe\", \"WerFault.exe\", \"CLVIEW.exe\"]); \nDeviceProcessEvents\n| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and \nFileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)\n| project-rename ProcessStart_Timestamp = Timestamp\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}