Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious parentprocess relationship - Office child processes

Back
Id5ee34fa1-64ed-48c7-afa2-794b244f6c60
RulenameSuspicious parentprocess relationship - Office child processes.
DescriptionThe attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually

presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access.

This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.
SeverityMedium
TacticsInitialAccess
TechniquesT1566.002
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml
Version1.0.0
Arm template5ee34fa1-64ed-48c7-afa2-794b244f6c60.json
Deploy To Azure
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access. 
// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization. 
let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe", 
"Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]); 
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and 
FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
| project-rename ProcessStart_Timestamp = Timestamp
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml
version: 1.0.0
status: Available
queryPeriod: 1h
severity: Medium
relevantTechniques:
- T1566.002
tactics:
- InitialAccess
kind: Scheduled
queryFrequency: 1h
description: |
  The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually 
  presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. 
  This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.  
query: |
  let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]); // Customize this list for your environment.
  let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // Consider adding other Office applications such as Publisher, Visio and Access. 
  // This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.
  // Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization. 
  let allowList = dynamic(["MSOSYNC.exe", "splwow64.exe", "csc.exe", "outlook.exe", "AcroRd32.exe", "Acrobat.exe", "explorer.exe", "DW20.exe", 
  "Microsoft.Mashup.Container.Loader.exe", "Microsoft.Mashup.Container.NetFX40.exe", "WerFault.exe", "CLVIEW.exe"]); 
  DeviceProcessEvents
  | where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and 
  FileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)
  | project-rename ProcessStart_Timestamp = Timestamp  
id: 5ee34fa1-64ed-48c7-afa2-794b244f6c60
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
name: Suspicious parentprocess relationship - Office child processes.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5ee34fa1-64ed-48c7-afa2-794b244f6c60')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5ee34fa1-64ed-48c7-afa2-794b244f6c60')]",
      "properties": {
        "alertRuleTemplateName": "5ee34fa1-64ed-48c7-afa2-794b244f6c60",
        "customDetails": null,
        "description": "The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually \npresents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. \nThis detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.\n",
        "displayName": "Suspicious parentprocess relationship - Office child processes.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/SuspiciousParentProcessRelationship.yaml",
        "query": "let browsers = dynamic([\"iexplore.exe\", \"chrome.exe\", \"firefox.exe\", \"msedge.exe\"]); // Customize this list for your environment.\nlet officeApps = dynamic([\"winword.exe\", \"excel.exe\", \"powerpnt.exe\"]); // Consider adding other Office applications such as Publisher, Visio and Access. \n// This is an allow-list of the most common child processes. This is a quick and dirty solution. Consider allow-listing the full process path instead of file name.\n// Also, make this list as short as possible. Remove anything from this list if it doesn't occur in your organization. \nlet allowList = dynamic([\"MSOSYNC.exe\", \"splwow64.exe\", \"csc.exe\", \"outlook.exe\", \"AcroRd32.exe\", \"Acrobat.exe\", \"explorer.exe\", \"DW20.exe\", \n\"Microsoft.Mashup.Container.Loader.exe\", \"Microsoft.Mashup.Container.NetFX40.exe\", \"WerFault.exe\", \"CLVIEW.exe\"]); \nDeviceProcessEvents\n| where InitiatingProcessParentFileName in~ (browsers) and InitiatingProcessFileName in~ (officeApps) and \nFileName !in~ (officeApps) and FileName !in~ (browsers) and FileName !in~ (allowList)\n| project-rename ProcessStart_Timestamp = Timestamp\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}