Match Legitimate Name or Location - 2
| Id | dd22dc4f-ab7c-4d0a-84ad-cc393638ba31 |
| Rulename | Match Legitimate Name or Location - 2 |
| Description | Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes. This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1036.005 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml |
| Version | 1.0.1 |
| Arm template | dd22dc4f-ab7c-4d0a-84ad-cc393638ba31.json |
let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
"smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
"crmss.exe", dynamic(["smss.exe"]),
"wininit.exe", dynamic(["smss.exe"]),
"winlogon.exe", dynamic(["smss.exe"]),
"services.exe", dynamic(["wininit.exe"]),
"lsaiso.exe", dynamic(["wininit.exe"]),
"lsass.exe", dynamic(["wininit.exe"]),
"spoolsv.exe", dynamic(["services.exe"]),
"dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
"lsm.exe", dynamic(["wininit.exe"]),
"svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
"runtimebroker.exe", dynamic(["svchost.exe"]),
"taskhostw.exe", dynamic(["svchost.exe"]),
"userinit.exe", dynamic(["winlogon.exe"])
// Explorer can have a lot of parents in some environments
//,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
queryPeriod: 1h
name: Match Legitimate Name or Location - 2
description: |
Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.
This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
status: Available
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
kind: Scheduled
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
version: 1.0.1
triggerOperator: gt
triggerThreshold: 0
query: |
let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
"smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
"crmss.exe", dynamic(["smss.exe"]),
"wininit.exe", dynamic(["smss.exe"]),
"winlogon.exe", dynamic(["smss.exe"]),
"services.exe", dynamic(["wininit.exe"]),
"lsaiso.exe", dynamic(["wininit.exe"]),
"lsass.exe", dynamic(["wininit.exe"]),
"spoolsv.exe", dynamic(["services.exe"]),
"dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
"lsm.exe", dynamic(["wininit.exe"]),
"svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
"runtimebroker.exe", dynamic(["svchost.exe"]),
"taskhostw.exe", dynamic(["svchost.exe"]),
"userinit.exe", dynamic(["winlogon.exe"])
// Explorer can have a lot of parents in some environments
//,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
entityType: Host
- fieldMappings:
- identifier: Sid
columnName: AccountSid
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
entityType: Account
- fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
entityType: Process
tactics:
- DefenseEvasion
relevantTechniques:
- T1036.005
queryFrequency: 1h
severity: Medium
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
"properties": {
"alertRuleTemplateName": "dd22dc4f-ab7c-4d0a-84ad-cc393638ba31",
"customDetails": null,
"description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.\n",
"displayName": "Match Legitimate Name or Location - 2",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountSid",
"identifier": "Sid"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml",
"query": "let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [\n \"smss.exe\", dynamic([\"smss.exe\", \"ntoskrnl.exe\", \"\"]),\n \"crmss.exe\", dynamic([\"smss.exe\"]),\n \"wininit.exe\", dynamic([\"smss.exe\"]),\n \"winlogon.exe\", dynamic([\"smss.exe\"]),\n \"services.exe\", dynamic([\"wininit.exe\"]),\n \"lsaiso.exe\", dynamic([\"wininit.exe\"]),\n \"lsass.exe\", dynamic([\"wininit.exe\"]),\n \"spoolsv.exe\", dynamic([\"services.exe\"]),\n \"dllhost.exe\", dynamic([\"svchost.exe\", \"services.exe\"]),\n \"lsm.exe\", dynamic([\"wininit.exe\"]),\n \"svchost.exe\", dynamic([\"services.exe\", \"msmpeng.exe\"]),\n \"runtimebroker.exe\", dynamic([\"svchost.exe\"]),\n \"taskhostw.exe\", dynamic([\"svchost.exe\"]),\n \"userinit.exe\", dynamic([\"winlogon.exe\"])\n // Explorer can have a lot of parents in some environments\n //,\"explorer.exe\", dynamic([\"userinit.exe\"])\n];\nDeviceProcessEvents\n| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))\n| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))\n| lookup kind=inner ProcessRelations on ImageFile\n| where not(set_has_element(ExpectedParent,ParentFile))\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1036.005"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1036"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}