Match Legitimate Name or Location - 2

let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
  "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
  "crmss.exe", dynamic(["smss.exe"]),
  "wininit.exe", dynamic(["smss.exe"]),
  "winlogon.exe", dynamic(["smss.exe"]),
  "services.exe", dynamic(["wininit.exe"]),
  "lsaiso.exe", dynamic(["wininit.exe"]),
  "lsass.exe", dynamic(["wininit.exe"]),
  "spoolsv.exe", dynamic(["services.exe"]),
  "dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
  "lsm.exe", dynamic(["wininit.exe"]),
  "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
  "runtimebroker.exe", dynamic(["svchost.exe"]),
  "taskhostw.exe", dynamic(["svchost.exe"]),
  "userinit.exe", dynamic(["winlogon.exe"])
  // Explorer can have a lot of parents in some environments
  //,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))

description: |
  Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.
  This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.  
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
severity: Medium
name: Match Legitimate Name or Location - 2
triggerThreshold: 0
queryPeriod: 1h
query: |
  let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
    "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
    "crmss.exe", dynamic(["smss.exe"]),
    "wininit.exe", dynamic(["smss.exe"]),
    "winlogon.exe", dynamic(["smss.exe"]),
    "services.exe", dynamic(["wininit.exe"]),
    "lsaiso.exe", dynamic(["wininit.exe"]),
    "lsass.exe", dynamic(["wininit.exe"]),
    "spoolsv.exe", dynamic(["services.exe"]),
    "dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
    "lsm.exe", dynamic(["wininit.exe"]),
    "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
    "runtimebroker.exe", dynamic(["svchost.exe"]),
    "taskhostw.exe", dynamic(["svchost.exe"]),
    "userinit.exe", dynamic(["winlogon.exe"])
    // Explorer can have a lot of parents in some environments
    //,"explorer.exe", dynamic(["userinit.exe"])
  ];
  DeviceProcessEvents
  | extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
  | extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
  | lookup kind=inner ProcessRelations on ImageFile
  | where not(set_has_element(ExpectedParent,ParentFile))  
relevantTechniques:
- T1036.005
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine