Match Legitimate Name or Location - 2
| Id | dd22dc4f-ab7c-4d0a-84ad-cc393638ba31 |
| Rulename | Match Legitimate Name or Location - 2 |
| Description | Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes. This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1036.005 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml |
| Version | 1.0.0 |
| Arm template | dd22dc4f-ab7c-4d0a-84ad-cc393638ba31.json |
let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
"smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
"crmss.exe", dynamic(["smss.exe"]),
"wininit.exe", dynamic(["smss.exe"]),
"winlogon.exe", dynamic(["smss.exe"]),
"services.exe", dynamic(["wininit.exe"]),
"lsaiso.exe", dynamic(["wininit.exe"]),
"lsass.exe", dynamic(["wininit.exe"]),
"spoolsv.exe", dynamic(["services.exe"]),
"dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
"lsm.exe", dynamic(["wininit.exe"]),
"svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
"runtimebroker.exe", dynamic(["svchost.exe"]),
"taskhostw.exe", dynamic(["svchost.exe"]),
"userinit.exe", dynamic(["winlogon.exe"])
// Explorer can have a lot of parents in some environments
//,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
relevantTechniques:
- T1036.005
name: Match Legitimate Name or Location - 2
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
entityType: Host
- fieldMappings:
- identifier: Sid
columnName: AccountSid
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
entityType: Account
- fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
entityType: Process
triggerThreshold: 0
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
tactics:
- DefenseEvasion
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.
This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
query: |
let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
"smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
"crmss.exe", dynamic(["smss.exe"]),
"wininit.exe", dynamic(["smss.exe"]),
"winlogon.exe", dynamic(["smss.exe"]),
"services.exe", dynamic(["wininit.exe"]),
"lsaiso.exe", dynamic(["wininit.exe"]),
"lsass.exe", dynamic(["wininit.exe"]),
"spoolsv.exe", dynamic(["services.exe"]),
"dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
"lsm.exe", dynamic(["wininit.exe"]),
"svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
"runtimebroker.exe", dynamic(["svchost.exe"]),
"taskhostw.exe", dynamic(["svchost.exe"]),
"userinit.exe", dynamic(["winlogon.exe"])
// Explorer can have a lot of parents in some environments
//,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
"properties": {
"alertRuleTemplateName": "dd22dc4f-ab7c-4d0a-84ad-cc393638ba31",
"customDetails": null,
"description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.\n",
"displayName": "Match Legitimate Name or Location - 2",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountSid",
"identifier": "Sid"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml",
"query": "let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [\n \"smss.exe\", dynamic([\"smss.exe\", \"ntoskrnl.exe\", \"\"]),\n \"crmss.exe\", dynamic([\"smss.exe\"]),\n \"wininit.exe\", dynamic([\"smss.exe\"]),\n \"winlogon.exe\", dynamic([\"smss.exe\"]),\n \"services.exe\", dynamic([\"wininit.exe\"]),\n \"lsaiso.exe\", dynamic([\"wininit.exe\"]),\n \"lsass.exe\", dynamic([\"wininit.exe\"]),\n \"spoolsv.exe\", dynamic([\"services.exe\"]),\n \"dllhost.exe\", dynamic([\"svchost.exe\", \"services.exe\"]),\n \"lsm.exe\", dynamic([\"wininit.exe\"]),\n \"svchost.exe\", dynamic([\"services.exe\", \"msmpeng.exe\"]),\n \"runtimebroker.exe\", dynamic([\"svchost.exe\"]),\n \"taskhostw.exe\", dynamic([\"svchost.exe\"]),\n \"userinit.exe\", dynamic([\"winlogon.exe\"])\n // Explorer can have a lot of parents in some environments\n //,\"explorer.exe\", dynamic([\"userinit.exe\"])\n];\nDeviceProcessEvents\n| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))\n| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))\n| lookup kind=inner ProcessRelations on ImageFile\n| where not(set_has_element(ExpectedParent,ParentFile))\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1036.005"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1036"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}