Match Legitimate Name or Location - 2

let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
  "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
  "crmss.exe", dynamic(["smss.exe"]),
  "wininit.exe", dynamic(["smss.exe"]),
  "winlogon.exe", dynamic(["smss.exe"]),
  "services.exe", dynamic(["wininit.exe"]),
  "lsaiso.exe", dynamic(["wininit.exe"]),
  "lsass.exe", dynamic(["wininit.exe"]),
  "spoolsv.exe", dynamic(["services.exe"]),
  "dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
  "lsm.exe", dynamic(["wininit.exe"]),
  "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
  "runtimebroker.exe", dynamic(["svchost.exe"]),
  "taskhostw.exe", dynamic(["svchost.exe"]),
  "userinit.exe", dynamic(["winlogon.exe"])
  // Explorer can have a lot of parents in some environments
  //,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))

name: Match Legitimate Name or Location - 2
relevantTechniques:
- T1036.005
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
version: 1.0.1
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
queryFrequency: 1h
status: Available
query: |
  let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
    "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
    "crmss.exe", dynamic(["smss.exe"]),
    "wininit.exe", dynamic(["smss.exe"]),
    "winlogon.exe", dynamic(["smss.exe"]),
    "services.exe", dynamic(["wininit.exe"]),
    "lsaiso.exe", dynamic(["wininit.exe"]),
    "lsass.exe", dynamic(["wininit.exe"]),
    "spoolsv.exe", dynamic(["services.exe"]),
    "dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
    "lsm.exe", dynamic(["wininit.exe"]),
    "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
    "runtimebroker.exe", dynamic(["svchost.exe"]),
    "taskhostw.exe", dynamic(["svchost.exe"]),
    "userinit.exe", dynamic(["winlogon.exe"])
    // Explorer can have a lot of parents in some environments
    //,"explorer.exe", dynamic(["userinit.exe"])
  ];
  DeviceProcessEvents
  | extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
  | extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
  | lookup kind=inner ProcessRelations on ImageFile
  | where not(set_has_element(ExpectedParent,ParentFile))  
tactics:
- DefenseEvasion
kind: Scheduled
description: |
  Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.
  This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.  
triggerOperator: gt