Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Match Legitimate Name or Location - 2

Back
Iddd22dc4f-ab7c-4d0a-84ad-cc393638ba31
RulenameMatch Legitimate Name or Location - 2
DescriptionAttackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.

This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1036.005
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
Version1.0.1
Arm templatedd22dc4f-ab7c-4d0a-84ad-cc393638ba31.json
Deploy To Azure
let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
  "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
  "crmss.exe", dynamic(["smss.exe"]),
  "wininit.exe", dynamic(["smss.exe"]),
  "winlogon.exe", dynamic(["smss.exe"]),
  "services.exe", dynamic(["wininit.exe"]),
  "lsaiso.exe", dynamic(["wininit.exe"]),
  "lsass.exe", dynamic(["wininit.exe"]),
  "spoolsv.exe", dynamic(["services.exe"]),
  "dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
  "lsm.exe", dynamic(["wininit.exe"]),
  "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
  "runtimebroker.exe", dynamic(["svchost.exe"]),
  "taskhostw.exe", dynamic(["svchost.exe"]),
  "userinit.exe", dynamic(["winlogon.exe"])
  // Explorer can have a lot of parents in some environments
  //,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
tactics:
- DefenseEvasion
relevantTechniques:
- T1036.005
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
severity: Medium
status: Available
name: Match Legitimate Name or Location - 2
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
query: |
  let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
    "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
    "crmss.exe", dynamic(["smss.exe"]),
    "wininit.exe", dynamic(["smss.exe"]),
    "winlogon.exe", dynamic(["smss.exe"]),
    "services.exe", dynamic(["wininit.exe"]),
    "lsaiso.exe", dynamic(["wininit.exe"]),
    "lsass.exe", dynamic(["wininit.exe"]),
    "spoolsv.exe", dynamic(["services.exe"]),
    "dllhost.exe", dynamic(["svchost.exe", "services.exe"]),
    "lsm.exe", dynamic(["wininit.exe"]),
    "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
    "runtimebroker.exe", dynamic(["svchost.exe"]),
    "taskhostw.exe", dynamic(["svchost.exe"]),
    "userinit.exe", dynamic(["winlogon.exe"])
    // Explorer can have a lot of parents in some environments
    //,"explorer.exe", dynamic(["userinit.exe"])
  ];
  DeviceProcessEvents
  | extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
  | extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
  | lookup kind=inner ProcessRelations on ImageFile
  | where not(set_has_element(ExpectedParent,ParentFile))  
queryPeriod: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
triggerOperator: gt
triggerThreshold: 0
description: |
  Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.
  This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.  
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
queryFrequency: 1h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
      "properties": {
        "alertRuleTemplateName": "dd22dc4f-ab7c-4d0a-84ad-cc393638ba31",
        "customDetails": null,
        "description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.\n",
        "displayName": "Match Legitimate Name or Location - 2",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml",
        "query": "let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [\n  \"smss.exe\", dynamic([\"smss.exe\", \"ntoskrnl.exe\", \"\"]),\n  \"crmss.exe\", dynamic([\"smss.exe\"]),\n  \"wininit.exe\", dynamic([\"smss.exe\"]),\n  \"winlogon.exe\", dynamic([\"smss.exe\"]),\n  \"services.exe\", dynamic([\"wininit.exe\"]),\n  \"lsaiso.exe\", dynamic([\"wininit.exe\"]),\n  \"lsass.exe\", dynamic([\"wininit.exe\"]),\n  \"spoolsv.exe\", dynamic([\"services.exe\"]),\n  \"dllhost.exe\", dynamic([\"svchost.exe\", \"services.exe\"]),\n  \"lsm.exe\", dynamic([\"wininit.exe\"]),\n  \"svchost.exe\", dynamic([\"services.exe\", \"msmpeng.exe\"]),\n  \"runtimebroker.exe\", dynamic([\"svchost.exe\"]),\n  \"taskhostw.exe\", dynamic([\"svchost.exe\"]),\n  \"userinit.exe\", dynamic([\"winlogon.exe\"])\n  // Explorer can have a lot of parents in some environments\n  //,\"explorer.exe\", dynamic([\"userinit.exe\"])\n];\nDeviceProcessEvents\n| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))\n| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))\n| lookup kind=inner ProcessRelations on ImageFile\n| where not(set_has_element(ExpectedParent,ParentFile))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1036.005"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1036"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}