Defender-DeviceEvents

16 events across 16 channels

Event ID	Title	Channel
9007000	Defender event (any)	DeviceEvents
9007001	PowerShell command executed	PowerShellCommand
9007002	AMSI script detected	AmsiScriptDetected
9007003	AMSI script content captured	AmsiScriptContent
9007004	CreateRemoteThread API call	CreateRemoteThreadApiCall
9007005	Process injection detected	ProcessInjectionDetected
9007006	Named pipe event	NamedPipeEvent
9007007	User account added to local group	UserAccountAddedToLocalGroup
9007008	User account removed from local group	UserAccountRemovedFromLocalGroup
9007009	ASR audit event	AsrAuditEvent
9007010	ASR — LSASS credential theft (audited)	AsrLsassCredentialTheftAudited
9007011	ASR — Office child process (audited)	AsrOfficeChildProcessAudited
9007012	Antivirus report	AntivirusReport
9007013	Scheduled task created	ScheduledTaskCreated
9007014	Scheduled task deleted	ScheduledTaskDeleted
9007015	Scheduled task updated	ScheduledTaskUpdated

Event ID 9007000 — Defender event (any)

Defender event (any) — DeviceEvents is a catch-all; bridges only apply per-ActionType.

Name	Description
`DeviceId`	—
`Timestamp`	—
`ActionType`	—
`AdditionalFields`	—
`InitiatingProcessFileName`	—
`InitiatingProcessCommandLine`	—

Windows host username encoded in base64 web request source medium: 'This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen usee by POLONIUM in their RunningRAT tool.'
Office ASR rule triggered from browser spawned office process. source medium: The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. This detection looks for Office ASR violations triggered by an Office document opened from a browser. Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
SUNSPOT malware hashes source medium: 'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - https://techcommunity.microsoft.com/blog/microsoftsentinelblog/monitoring-the-software-supply-chain-with-azure-sentinel/2176463/'

Show 1 more (4 total)

TEARDROP memory-only dropper source high: Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f

PowerShell command executed — PowerShell ScriptBlockLogging captures the same surface.

Name	Description
`DeviceId`	—
`Timestamp`	—
`AdditionalFields`	—
`InitiatingProcessFileName`	—
`InitiatingProcessCommandLine`	—

1 rule

AMSI script detected — Defender-only; no Windows-native equivalent.

Name	Description
`DeviceId`	—
`Timestamp`	—
`AdditionalFields`	—
`InitiatingProcessFileName`	—

AMSI script content captured — Defender-only; no Windows-native equivalent.

Deimos Component Execution source high: Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.