Defender-DeviceEvents
27 ActionTypes
any: Defender event (any)
#Description
Defender event (any) — DeviceEvents is a catch-all; bridges only apply per-ActionType.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ActionType | |
| AdditionalFields | |
| InitiatingProcessFileName | |
| InitiatingProcessCommandLine | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| user | is_not_null | | 1 rule | kusto, splunk |
| DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk |
| parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk |
| EventType | eq | ConnectionSuccess | 1 rule | kusto |
Detection Rules #
Kusto #
- Windows host username encoded in base64 web request (medium): This detection will identify network requests in HTTP proxy data that contain Base64-encoded usernames from machines in the DeviceEvents table. This technique was seen used by POLONIUM in their RunningRAT tool.
- Office ASR rule triggered from browser spawned office process (medium): The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. This detection looks for Office ASR violations triggered by an Office document opened from a browser. Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
- SUNSPOT malware hashes (medium): This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by CrowdStrike. More details: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ ; https://techcommunity.microsoft.com/blog/microsoftsentinelblog/monitoring-the-software-supply-chain-with-azure-sentinel/2176463/
- TEARDROP memory-only dropper (high): Identifies SolarWinds TEARDROP memory-only dropper IOCs in Windows Defender Exploit Guard activity. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html ; https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
  Also matches: CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); MemoryRemoteProtect: Remote virtual memory protection change; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- Process Injection Initiated By MMC: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.
  Also matches: CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); MemoryRemoteProtect: Remote virtual memory protection change; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
PowerShellCommand: PowerShell command executed
#Description
PowerShell command executed — PowerShell ScriptBlockLogging captures the same surface.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
| InitiatingProcessFileName | |
| InitiatingProcessCommandLine | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | PowerShellCommand | 1 rule | kusto |
Detection Rules #
Kusto #
- Suspicious Powershell Commandlet Executed (medium): This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AmsiScriptDetected: AMSI script detected
#Description
AMSI script detected — Defender-only; no Windows-native equivalent.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AmsiScriptContent: AMSI script content captured
#Description
AMSI script content captured — Defender-only; no Windows-native equivalent.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| parent_process_name | eq | powershell.exe | 1 rule | elastic, kusto, splunk |
Detection Rules #
Kusto #
- Deimos Component Execution (high): Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
CreateRemoteThreadApiCall: CreateRemoteThread API call
#Description
CreateRemoteThread API call
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 3 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 3 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 3 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
| parent_process_name | in | excel.exe | 1 rule | kusto, splunk |
| parent_process_name | in | winword.exe | 1 rule | kusto, splunk |
| parent_process_name | in | powerpnt.exe | 1 rule | kusto, splunk |
| DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk |
| parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk |
| EventType | eq | ConnectionSuccess | 1 rule | kusto |
Detection Rules #
Kusto #
- Suspicious Process Injection from Office application (medium): This query detects process injections using the CreateRemoteThread, QueueUserAPC or SetThreadContext APIs, originating from an Office process (only Word/Excel/PowerPoint) that might contain macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something longer running.
- Process Injection From Untrusted Process: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.
  Also matches: NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
  Also matches: any: Defender event (any); NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); MemoryRemoteProtect: Remote virtual memory protection change; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- Process Injection Initiated By MMC: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.
  Also matches: any: Defender event (any); NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); MemoryRemoteProtect: Remote virtual memory protection change; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
ProcessInjectionDetected: Process injection detected
#Description
Process injection detected — Defender-only; no Windows-native equivalent.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
NamedPipeEvent: Named pipe event
#Description
Named pipe event
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | NamedPipeEvent | 2 rules | kusto |
Detection Rules #
Kusto #
- Suspicious named pipes (medium): This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
- C2-NamedPipe (high): Detects the creation of a named pipe used by known APT malware. Reference: https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
UserAccountAddedToLocalGroup: User account added to local group
#Description
User account added to local group
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AccountName | |
| AdditionalFields | |
Detection Rules #
Kusto #
- Local Admin Group Changes (high): This query searches for changes to the local administrators group. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
UserAccountRemovedFromLocalGroup: User account removed from local group
#Description
User account removed from local group
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AccountName | |
| AdditionalFields | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AsrAuditEvent: ASR audit event
#Description
ASR audit event — Defender ASR audit; loosely maps to Defender-1121 channel events.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AsrLsassCredentialTheftAudited: ASR — LSASS credential theft (audited)
#Description
ASR — LSASS credential theft (audited) — Defender ASR; no native equivalent.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AsrOfficeChildProcessAudited: ASR — Office child process (audited)
#Description
ASR — Office child process (audited) — Defender ASR; no native equivalent.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| InitiatingProcessFileName | |
| FileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AntivirusReport: Antivirus report
#Description
Antivirus report — Defender AV; loosely maps to Defender-1116/1117 detected/quarantined events.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| AdditionalFields | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
ScheduledTaskCreated: Scheduled task created
#Description
Scheduled task created
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
ScheduledTaskDeleted: Scheduled task deleted
#Description
Scheduled task deleted
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
ScheduledTaskUpdated: Scheduled task updated
#Description
Scheduled task updated
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| AdditionalFields | |
| InitiatingProcessFileName | |
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
OpenProcessApiCall: Process opened (OpenProcess API call)
#Description
Process opened (OpenProcess API call) — Sysmon-10 is ProcessAccess; Kernel-Audit-API-Calls-5 (TargetProcessId / DesiredAccess / ReturnCode) is the same kernel audit hook MDE consumes and any admin ETW session can collect.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| ProcessId | |
| InitiatingProcessFileName | |
| InitiatingProcessCommandLine | |
Detection Patterns #
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
ProcessPrimaryTokenModified: Process primary token modified
#Description
Process primary token modified — Security-4696 (primary token assigned) is a bridge candidate, but assigned-at-creation vs replaced-in-place semantics are unverified, so no bridge yet.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| AccountName | |
| InitiatingProcessFileName | |
Detection Patterns #
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
LdapSearch: LDAP search
#Description
LDAP search — Client-side LDAP query telemetry (search filter in AdditionalFields). ETW equivalent is Microsoft-Windows-LDAP-Client's search-call events; bridge deferred until the exact event-id is verified against a captured trace (the manifest carries no event names).
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| InitiatingProcessFileName | |
| InitiatingProcessCommandLine | |
| AdditionalFields | |
Detection Patterns #
- Discovery: Domain Account (1 rule)
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
ClrUnbackedModuleLoaded: CLR unbacked module loaded
#Description
CLR unbacked module loaded — Derivable-from, not one-to-one: DotNETRuntime-152 (ModuleLoad) fires for every CLR module; 'unbacked' (no disk-backed image) is a filter over the module-flags payload. CLR ETW is emitted inside the (potentially attacker-controlled) process and can be patched out; the MDE sensor copy is the tamper-resistant variant.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| InitiatingProcessFileName | |
| AdditionalFields | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| parent_process_name | in | cscript.exe | 1 rule | kusto, splunk |
| parent_process_name | in | mmc.exe | 1 rule | kusto, splunk |
| parent_process_name | in | wscript.exe | 1 rule | kusto, splunk |
| parent_process_name | in | mshta.exe | 1 rule | kusto |
Detection Rules #
Kusto #
- Script Interpreter Loading DotNet Assembly From Memory: The query searches for script interpreters (mmc.exe, mshta.exe, wscript.exe, and cscript.exe) loading .NET assemblies from memory. In the case of the MMC executable, the query also checks for the MSC file that was loaded, as some legitimate MSC files are known to load .NET assemblies via MMC.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
AsrUntrustedExecutableAudited: ASR untrusted executable (audited)
#Description
ASR untrusted executable (audited) — Block-mode ASR siblings map to Defender-1121.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| InitiatingProcessFileName | |
Detection Rules #
Kusto #
- ASR Rare and Untrusted Executables: The query below shows untrusted executables that are seen on few devices (LocalPrevalence). It requires the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" to be configured and Cloud-delivered protection to be enabled. You may need to exclude software development users/machines/folders.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
DriverLoad: Driver loaded
#Description
Driver loaded — ETW-TI requires a PPL/ELAM-signed consumer; Sysmon-6 is the collectible equivalent for non-MDE environments.
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| FileName | |
| FolderPath | |
| SHA1 | |
| SHA256 | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | DriverLoad | 2 rules | kusto |
| dcount_DeviceId | le | 5 | 1 rule | kusto |
Detection Rules #
Kusto #
- Microsoft Recommended Driver Block List: The query below detects loading or creation of a vulnerable driver that is listed in the Microsoft recommended driver block rules.
- Suspicious Driver Load: The query below detects suspicious (unusual/rare) driver loads. Further checks are required on detected files to confirm malicious activity.
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory)
#Description
Remote virtual memory allocation (NtAllocateVirtualMemory)
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
| DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk |
| parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk |
| EventType | eq | ConnectionSuccess | 1 rule | kusto |
Detection Rules #
Kusto #
- Process Injection From Untrusted Process: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.
  Also matches: CreateRemoteThreadApiCall: CreateRemoteThread API call; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
  Also matches: any: Defender event (any); CreateRemoteThreadApiCall: CreateRemoteThread API call; MemoryRemoteProtect: Remote virtual memory protection change; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- Process Injection Initiated By MMC: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.
  Also matches: any: Defender event (any); CreateRemoteThreadApiCall: CreateRemoteThread API call; MemoryRemoteProtect: Remote virtual memory protection change; NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
MemoryRemoteProtect: Remote virtual memory protection change
#Description
Remote virtual memory protection change
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk |
| parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk |
| EventType | eq | ConnectionSuccess | 1 rule | kusto |
Detection Rules #
Kusto #
- ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
  Also matches: any: Defender event (any); CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- Process Injection Initiated By MMC: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.
  Also matches: any: Defender event (any); CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection)
#Description
Remote section map (NtMapViewOfSection)
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
| parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk |
| EventType | eq | ConnectionSuccess | 1 rule | kusto |
Detection Rules #
Kusto #
- Process Injection From Untrusted Process: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.
  Also matches: CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- ADWS Connection from Process Injection Target: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.
  Also matches: any: Defender event (any); CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); MemoryRemoteProtect: Remote virtual memory protection change; QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
- Process Injection Initiated By MMC: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.
  Also matches: any: Defender event (any); CreateRemoteThreadApiCall: CreateRemoteThread API call; NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory); MemoryRemoteProtect: Remote virtual memory protection change; QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc); SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc)
Description #
Remote APC queued (QueueUserApc)
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
Detection Rules #
Kusto #
- Process Injection From Untrusted Process (source): This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on global prevalence. Also matches: CreateRemoteThreadApiCall (CreateRemoteThread API call), NtAllocateVirtualMemoryRemoteApiCall (remote virtual memory allocation, NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall (remote section map, NtMapViewOfSection), SetThreadContextRemoteApiCall (remote thread context change, SetThreadContext).
- ADWS Connection from Process Injection Target (source): The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory. Also matches: any (Defender event, any), CreateRemoteThreadApiCall (CreateRemoteThread API call), NtAllocateVirtualMemoryRemoteApiCall (remote virtual memory allocation, NtAllocateVirtualMemory), MemoryRemoteProtect (remote virtual memory protection change), NtMapViewOfSectionRemoteApiCall (remote section map, NtMapViewOfSection), SetThreadContextRemoteApiCall (remote thread context change, SetThreadContext).
- Process Injection Initiated By MMC (source): This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection. Also matches: any (Defender event, any), CreateRemoteThreadApiCall (CreateRemoteThread API call), NtAllocateVirtualMemoryRemoteApiCall (remote virtual memory allocation, NtAllocateVirtualMemory), MemoryRemoteProtect (remote virtual memory protection change), NtMapViewOfSectionRemoteApiCall (remote section map, NtMapViewOfSection), SetThreadContextRemoteApiCall (remote thread context change, SetThreadContext).
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/
SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
Description #
Remote thread context change (SetThreadContext)
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ProcessId | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
Detection Rules #
Kusto #
- Process Injection From Untrusted Process (source): This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on global prevalence. Also matches: CreateRemoteThreadApiCall (CreateRemoteThread API call), NtAllocateVirtualMemoryRemoteApiCall (remote virtual memory allocation, NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall (remote section map, NtMapViewOfSection), QueueUserApcRemoteApiCall (remote APC queued, QueueUserApc).
- ADWS Connection from Process Injection Target (source): The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory. Also matches: any (Defender event, any), CreateRemoteThreadApiCall (CreateRemoteThread API call), NtAllocateVirtualMemoryRemoteApiCall (remote virtual memory allocation, NtAllocateVirtualMemory), MemoryRemoteProtect (remote virtual memory protection change), NtMapViewOfSectionRemoteApiCall (remote section map, NtMapViewOfSection), QueueUserApcRemoteApiCall (remote APC queued, QueueUserApc).
- Process Injection Initiated By MMC (source): This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection. Also matches: any (Defender event, any), CreateRemoteThreadApiCall (CreateRemoteThread API call), NtAllocateVirtualMemoryRemoteApiCall (remote virtual memory allocation, NtAllocateVirtualMemory), MemoryRemoteProtect (remote virtual memory protection change), NtMapViewOfSectionRemoteApiCall (remote section map, NtMapViewOfSection), QueueUserApcRemoteApiCall (remote APC queued, QueueUserApc).
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/