Defender-DeviceProcessEvents
2 ActionTypes
| ActionType | Title |
|---|---|
| any | Process activity (any) |
| ProcessCreated | Process created |
any: Process activity (any)
Description #
Process activity (any)
Fields #
| Name | Description | Rules |
|---|---|---|
| DeviceId | Unique identifier for the device in the service | |
| DeviceName | Fully qualified domain name (FQDN) of the device | |
| Timestamp | Date and time when the event was recorded | |
| ActionType | Type of activity that triggered the event | |
| FileName | Name of the file that the recorded action was applied to | 19 |
| FolderPath | Folder containing the file that the recorded action was applied to | |
| SHA1 | SHA-1 hash of the file that the recorded action was applied to | |
| SHA256 | SHA-256 hash of the file that the recorded action was applied to | 1 |
| MD5 | MD5 hash of the file that the recorded action was applied to | |
| ProcessId | Process ID (PID) of the newly created process | |
| ProcessCommandLine | Command line used to create the new process | |
| AccountName | User name of the account that ran the process | |
| AccountDomain | Domain of the account that ran the process | |
| InitiatingProcessFileName | Name of the process that initiated the event | 10 |
| InitiatingProcessFolderPath | Folder containing the process (image file) that initiated the event | |
| InitiatingProcessSHA256 | SHA-256 hash of the process (image file) that initiated the event | |
| InitiatingProcessCommandLine | Command line used to run the process that initiated the event | |
| InitiatingProcessAccountName | User name of the account that ran the process that initiated the event | |
| InitiatingProcessAccountDomain | Domain of the account that ran the process that initiated the event | |
| InitiatingProcessParentFileName | Name of the parent process that spawned the process that initiated the event | 2 |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. Field names below are the vendor-neutral names used by that analysis; in DeviceProcessEvents they correspond to file_name = FileName, parent_process_name = InitiatingProcessFileName, CommandLine = ProcessCommandLine and IntegrityLevel = ProcessIntegrityLevel. The lsass / -ma / -accepteula trio is the ProcDump LSASS-dump command line; certutil together with http:// or https:// is the certutil download cradle.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| IntegrityLevel | eq | High | 3 rules | kusto, sigma, splunk |
| parent_process_name | in | excel.exe | 3 rules | kusto, splunk |
| parent_process_name | in | winword.exe | 3 rules | kusto, splunk |
| CommandLine | contains | certutil | 2 rules | kusto, sigma |
| parent_process_name | in | powerpnt.exe | 2 rules | kusto, splunk |
| CommandLine | contains | lsass | 2 rules | chronicle, kusto, sigma |
| file_name | in | cmd.exe | 2 rules | kusto |
| CommandLine | contains | -ma | 2 rules | kusto, sigma |
| CommandLine | contains | -accepteula | 2 rules | kusto |
| file_name | contains | msbuild.exe | 2 rules | kusto |
| file_name | eq | ping.exe | 2 rules | kusto |
| parent_process_name | contains | cmd.exe | 2 rules | kusto |
| parent_process_name | contains | powershell.exe | 2 rules | kusto |
| CommandLine | contains | http:// | 1 rule | elastic, kusto, sigma, splunk |
| CommandLine | contains | https:// | 1 rule | elastic, kusto, sigma, splunk |
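The indicator combinations above, written as one advanced hunting query against the real DeviceProcessEvents column names. This is an added example and not a rule from the page or from any of the vendors listed; the process lists, the 7-day window and the technique labels are this example's own assumptions, while the columns (including ProcessVersionInfoOriginalFileName, ProcessIntegrityLevel and InitiatingProcessIntegrityLevel) are part of the documented table schema.

```kusto
// Added example, not part of the page or any vendor rule set.
// Normalized names in the indicator table -> DeviceProcessEvents columns:
//   file_name -> FileName, parent_process_name -> InitiatingProcessFileName,
//   CommandLine -> ProcessCommandLine, IntegrityLevel -> ProcessIntegrityLevel
let lookback = 7d;                                       // assumption
let office_apps  = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]);
let script_hosts = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                            "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ActionType == "ProcessCreated"
| extend Technique = case(
    // ProcDump-style LSASS dump. `has` is term based, so "lsass" also matches
    // "lsass.exe"; `contains` is a substring match and keeps the leading hyphen.
    ProcessCommandLine has "lsass"
        and (ProcessCommandLine contains "-accepteula" or ProcessCommandLine contains "-ma"),
        "LSASS dump via ProcDump-style command line (T1003.001)",
    // Office application spawning a shell or script host (macro execution).
    InitiatingProcessFileName in~ (office_apps) and FileName in~ (script_hosts),
        "Office child process (T1204.002)",
    // certutil download cradle. Matching on the PE OriginalFileName instead of
    // FileName means a renamed copy of certutil.exe is still caught.
    ProcessVersionInfoOriginalFileName =~ "CertUtil.exe"
        and ProcessCommandLine matches regex @"(?i)https?://",
        "Ingress tool transfer via certutil (T1105)",
    // High-integrity shell whose parent ran at medium integrity: the UAC bypass shape.
    ProcessIntegrityLevel == "High" and InitiatingProcessIntegrityLevel == "Medium"
        and FileName in~ ("cmd.exe", "powershell.exe"),
        "High-integrity shell from medium-integrity parent (T1548.002)",
    "")
| where isnotempty(Technique)
| project Timestamp, DeviceName, Technique, AccountDomain, AccountName,
          InitiatingProcessParentFileName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine, SHA256
| order by Timestamp desc
```

Each branch of the `case()` is one indicator family from the table; dropping a branch or tuning a list changes only that family. The `contains "-ma"` substring test will also hit unrelated switches such as `-mail`, which is why it is only evaluated together with the lsass term.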
Detection Rules #
Kusto # (20 of 39 rules shown)
- SUNBURST suspicious SolarWinds child processes (medium): Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html ; https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Dev-0228 File Path Hashes November 2021 (high): This hunting query looks for file paths and hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools such as PsExec and ProcDump to carry out its activity. The risk score associated with each result is based on a number of factors; hosts with higher-risk events should be investigated first.
- Exchange Worker Process Making Remote Call (medium): This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as post-compromise activity following exploitation of CVE-2022-41040 and CVE-2022-41082, where it was used to download additional tools to the server. The activity itself is generic and not tied to those CVEs.
- Probable AdFind Recon Tool Usage (high): This query identifies the host and account that executed AdFind, by hash and filename, together with the flags commonly used by various threat actors during the reconnaissance phase.
- Ingress Tool Transfer - Certutil (low): This detection addresses most of the known ways to use this binary for malicious or unintended purposes. It attempts to accommodate most detection-evasion techniques, such as command-line obfuscation and binary renaming.
- Access Token Manipulation - Create Process with Token (medium): This query detects use of the 'runas' command and checks whether the account used to elevate privileges is not the user's own admin account. Additionally, it matches the event to logon events to check whether the elevation succeeded and to augment the event with the new SID.
- Disable or Modify Windows Defender (medium): This detection watches command-line logs for known commands used to disable Defender AV. It is based on research performed by @olafhartong on a large sample of malware written for varying purposes. Note that this detection is imperfect and is only meant as a basis for building a more resilient rule: currently the order of parameters matters, which you do not want in a production rule, and the current approach can easily be bypassed by not using the powershell.exe executable. See the blog post (https://medium.com/falconforce/falconfriday-av-manipulation-0xff0e-67ed4387f9ab?source=friends_link&sk=3c7c499797bbb4d74879e102ef3ecf8f) for more resilience considerations, and consider adding more ways to detect this behaviour.
- Match Legitimate Name or Location - 2 (medium): Attackers often match or approximate the name or location of legitimate files to evade detection rules that rely on trust in certain operating system processes. This query detects mismatches in the parent-child relationships of core operating system processes to uncover masquerading attempts.
- Oracle suspicious command execution (medium): The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
- Remote Desktop Protocol - SharpRDP (medium): This detection monitors for the behaviour SharpRDP exhibits on the target system. The most relevant part is its use of taskmgr.exe to gain elevated execution, which means taskmgr.exe creates unexpected child processes.
- Rename System Utilities (medium): Attackers often use renamed LOLBINs to avoid detection rules based on filenames. This rule detects renamed LOLBINs by first collecting the SHA1 hashes of the known LOLBINs seen in your DeviceProcessEvents, then using that list to find executions of the same hashes under a filename that does not match the original. This query is heavy on resources; use it with care.
- Suspicious parent-process relationship - Office child processes (medium): The attacker sends a spear-phishing email to a user. The email contains a link to a website that eventually presents the user with a download of an MS Office document containing a malicious macro. The macro spawns a new child process, providing initial access. This detection looks for suspicious parent-process chains starting with a browser that spawns an Office application, which in turn spawns something else.
- Trusted Developer Utilities Proxy Execution (medium): This detection looks at process executions, in some cases with specific command-line attributes, to filter out a lot of common noise.
- Detecting UAC bypass - elevated COM interface (medium): This query identifies processes spawned with high integrity from dllhost.exe with a command line that contains one of three specific CLSID GUIDs.
- Detecting UAC bypass - modify Windows Store settings (medium): This query identifies modification of a specific registry key followed by launching wsreset.exe, which resets the Windows Store settings.
- Detecting UAC bypass - ChangePK and SLUI registry tampering (medium): This query identifies setting a registry key under HKCU, then launching slui.exe and ChangePK.exe.
- Java Executing cmd to run Powershell (high): This query was originally published in the threat analytics report "Sysrv botnet evolution". Sysrv is a Go-based botnet that targets both Windows and Linux servers and steals resources to mine cryptocurrency. The query finds instances of the Java process being used to execute cmd.exe, which then downloads and executes a PowerShell script.
- DopplePaymer Procdump (high): This query was originally published in the threat analytics report "Doppelpaymer: More human-operated ransomware"; there is also a related blog post. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations; for example, they use Sysinternals utilities such as ProcDump to dump credentials from LSASS. They often use the stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization. The query detects ProcDump being used to dump credentials from LSASS. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ ; https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB ; https://docs.microsoft.com/sysinternals/downloads/procdump ; https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- LSASS Credential Dumping with Procdump (high): This query was originally published in the threat analytics report "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four zero-day vulnerabilities affecting Microsoft Exchange Server that were being used in a coordinated attack: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. The query looks for evidence of ProcDump being used to dump credentials from LSASS (the Local Security Authority Subsystem Service), which might indicate an attacker has compromised user accounts. Reference: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
- Doppelpaymer Stop Services (high): This query was originally published in the threat analytics report "Doppelpaymer: More human-operated ransomware"; there is also a related blog post. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. The query detects attempts to stop security services. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ ; https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceprocessevents/
ProcessCreated: Process created
Description #
Process created
Fields #
| Name | Description |
|---|---|
| DeviceId | Unique identifier for the device in the service |
| Timestamp | Date and time when the event was recorded |
| FileName | Name of the file that the recorded action was applied to |
| FolderPath | Folder containing the file that the recorded action was applied to |
| SHA256 | SHA-256 hash of the file that the recorded action was applied to |
| ProcessCommandLine | Command line used to create the new process |
| AccountName | User name of the account that ran the process |
| InitiatingProcessFileName | Name of the process that initiated the event |
| InitiatingProcessCommandLine | Command line used to run the process that initiated the event |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. Field names are the vendor-neutral names used by that analysis: EventType = ActionType, OriginalFileName = ProcessVersionInfoOriginalFileName and ParentCommandLine = InitiatingProcessCommandLine in DeviceProcessEvents. GlobalPrevalence is not a column of the table; it is returned by the FileProfile() enrichment function and is null when Microsoft has no prevalence data for the hash, which is why rules test both a low threshold and is_null.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | ProcessCreated | 8 rules | kusto |
| GlobalPrevalence | lt | 200 | 2 rules | kusto |
| GlobalPrevalence | lt | 100 | 1 rule | kusto |
| GlobalPrevalence | is_null | | 1 rule | kusto |
| OriginalFileName | eq | browsercore.exe | 1 rule | kusto, sigma |
| ParentCommandLine | contains | schedule | 1 rule | kusto, splunk |
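How the GlobalPrevalence, OriginalFileName and ParentCommandLine indicators above fit together in practice: children of the Task Scheduler service, reduced to unique hashes and enriched with FileProfile(). This is an added example, not a rule from the page or any vendor; FileProfile() and its output columns (GlobalPrevalence, GlobalFirstSeen, Signer, SignatureState, IsCertificateValid) are the documented Defender enrichment function, while the 7-day window, the prevalence threshold of 200 and the "Schedule" service-group match are this example's assumptions.

```kusto
// Added example, not part of the page or any vendor rule set.
// GlobalPrevalence, Signer and SignatureState are not DeviceProcessEvents columns;
// they come from invoke FileProfile(), and GlobalPrevalence is null for a hash
// Microsoft has never seen.
let lookback = 7d;                                       // assumption
let rare_threshold = 200;                                // assumption, matches the table
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ActionType == "ProcessCreated"
// Task Scheduler runs inside svchost.exe with the Schedule service group
// (svchost.exe -k netsvcs -p -s Schedule), i.e. ParentCommandLine contains "schedule".
| where InitiatingProcessFileName =~ "svchost.exe"
    and InitiatingProcessCommandLine has "Schedule"
| where isnotempty(SHA256)
// FileProfile enriches at most 1000 rows per query, so collapse to unique hashes first.
| summarize Executions = count(), Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            take_any(FileName, FolderPath, ProcessCommandLine,
                     ProcessVersionInfoOriginalFileName)
    by SHA256
| invoke FileProfile(SHA256, 1000)
| extend Reason = case(
    isnull(GlobalPrevalence), "hash never seen by Microsoft",
    GlobalPrevalence < rare_threshold,
        strcat("rare: global prevalence ", tostring(GlobalPrevalence)),
    SignatureState != "SignedValid",
        strcat("signature state ", SignatureState),
    // OriginalFileName comes from the PE version resource; a mismatch means a rename.
    isnotempty(ProcessVersionInfoOriginalFileName)
        and FileName !~ ProcessVersionInfoOriginalFileName,
        strcat("renamed: OriginalFileName is ", ProcessVersionInfoOriginalFileName),
    "")
| where isnotempty(Reason)
| project SHA256, FileName, FolderPath, ProcessCommandLine, Reason,
          GlobalPrevalence, GlobalFirstSeen, Signer, SignatureState, IsCertificateValid,
          Executions, Devices, FirstSeen, LastSeen
| order by Executions asc
```

Summarizing by hash before the `invoke` is what keeps the query inside FileProfile's per-query limit on a busy tenant. Expect validly signed but rare Microsoft update binaries in the output; the Signer column is there so those can be excluded in a second pass rather than by loosening the threshold.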
Detection Rules #
Kusto #
- Unsigned Windows System Binary: This query searches for invocations of a number of commonly used, normally signed Windows binaries and then finds invocations where they are not properly signed.
- Masquerading Renamed executables of interest: This query searches for the original file name of a set of binaries known to be used by attackers. The OriginalFileName field is then matched against the actual file name; where they do not match the result is returned, indicating the file has been renamed. The original file name is taken from the executable's PE version information (VERSIONINFO resource), i.e. the name the binary had at compile time.
- Suspicious office child process created: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program opening these files (a double-click). If those processes spawn an uncommon child process, it is reported as suspicious.
- Persistence Via Scheduled Tasks: This query identifies binaries that run as scheduled tasks by looking at the parent process command line. Among those, it finds suspicious binaries by looking at the file signature and global prevalence.
- PRT Credential Stealing: This query detects when `BrowserCore.exe` is accessed by a suspicious process. The `BrowserCore.exe` binary is responsible for allowing browser add-ons to use single sign-on via Azure AD. This rule detects when an uncommon process interacts with the `BrowserCore.exe` process.
- SQL Server spawning suspicious child process: This query looks for potential abuse of the SQL Server stored procedure `xp_cmdshell`, which allows command execution on the OS. Running `xp_cmdshell` on the system triggers the following process chain: `sqlservr.exe` => `xp_cmdshell 'whoami'` => `cmd.exe /c whoami` => `whoami.exe`. This rule tries to identify suspicious commands running as a grandchild of `sqlservr.exe`. The rule is based on a block-list of LOLBIN executables and other known recon commands, plus any executable with low prevalence.
- Suspicious MSC File Launched: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files carrying the Mark Of The Web (MOTW).
- Potential Kerberos Relaying Activity - MDE: The query detects a potential Kerberos relaying event chain generated by KrbRelay.
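The "server process spawns a shell which spawns a tool" shape behind the SQL Server rule above (sqlservr.exe => cmd.exe => whoami.exe), and behind the Exchange worker and Java rules in the previous section, written as one query. This is an added example, not a rule from the page or any vendor. Because each DeviceProcessEvents row carries the parent in InitiatingProcessFileName and the grandparent in InitiatingProcessParentFileName, a grandchild chain needs no self-join; the server, shell and tool lists, the 7-day window and the URL regex are this example's assumptions.

```kusto
// Added example, not part of the page or any vendor rule set.
let lookback = 7d;                                       // assumption
let server_parents  = dynamic(["sqlservr.exe", "w3wp.exe", "java.exe", "oracle.exe"]);
let shells          = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe"]);
let recon_or_lolbin = dynamic(["whoami.exe", "net.exe", "net1.exe", "nltest.exe",
    "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "quser.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"]);
let base = DeviceProcessEvents
    | where Timestamp > ago(lookback) and ActionType == "ProcessCreated";
// Grandchild chain: server -> shell -> recon/LOLBIN, or server -> shell -> shell
// whose command line fetches a URL (the java.exe -> cmd.exe -> powershell.exe case).
let grandchild_chain = base
    | where InitiatingProcessParentFileName in~ (server_parents)
    | where InitiatingProcessFileName in~ (shells)
    | where FileName in~ (recon_or_lolbin)
        or (FileName in~ (shells) and ProcessCommandLine matches regex @"(?i)https?://")
    | extend Chain = strcat(InitiatingProcessParentFileName, " -> ",
                            InitiatingProcessFileName, " -> ", FileName);
// Direct child: server -> shell fetching a URL (the w3wp.exe -> powershell.exe case).
let direct_fetch = base
    | where InitiatingProcessFileName in~ (server_parents)
    | where FileName in~ (shells) and ProcessCommandLine matches regex @"(?i)https?://"
    | extend Chain = strcat(InitiatingProcessFileName, " -> ", FileName,
                            " (URL in command line)");
union grandchild_chain, direct_fetch
| project Timestamp, DeviceName, Chain, AccountDomain, AccountName,
          InitiatingProcessParentFileName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
```

The grandchild branch is where `xp_cmdshell` shows up: the row for `whoami.exe` has `cmd.exe` as InitiatingProcessFileName and `sqlservr.exe` as InitiatingProcessParentFileName. Anything deeper than a grandchild (server -> shell -> shell -> tool) is not visible from a single row and would need a join on InitiatingProcessId, which is the point at which the prevalence-based fallback in the SQL Server rule earns its keep.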
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceprocessevents/