Kusto Rule Coverage

84 events across 13 providers with Kusto detection rules, 406 rule mappings total.

Defender-DeviceEvents (6 events, 10 rules) #

DeviceEvents - any - Defender event (any) #
PowerShellCommand - PowerShellCommand - PowerShell command executed #
Suspicious Powershell Commandlet Executed(source) medium - This analytic rule detects when a suspicious PowerShell cmdlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.
AmsiScriptContent - AmsiScriptContent - AMSI script content captured #
Deimos Component Execution(source) high - Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
CreateRemoteThreadApiCall - CreateRemoteThreadApiCall - CreateRemoteThread API call #
Suspicious Process Injection from Office application(source) medium - This query detects process injections using the CreateRemoteThread, QueueUserAPC or SetThreadContext APIs, originating from an Office process (only Word/Excel/PowerPoint) that might contain macros. Performing process injection from a macro is a common technique used by attackers to escape out of the Office process into something longer running.
NamedPipeEvent - NamedPipeEvent - Named pipe event #
Native equivalents: Sysmon EID 17, Sysmon EID 18
UserAccountAddedToLocalGroup - UserAccountAddedToLocalGroup - User account added to local group #
Local Admin Group Changes(source) high - This query searches for changes to the local administrators group. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.

Defender-DeviceFileEvents (3 events, 6 rules) #

DeviceFileEvents - any - File activity (any) #
Native equivalents: Security-Auditing EID 4663, Sysmon EID 11
FileCreated - FileCreated - File created #
Native equivalents: Security-Auditing EID 4663, Sysmon EID 11
FileRenamed - FileRenamed - File renamed #
ASR Bypassing Writing Executable Content(source) medium - The query checks for any file which has been created/written by an Office application and shortly afterwards renamed to one of the deny-listed "executable extensions" that are in fact text-based script files (e.g. .ps1, .js, .vbs).

Defender-DeviceImageLoadEvents (1 event, 2 rules) #

DeviceImageLoadEvents - any - Image load (any) #
Native equivalents: Sysmon EID 7

Defender-DeviceInfo (1 event, 7 rules) #

DeviceInfo - any - Device inventory snapshot #

Defender-DeviceLogonEvents (2 events, 3 rules) #

LogonSuccess - LogonSuccess - Logon succeeded #
Password Spraying(source) medium - This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts with a large number of different accounts. For each account, the attacker uses just a few attempts to prevent account lockout. This query uses the DeviceLogonEvents per machine to detect a password spraying attack. The machine against which the password spraying is performed (can be a DC, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint.
↳ native equivalents: Defender-DeviceLogonEvents LogonFailed, Security-Auditing EID 4624, Security-Auditing EID 4625
Service Accounts Performing Remote PS(source) high - Service Accounts Performing Remote PowerShell. The purpose of this detection is to find service accounts that are performing remote PowerShell sessions. There are two phases to the detection: identify service accounts, then find remote PS cmdlets run by those accounts. To accomplish this, it uses DeviceLogonEvents and DeviceEvents to find cmdlets that meet the criteria. One of the main advantages of this method is that it only requires server telemetry, not telemetry from the attacking client. The first phase relies on DeviceLogonEvents to determine whether an account is a service account or not; consider the following accounts with logons: Random_user has DeviceLogonEvents with logon types 2, 3, 7, 10, 11 and 13, whereas Random_service_account 'should' only have DeviceLogonEvents with type 3, 4 or 5.
↳ native equivalents: Security-Auditing EID 4624
LogonFailed - LogonFailed - Logon failed #
Password Spraying(source) medium - This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts with a large number of different accounts. For each account, the attacker uses just a few attempts to prevent account lockout. This query uses the DeviceLogonEvents per machine to detect a password spraying attack. The machine against which the password spraying is performed (can be a DC, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint.
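Added example (not the Password Spraying rule's own query, and not code from the Azure Sentinel repository): the logic its description gives, written against the Defender DeviceLogonEvents table. It groups failed logons per target device and source IP, keeps only hours with many distinct accounts and few attempts per account, and then goes one step further than the description by joining back LogonSuccess rows from the same source so that a guess that landed during the spray is surfaced with the alert. The thresholds, the one-hour bin and the one-hour grace window after the spray are assumptions to tune per environment and lockout policy.

```kql
// Added example, not the Sentinel rule's own query.
// Assumed thresholds: tune to the environment and its account lockout policy.
let lookback = 1d;
let bin_size = 1h;
let min_failures = 50;          // failed logons from one source against one device per bin
let min_distinct_accounts = 20; // distinct accounts tried per bin
let max_per_account = 3;        // a sprayer stays below the lockout threshold per account
let sprays =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed" and isnotempty(RemoteIP)
    | summarize
        FailedLogons = count(),
        DistinctAccounts = dcount(AccountName),
        TriedAccounts = make_set(AccountName, 50),
        SprayStart = min(Timestamp),
        SprayEnd = max(Timestamp)
        by DeviceName, RemoteIP, TimeBin = bin(Timestamp, bin_size)
    | where FailedLogons >= min_failures and DistinctAccounts >= min_distinct_accounts
    // the spraying signature: breadth across accounts, shallow depth per account
    | extend AttemptsPerAccount = round(todouble(FailedLogons) / DistinctAccounts, 2)
    | where AttemptsPerAccount <= max_per_account
    | extend SprayWindowEnd = SprayEnd + 1h;
let successes =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess" and isnotempty(RemoteIP)
    | project DeviceName, RemoteIP, SuccessTime = Timestamp, SuccessAccount = AccountName;
sprays
| join kind=leftouter successes on DeviceName, RemoteIP
// keep successes that landed during or shortly after the spray; sprays with no success survive the filter
| where isnull(SuccessTime) or SuccessTime between (SprayStart .. SprayWindowEnd)
| summarize
    SucceededAccounts = make_set_if(SuccessAccount, isnotempty(SuccessAccount)),
    TriedAccounts = take_any(TriedAccounts)
    by TimeBin, DeviceName, RemoteIP, FailedLogons, DistinctAccounts, AttemptsPerAccount
// a spray that produced a successful logon is the case worth paging on
| extend Severity = iff(array_length(SucceededAccounts) > 0, "high", "medium")
| order by Severity asc, FailedLogons desc
```

Grouping by RemoteIP rather than only by device is what distinguishes one noisy source from a device that is simply busy; if the sprayer rotates source addresses the per-source counts drop below the thresholds, and a second pass grouped by DeviceName alone is the usual fallback.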

Defender-DeviceNetworkEvents (2 events, 2 rules) #

DeviceNetworkEvents - any - Network activity (any) #
Zinc Actor IOCs files - October 2022(source) high - Identifies a match across filename and commandline IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

Defender-DeviceProcessEvents (1 event, 32 rules) #

DeviceProcessEvents - any - Process activity (any) #
Native equivalents: Security-Auditing EID 4688, Sysmon EID 1

Defender-DeviceRegistryEvents (4 events, 6 rules) #

DeviceRegistryEvents - any - Registry activity (any) #
Potential Fodhelper UAC Bypass (ASIM Version)(source) medium - This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
RegistryKeyDeleted - RegistryKeyDeleted - Registry key deleted #
Potential Fodhelper UAC Bypass (ASIM Version)(source) medium - This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
RegistryValueSet - RegistryValueSet - Registry value set #
RegistryValueDeleted - RegistryValueDeleted - Registry value deleted #
Potential Fodhelper UAC Bypass (ASIM Version)(source) medium - This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
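Added example (not the ASIM query of the Potential Fodhelper UAC Bypass rule listed above, and not code from the Azure Sentinel repository): the same two-stage correlation written directly against the Defender tables this section maps. Stage one is the registry preparation under HKCU\Software\Classes\ms-settings\shell\open\command (the default value carries the payload and an empty DelegateExecute value is set alongside it); stage two is fodhelper.exe starting on the same device within the window; a third, optional join checks whether the key was deleted afterwards, which is why the RegistryKeyDeleted and RegistryValueDeleted events above are mapped to this rule. The one-hour window is the rule's stated default; the column names follow the Defender advanced hunting schema and the key-path matching is an assumption about how the key is rendered in RegistryKey.

```kql
// Added example, not the rule's own (ASIM) query.
// Correlates the fodhelper.exe UAC bypass on Defender advanced hunting tables:
//   1. a value set or key created under ...\Classes\ms-settings\shell\open\command
//   2. fodhelper.exe launched on the same device within the window
//   3. (optional) the key or value deleted afterwards, i.e. attacker cleanup
let lookback = 1d;
let window = 1h;   // the rule's default correlation window; tune as required
let reg_stage =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    // endswith is case-insensitive; has "ms-settings" keeps the filter cheap before the suffix test
    | where RegistryKey has "ms-settings" and RegistryKey endswith @"\shell\open\command"
    | summarize
        RegStart = min(Timestamp),
        RegEnd = max(Timestamp),
        ValuesSet = make_set(RegistryValueName),
        Payload = make_set_if(RegistryValueData, isnotempty(RegistryValueData)),
        SetBy = make_set(InitiatingProcessFileName)
        by DeviceId, DeviceName, AccountName = InitiatingProcessAccountName;
let exec_stage =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "fodhelper.exe"
    | project DeviceId, ExecTime = Timestamp, FodhelperParent = InitiatingProcessFileName,
              ExecAccount = AccountName;
let cleanup_stage =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
    | where RegistryKey has "ms-settings"
    | summarize CleanupTime = min(Timestamp) by DeviceId;
reg_stage
| join kind=inner exec_stage on DeviceId
| where ExecTime between (RegStart .. (RegEnd + window))
| join kind=leftouter cleanup_stage on DeviceId
// null CleanupTime (no deletion seen) evaluates to false here
| extend KeyCleanedUp = isnotnull(CleanupTime) and CleanupTime > ExecTime
| project RegStart, ExecTime, DeviceName, AccountName, ExecAccount, ValuesSet, Payload, SetBy,
          FodhelperParent, KeyCleanedUp
| order by ExecTime desc
```

The Payload column is the value data written to the command key, which is normally the command the bypass runs elevated; SetBy shows which process wrote it (PowerShell or reg.exe rather than an installer is the usual tell), and KeyCleanedUp true after a successful launch is a strong sign the activity was scripted.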

Microsoft-Windows-Eventlog (1 event, 2 rules) #

Security - Event ID 1102 - The audit log was cleared. #
Security Event log cleared(source) medium - Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.
NRT Security Event log cleared(source) medium - Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.

Microsoft-Windows-PowerShell (1 event, 1 rule) #

Operational - Event ID 4104 - Creating Scriptblock text (MessageNumber of MessageTotal). #
Suspicious Powershell Commandlet Executed(source) medium - This analytic rule detects when a suspicious PowerShell cmdlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.

Microsoft-Windows-Security-Auditing (43 events, 217 rules) #

Security - Event ID 412 - AD FS authentication failure. #
AD FS Remote Auth Sync Connection(source) medium - This detection uses Security events from the "AD FS Auditing" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable AD FS auditing on the AD FS Server. References: https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging and https://twitter.com/OTR_Community/status/1387038995016732672
Security - Event ID 501 - AD FS proxy authentication request. #
AD FS Remote Auth Sync Connection(source) medium - This detection uses Security events from the "AD FS Auditing" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable AD FS auditing on the AD FS Server. References: https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging and https://twitter.com/OTR_Community/status/1387038995016732672
Security - Event ID 4624 - An account was successfully logged on. #
Security - Event ID 4625 - An account failed to log on. #
Security - Event ID 4634 - An account was logged off. #
Security - Event ID 4647 - User initiated logoff. #
EatonForeseer - Unauthorized Logins(source) high - Detects Unauthorized Logins into Eaton Foreseer
Security - Event ID 4648 - A logon was attempted using explicit credentials. #
EatonForeseer - Unauthorized Logins(source) high - Detects Unauthorized Logins into Eaton Foreseer
Security - Event ID 4656 - A handle to an object was requested. #
Security - Event ID 4657 - A registry value was modified. #
Security - Event ID 4660 - An object was deleted. #
Potential Fodhelper UAC Bypass (ASIM Version)(source) medium - This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
Security - Event ID 4662 - An operation was performed on an object. #
Native equivalents: Security-Auditing EID 4624
Security - Event ID 4663 - An attempt was made to access an object. #
Security - Event ID 4670 - Permissions on an object were changed. #
Security Service Registry ACL Modification(source) high - Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. Reference on guidance for enabling registry auditing: - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670 - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner - https://github.com/OTRF/Set-AuditRule - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0
Security - Event ID 4675 - SIDs were filtered. #
EatonForeseer - Unauthorized Logins(source) high - Detects Unauthorized Logins into Eaton Foreseer
Security - Event ID 4688 - A new process has been created. (66 rules) #
Security - Event ID 4689 - A process has exited. #
Native equivalents: Security-Auditing EID 4688, Sysmon EID 1, Sysmon EID 5
Security - Event ID 4697 - A service was installed in the system. #
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Security - Event ID 4698 - A scheduled task was created. #
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Security - Event ID 4699 - A scheduled task was deleted. #
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Security - Event ID 4700 - A scheduled task was enabled. #
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Security - Event ID 4701 - A scheduled task was disabled. #
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Security - Event ID 4702 - A scheduled task was updated. #
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Security - Event ID 4720 - A user account was created. #
Security - Event ID 4722 - A user account was enabled. #
User account enabled and disabled within 10 mins(source) medium - Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.
Security - Event ID 4725 - A user account was disabled. #
User account enabled and disabled within 10 mins(source) medium - Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.
Security - Event ID 4726 - A user account was deleted. #
User account created and deleted within 10 mins(source) medium - Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.
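Added example (not the queries of the "User account enabled and disabled within 10 mins" and "User account created and deleted within 10 mins" rules above, and not code from the Azure Sentinel repository): both rules are the same pattern, a pair of account-management events for one account SID within a short window, so a single parameterised KQL function covers both pairs (4722 then 4725, and 4720 then 4726). Pairing on TargetSid rather than TargetUserName matters because a deleted account's name can be reused while its SID cannot. The SecurityEvent table and its column names are those of the Log Analytics Security Events connector; the ten-minute window is the rules' stated default.

```kql
// Added example, not the two rules' own queries.
// One function serves both pairs: pass the first and second event IDs and a label.
let lookback = 1d;
let window = 10m;   // both rules use ten minutes; tune as required
let paired_account_events = (first_id: int, second_id: int, pattern: string) {
    let firsts =
        SecurityEvent
        | where TimeGenerated > ago(lookback) and EventID == first_id
        | project FirstTime = TimeGenerated, Computer, TargetSid, TargetUserName,
                  FirstBy = SubjectUserName;
    let seconds =
        SecurityEvent
        | where TimeGenerated > ago(lookback) and EventID == second_id
        | project SecondTime = TimeGenerated, TargetSid, SecondBy = SubjectUserName;
    firsts
    // the SID is the stable identity of the account; names can be recycled
    | join kind=inner seconds on TargetSid
    | where SecondTime between (FirstTime .. (FirstTime + window))
    | extend Pattern = pattern, Delta = SecondTime - FirstTime
};
union
    (paired_account_events(4720, 4726, "created then deleted")),
    (paired_account_events(4722, 4725, "enabled then disabled"))
| project FirstTime, SecondTime, Delta, Pattern, Computer, TargetUserName, TargetSid, FirstBy, SecondBy
| order by FirstTime desc
```

FirstBy and SecondBy being different administrators, or either being a service or automation account that does not normally touch user objects, is the usual triage question once a pair fires; provisioning pipelines that create-then-disable as a matter of course should be excluded by SubjectUserName rather than by raising the window.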
Security - Event ID 4728 - A member was added to a security-enabled global group. #
User account added to built in domain local or global group(source) low - Identifies when a user account has been added to a privileged built-in domain local group or global group such as Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.
Security - Event ID 4732 - A member was added to a security-enabled local group. #
Security - Event ID 4738 - A user account was changed. #
AD account with Don't Expire Password(source) low - Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".
Security - Event ID 4756 - A member was added to a security-enabled universal group. #
User account added to built in domain local or global group(source) low - Identifies when a user account has been added to a privileged built-in domain local group or global group such as Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.
Security - Event ID 4768 - A Kerberos authentication ticket (TGT) was requested. #
Certified Pre-Owned - TGTs requested with certificate authentication(source) medium - This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
Security - Event ID 5058 - Key file operation. #
Certified Pre-Owned - backup of CA private key - rule 1(source) medium - This query identifies someone that performs a read operation of the CA private key from the key file.
Security - Event ID 5059 - Key migration operation. #
Certified Pre-Owned - backup of CA private key - rule 2(source) medium - This query identifies someone that performs a backup of the CA private key.
Security - Event ID 5136 - A directory service object was modified. #
Security - Event ID 5143 - A network share object was modified. #
Excessive share permissions(source) medium - The query searches for event 5143, which is triggered when a share is created or changed and includes the share permissions. First it checks whether this is a whitelisted share for the system (e.g. domain controller netlogon, print server print$ etc.). The share permissions are then checked for 'allow' rules (A) granted to a number of well-known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. Note: this rule only checks for changed permissions, to prevent repeat alerts if for example a comment is changed but the permissions are not altered.
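Added example (not the Excessive share permissions rule's own query, and not code from the Azure Sentinel repository): the steps the description lists, carried out on event 5143. The old and new security descriptors (OldSD and NewSD, in SDDL) are pulled out of the event's EventData XML, rows whose descriptor did not change are dropped so that comment-only edits do not re-alert, whitelisted shares are skipped, and every allow ACE in the new descriptor is checked against a list of trustees that make a share effectively open (SDDL abbreviations WD, AU, BU, BG, AN, IU and the corresponding SIDs). Extracting the fields from EventData, the trustee list and the whitelisted share names are assumptions; extend the last two to match local policy.

```kql
// Added example, not the "Excessive share permissions" rule's own query.
// Event 5143 carries the share's old and new security descriptor in SDDL form.
let lookback = 7d;
// trustees that make a share open to (nearly) everyone; assumption, extend per policy
let broad_trustees = dynamic(["WD", "AU", "BU", "BG", "AN", "IU",
                              "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-546", "S-1-5-7", "S-1-5-4"]);
// shares that legitimately carry broad read ACLs; assumption, extend per environment
let allowed_shares = dynamic(["NETLOGON", "SYSVOL", "print$"]);
SecurityEvent
| where TimeGenerated > ago(lookback) and EventID == 5143
| extend OldSD = extract(@'<Data Name="OldSD">([^<]*)</Data>', 1, EventData),
         NewSD = extract(@'<Data Name="NewSD">([^<]*)</Data>', 1, EventData),
         ShareName = extract(@'<Data Name="ShareName">([^<]*)</Data>', 1, EventData),
         ShareLocalPath = extract(@'<Data Name="ShareLocalPath">([^<]*)</Data>', 1, EventData)
// permissions unchanged (e.g. only the comment was edited): no alert
| where NewSD != OldSD
// ShareName is rendered as \\*\Name; keep the leaf for the whitelist check
| extend ShareLeaf = tostring(split(ShareName, @"\")[-1])
| where ShareLeaf !in~ (allowed_shares)
// an allow ACE is (A;flags;rights;object_guid;inherit_guid;trustee); capture the trustee
| extend AllowTrustees = extract_all(@'\(A;[^;]*;[^;]*;[^;]*;[^;]*;([^)]+)\)', NewSD)
| mv-expand AllowTrustees to typeof(string)
| where AllowTrustees in (broad_trustees)
| summarize BroadTrustees = make_set(AllowTrustees)
    by TimeGenerated, Computer, SubjectUserName, ShareName, ShareLocalPath, OldSD, NewSD
| project TimeGenerated, Computer, SubjectUserName, ShareName, ShareLocalPath, BroadTrustees, OldSD, NewSD
| order by TimeGenerated desc
```

Keeping OldSD in the output lets the analyst see whether the broad ACE was newly added or merely carried over while something else in the descriptor changed; only the former is worth a ticket, and comparing the two strings in the alert is quicker than re-querying.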
Security - Event ID 5145 - A network share object was checked to see whether client can be granted desired access. #
Security - Event ID 5152 - The Windows Filtering Platform blocked a packet. #
Native equivalents: Security-Auditing EID 5154, Security-Auditing EID 5155, Security-Auditing EID 5156, Security-Auditing EID 5157, Security-Auditing EID 5158, Security-Auditing EID 5159, Sysmon EID 3
Security - Event ID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. #
Native equivalents: Security-Auditing EID 5152, Security-Auditing EID 5155, Security-Auditing EID 5156, Security-Auditing EID 5157, Security-Auditing EID 5158, Security-Auditing EID 5159, Sysmon EID 3
Security - Event ID 5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. #
Native equivalents: Security-Auditing EID 5152, Security-Auditing EID 5154, Security-Auditing EID 5156, Security-Auditing EID 5157, Security-Auditing EID 5158, Security-Auditing EID 5159, Sysmon EID 3
Security - Event ID 5156 - The Windows Filtering Platform has permitted a connection. #
Security - Event ID 5157 - The Windows Filtering Platform has blocked a connection. #
Native equivalents: Security-Auditing EID 5152, Security-Auditing EID 5154, Security-Auditing EID 5155, Security-Auditing EID 5156, Security-Auditing EID 5158, Security-Auditing EID 5159, Sysmon EID 3
Security - Event ID 5158 - The Windows Filtering Platform has permitted a bind to a local port. #
Native equivalents: Security-Auditing EID 5152, Security-Auditing EID 5154, Security-Auditing EID 5155, Security-Auditing EID 5156, Security-Auditing EID 5157, Security-Auditing EID 5159, Sysmon EID 3
Security - Event ID 5159 - The Windows Filtering Platform has blocked a bind to a local port. #
Native equivalents: Security-Auditing EID 5152, Security-Auditing EID 5154, Security-Auditing EID 5155, Security-Auditing EID 5156, Security-Auditing EID 5157, Security-Auditing EID 5158, Sysmon EID 3

Microsoft-Windows-Sysmon (18 events, 117 rules) #

Operational - Event ID 1 - Process creation #
Operational - Event ID 3 - Network connection #
Operational - Event ID 5 - Process terminated #
Native equivalents: Security-Auditing EID 4688, Security-Auditing EID 4689, Sysmon EID 1
Operational - Event ID 7 - Image loaded #
Operational - Event ID 8 - CreateRemoteThread #
Suspicious Process Injection from Office application(source) medium - This query detects process injections using the CreateRemoteThread, QueueUserAPC or SetThreadContext APIs, originating from an Office process (only Word/Excel/PowerPoint) that might contain macros. Performing process injection from a macro is a common technique used by attackers to escape out of the Office process into something longer running.
Operational - Event ID 10 - ProcessAccess #
Dumping LSASS Process Into a File(source) high - Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/
Operational - Event ID 11 - FileCreate #
Operational - Event ID 12 - RegistryEvent (Object create and delete) #
Potential Fodhelper UAC Bypass (ASIM Version)(source) medium - This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
Operational - Event ID 13 - RegistryEvent (Value Set) #
Operational - Event ID 14 - RegistryEvent (Key and Value Rename) #
Potential Fodhelper UAC Bypass (ASIM Version)(source) medium - This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.
Operational - Event ID 17 - PipeEvent (Pipe Created) #
Operational - Event ID 18 - PipeEvent (Pipe Connected) #
Operational - Event ID 19 - WmiEvent (WmiEventFilter activity detected) #
Gain Code Execution on ADFS Server via Remote WMI Execution(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]". For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/. The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details. - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
Operational - Event ID 20 - WmiEvent (WmiEventConsumer activity detected) #
Gain Code Execution on ADFS Server via Remote WMI Execution(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]". For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/. The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details. - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
Operational - Event ID 21 - WmiEvent (WmiEventConsumerToFilter activity detected) #
Gain Code Execution on ADFS Server via Remote WMI Execution(source) medium - This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]". For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/. The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details. - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
Operational - Event ID 22 - DNSEvent (DNS query) #
Operational - Event ID 23 - FileDelete (File Delete archived) #
Native equivalents: Security-Auditing EID 4663, Sysmon EID 11, Sysmon EID 26
Operational - Event ID 26 - FileDeleteDetected (File Delete logged) #
Native equivalents: Security-Auditing EID 4663, Sysmon EID 11, Sysmon EID 23

Service-Control-Manager (1 event, 1 rule) #

System - Event ID 7045 - A service was installed in the system. #
Credential Dumping Tools - Service Installation(source) high - This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.