Detection rules › Kusto Query Language

AV detections related to Tarrask malware

Source: upstream

'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/'

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053` Scheduled Task/Job
Persistence	`T1053` Scheduled Task/Job
Privilege Escalation	`T1053` Scheduled Task/Job

Event coverage

Provider	Event ID	Title
Defender-DeviceInfo	9008000	Device inventory snapshot

Stages and Predicates

Stage 1: `source`

DeviceInfo

AV detections related to Tarrask malware

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `extend`

Stage 3: `join`

Stage 4: `summarize`

Stage 5: `extend`

Stage 6: `extend`

Keyboard Shortcuts

AV detections related to Tarrask malware

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: extend

Stage 3: join

Stage 4: summarize

Stage 5: extend

Stage 6: extend

Stage 1: `source`

Stage 2: `extend`

Stage 3: `join`

Stage 4: `summarize`

Stage 5: `extend`

Stage 6: `extend`