Match Legitimate Name or Location - 2
Attackers often match or approximate the name or location of legitimate files to evade detection rules that are based on trust in certain operating system processes. This query detects mismatches in the parent-child relationship of core operating system processes (a core binary launched by a parent that is not one of its expected parents) to uncover several masquerading variants.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1036.005 Masquerading: Match Legitimate Resource Name or Location |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
Stages and Predicates
| Stage | Operator | Predicate / input |
|---|---|---|
| 1 | source | DeviceProcessEvents |
| 2 | extend | |
| 3 | extend | |
| 4 | join | |
| 5 | where | not macro "set_has_element(ExpectedParent, ParentFile)" |
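The following query is an added illustration of the five stages above, not the rule's own KQL (which this page does not reproduce). It assumes the Microsoft Defender for Endpoint advanced hunting schema (DeviceProcessEvents with FileName and InitiatingProcessFileName), and the expected-parent table is a constructed starting set that must be tuned per environment.

```kusto
// Added example, not the rule's own query. Expected parents below are a constructed
// baseline (lower-cased); extend it with environment-specific parents (e.g. EDR agents)
// before alerting on the results, otherwise legitimate launches will surface as mismatches.
let ExpectedParents = datatable(ChildFile:string, ExpectedParent:dynamic) [
    "smss.exe",     dynamic(["system", "smss.exe"]),
    "csrss.exe",    dynamic(["smss.exe"]),
    "wininit.exe",  dynamic(["smss.exe"]),
    "winlogon.exe", dynamic(["smss.exe"]),
    "services.exe", dynamic(["wininit.exe"]),
    "lsass.exe",    dynamic(["wininit.exe"]),
    "svchost.exe",  dynamic(["services.exe", "msmpeng.exe"]),
    "spoolsv.exe",  dynamic(["services.exe"]),
    "taskhostw.exe",dynamic(["svchost.exe"]),
    "runtimebroker.exe", dynamic(["svchost.exe"])
];
// Stage 1: source
DeviceProcessEvents
| where Timestamp > ago(1d)
// Stage 2 and 3: normalise child and parent image names so the lookup is case-insensitive
| extend ChildFile = tolower(FileName)
| extend ParentFile = tolower(InitiatingProcessFileName)
// Stage 4: only core OS binaries present in the baseline are evaluated
| join kind=inner (ExpectedParents) on ChildFile
// Stage 5: keep launches whose actual parent is not in the allowed set
| where not(set_has_element(ExpectedParent, ParentFile))
// Path columns help triage: a core name from a non-system folder is the classic masquerade
| project Timestamp, DeviceName, ChildFile, FolderPath, ProcessCommandLine,
          ParentFile, InitiatingProcessFolderPath, ExpectedParent
| order by Timestamp desc
```

Running it once over a longer window and summarising by ChildFile and ParentFile is a quick way to find benign parents missing from the baseline before the rule is enabled.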