
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)

Author
Microsoft Security Community
Source
upstream

This detection highlights executables deployed to hosts via either the Default Domain Policy or the Default Domain Controllers Policy. These two policies apply to every host or every Domain Controller in the domain, and best practice is not to use them for deploying files. A threat actor who can edit them may use them to deploy files or scripts to all hosts in a domain. This query uses the ASIM parsers, which must be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization

MITRE ATT&CK coverage

Tactic            Techniques
Execution         T1072 Software Deployment Tools
Lateral Movement  T1072 Software Deployment Tools, T1570 Lateral Tool Transfer

Event coverage

Provider           Event ID  Title
Sysmon             1         Process creation
Sysmon             5         Process terminated
Security-Auditing  4688      A new process has been created.
Security-Auditing  4689      A process has exited.

Stages and Predicates

Stage 1: source

imProcess

Stage 2: where time_window=86400s

 macro "(TimeGenerated > ago(1d))"

Stage 3: where

Process match ["Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}"]

{31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy and {6AC1786C-016F-11D2-945F-00C04fB984F9} is the Default Domain Controllers Policy; both GUIDs are fixed and identical in every Active Directory domain, so the match works without per-environment tuning.

Stage 4: where

not
  Process eq "known_processes"

Stage 5: summarize

Stage 6: extend

Stage 7: extend

Stage 8: project-away
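The stages above can be replayed outside Sentinel to check what the predicates actually catch. The following is an added example, not the upstream KQL: it applies the time window, the two-GUID path match, the known-process exclusion and the summarize step to a handful of constructed ASIM-style process events. Field names follow the ASIM process-event schema (TimeGenerated, DvcHostname, Process, ActorUsername); the sample paths, hostnames, users and the contents of the known-process list are invented for the demonstration. The path match is done case-insensitively, since the upstream pattern carries a lowercase "f" in the DC policy GUID and a case-sensitive comparison would silently miss an uppercase SYSVOL path.

```python
import re
from datetime import datetime, timedelta, timezone

# GUIDs from the rule's Stage 3 predicate. These are the well-known identifiers of
# the two built-in policies and are the same in every Active Directory domain.
DEFAULT_DOMAIN_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"  # Default Domain Policy
DEFAULT_DC_POLICY_GUID = "6AC1786C-016F-11D2-945F-00C04fB984F9"      # Default Domain Controllers Policy

# Stage 3: executable path points into one of the two policies' SYSVOL folders.
# IGNORECASE matters: the DC GUID above has a lowercase 'f', real paths may not.
GPO_PATH_RE = re.compile(
    r"Policies\\\{(" + DEFAULT_DOMAIN_POLICY_GUID + "|" + DEFAULT_DC_POLICY_GUID + r")\}",
    re.IGNORECASE,
)

# Stage 2: TimeGenerated > ago(1d)
TIME_WINDOW = timedelta(days=1)

# Constructed SYSVOL root (assumption, not a real domain).
SYSVOL = r"\\corp.example\SYSVOL\corp.example\Policies"

# Stage 4: the catalog shows the placeholder "known_processes"; a deployment would
# fill this with reviewed executables. One invented entry is used here.
KNOWN_PROCESSES = {
    SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\inventory.exe",
}


def policy_name(process):
    """Stage 6-style enrichment: which default policy the path belongs to, or None."""
    m = GPO_PATH_RE.search(process)
    if m is None:
        return None
    if m.group(1).upper() == DEFAULT_DC_POLICY_GUID.upper():
        return "Default Domain Controllers Policy"
    return "Default Domain Policy"


def detect(events, now):
    """Apply the rule's stages to ASIM-style process events and return summarized hits."""
    cutoff = now - TIME_WINDOW
    known = {p.lower() for p in KNOWN_PROCESSES}
    groups = {}
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:          # Stage 2: outside the 1-day window
            continue
        proc = ev["Process"]
        if not GPO_PATH_RE.search(proc):            # Stage 3: not under a default policy
            continue
        if proc.lower() in known:                   # Stage 4: reviewed, known executable
            continue
        key = (ev["DvcHostname"], proc)             # Stage 5: summarize per host and executable
        g = groups.setdefault(key, {"First": ev["TimeGenerated"], "Last": ev["TimeGenerated"],
                                    "Count": 0, "Users": set()})
        g["First"] = min(g["First"], ev["TimeGenerated"])
        g["Last"] = max(g["Last"], ev["TimeGenerated"])
        g["Count"] += 1
        g["Users"].add(ev["ActorUsername"])
    return [
        {"DvcHostname": host, "Process": proc, "Policy": policy_name(proc),
         "FirstSeen": g["First"], "LastSeen": g["Last"], "Count": g["Count"],
         "Users": sorted(g["Users"])}
        for (host, proc), g in sorted(groups.items())
    ]


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def sample_events():
    """Constructed events, not real telemetry."""
    t = lambda hours: NOW - timedelta(hours=hours)
    dom = SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}"
    payload = dom + r"\User\Scripts\Logon\payload.exe"
    return [
        # DC policy startup script; GUID in the path is all uppercase and must still match
        {"TimeGenerated": t(2), "DvcHostname": "DC01", "ActorUsername": "SYSTEM",
         "Process": SYSVOL + r"\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\update.exe"},
        # Default Domain Policy logon script seen twice on one host under two users
        {"TimeGenerated": t(3), "DvcHostname": "WS02", "ActorUsername": "alice", "Process": payload},
        {"TimeGenerated": t(1), "DvcHostname": "WS02", "ActorUsername": "bob", "Process": payload},
        # Known, reviewed executable: suppressed by Stage 4
        {"TimeGenerated": t(1), "DvcHostname": "WS01", "ActorUsername": "SYSTEM",
         "Process": dom + r"\Machine\Scripts\Startup\inventory.exe"},
        # Same payload three days ago: outside the window
        {"TimeGenerated": t(72), "DvcHostname": "WS04", "ActorUsername": "erin", "Process": payload},
        # Ordinary process and a script from some other GPO: neither matches Stage 3
        {"TimeGenerated": t(1), "DvcHostname": "WS03", "ActorUsername": "carol",
         "Process": r"C:\Windows\System32\svchost.exe"},
        {"TimeGenerated": t(1), "DvcHostname": "WS05", "ActorUsername": "dave",
         "Process": SYSVOL + r"\{0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B}\Machine\Scripts\Startup\tool.exe"},
    ]


def run_example():
    return detect(sample_events(), NOW)


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

Running it yields two hits: the DC01 startup executable attributed to the Default Domain Controllers Policy, and the WS02 logon executable attributed to the Default Domain Policy with a count of two and both users. The three-day-old event, the reviewed inventory.exe, the ordinary svchost.exe and the executable from an unrelated GPO are all dropped, which is the behaviour the stages describe: only the two built-in policies are in scope, so a deployment through any other GPO needs a different rule.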

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage  Field    Kind  Excluded values
1      Process  eq    known_processes

Indicators

Each row is a field, operator, and value that the rule matches.

Field    Kind   Values
Process  match  • Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}
                • Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}