Detection rules › Kusto Query Language
New EXE deployed via Default Domain or Default Domain Controller Policies
This detection highlights executables deployed to hosts via either the Default Domain Policy or the Default Domain Controllers Policy. These policies apply to every host or every Domain Controller in the domain, and best practice is not to use them to deploy files. A threat actor may abuse them to push files or scripts to all hosts in a domain at once.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1072 Software Deployment Tools |
| Lateral Movement | T1072 Software Deployment Tools, T1570 Lateral Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: source
SecurityEvent
Stage 2: where time_window=86400s
macro "(TimeGenerated > ago(1d))"
Stage 3: where
EventID eq "4688"
Stage 4: where
NewProcessName match ["Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}"]
Stage 5: where
not
Process eq "known_processes"
Stage 6: summarize
Stage 7: extend
Stage 8: extend
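The eight stages above, reassembled as one query against the Log Analytics SecurityEvent table. This is an added example, not the catalog's own query text. The page lists the summarize and extend stages without defining them, so the grouping keys, the contents of the known_processes allow-list and the two derived columns (PolicyName, Severity) are assumptions chosen for illustration; the time window, the event ID and the two policy GUIDs are taken from the stages as written.

```kusto
// Added example: reconstruction of the rule's stages as a runnable KQL query.
// Assumed: known_processes contents, summarize keys, PolicyName and Severity columns.
let known_processes = dynamic([
    // Assumed placeholder; list only executables your domain legitimately
    // deploys through these policies (ideally none).
    "PLACEHOLDER_approved_tool.exe"
]);
let default_domain_policy = "{31B2F340-016D-11D2-945F-00C04FB984F9}";
let default_dc_policy     = "{6AC1786C-016F-11D2-945F-00C04fB984F9}";
SecurityEvent
// Stage 2: 24 hour look-back window
| where TimeGenerated > ago(1d)
// Stage 3: process creation events only
| where EventID == 4688
// Stage 4: image path sits under one of the two default policy folders in SYSVOL.
// (?i) is added because the GUID casing on disk differs from the casing in the
// rule's pattern and "matches regex" is case-sensitive.
| where NewProcessName matches regex @"(?i)Policies\\\{(6AC1786C-016F-11D2-945F-00C04FB984F9|31B2F340-016D-11D2-945F-00C04FB984F9)\}"
// Stage 5: suppress allow-listed executables (case-insensitive)
| where Process !in~ (known_processes)
// Stage 6: one row per host, account and deployed image (assumed grouping keys)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Executions = count(), CommandLines = make_set(CommandLine, 10)
    by Computer, Account, NewProcessName, Process
// Stage 7: label which default policy the path belongs to (assumed column)
| extend PolicyName = case(
    NewProcessName contains default_dc_policy,     "Default Domain Controllers Policy",
    NewProcessName contains default_domain_policy, "Default Domain Policy",
    "Unknown")
// Stage 8: a file reaching every Domain Controller is the higher-impact case (assumed column)
| extend Severity = iff(PolicyName == "Default Domain Controllers Policy", "High", "Medium")
| order by LastSeen desc
```

Running this in a workspace that forwards 4688 events returns one row per distinct image launched from either policy folder in the last day, with the set of command lines seen and a label for which policy carried it; an empty result is the expected steady state, since neither default policy should be delivering executables.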
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | Process | eq | known_processes |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventID | eq | 4688 |
| NewProcessName | match | Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}, Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9} |