Trusted Developer Utilities Proxy Execution
This detection looks at process creation events for the trusted .NET developer utilities that T1127 covers (csc.exe, vbc.exe, jsc.exe, ilasm.exe, MSBuild.exe and msxsl.exe). For the compilers it additionally requires command-line switches that emit a binary, which removes most routine build noise, and any execution launched by or from a Visual Studio installation is suppressed. Two details to verify before deploying: the IL Assembler branch is spelled ilsasm.exe in the rule, while the binary ships as ilasm.exe, so that branch cannot match as written; and the Visual Studio exclusion only covers the Program Files (x86) tree, so Visual Studio 2022, which installs under C:\Program Files\Microsoft Visual Studio, is not excluded and builds it launches will surface as hits.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1127 Trusted Developer Utilities Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
Stages and Predicates
Stage 1: source
DeviceProcessEvents
Stage 2: where
macro "(Timestamp > ago(Timeframe))"
Stage 3: where
- and
  - not
    - or
      - and
        - or
          - InitiatingProcessFileName eq "WDExpress.exe"
          - InitiatingProcessFileName eq "devenv.exe"
        - InitiatingProcessFolderPath starts_with "C:\Program Files (x86)\Microsoft Visual Studio"
      - FolderPath starts_with "C:\Program Files (x86)\Microsoft Visual Studio"
  - or
    - and
      - FileName eq "ilsasm.exe"
      - ProcessCommandLine match ["out", "target", "t:", "reference", "r:"]
    - and
      - FileName match ["vbc.exe", "csc.exe", "jsc.exe"]
      - ProcessCommandLine match ["/exe", "/dll", "/pe64", "-exe", "-dll", "-pe64"]
    - FileName match ["msbuild.exe", "msxsl.exe"]
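The predicate tree above assembled back into a single Advanced Hunting query, as an added example rather than the catalog's own rendering of the rule. It assumes the Timeframe macro expands to one day, that "match" on FileName means case-insensitive equality against the listed names, and that "match" on ProcessCommandLine means a case-insensitive substring test; the projected columns at the end are the author's choice, not part of the rule.

```kql
// Added example: the T1127 rule rebuilt from the Stage 1-3 predicates.
// Assumptions: Timeframe = 1d; FileName "match" = in~ (equality, any of);
// ProcessCommandLine "match" = contains (substring, any of).
let Timeframe = 1d;
let vs_root = @"C:\Program Files (x86)\Microsoft Visual Studio";
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
// Stage 3, not(...) branch: drop anything spawned by Visual Studio from its
// install folder, and anything whose own image lives in that folder.
| where not(
        (InitiatingProcessFileName in~ ("WDExpress.exe", "devenv.exe")
            and InitiatingProcessFolderPath startswith vs_root)
        or FolderPath startswith vs_root)
// Stage 3, or(...) branch: the three selection groups.
| where (FileName =~ "ilsasm.exe"
            and (ProcessCommandLine contains "out"
                 or ProcessCommandLine contains "target"
                 or ProcessCommandLine contains "t:"
                 or ProcessCommandLine contains "reference"
                 or ProcessCommandLine contains "r:"))
    or (FileName in~ ("vbc.exe", "csc.exe", "jsc.exe")
            and (ProcessCommandLine contains "/exe"
                 or ProcessCommandLine contains "/dll"
                 or ProcessCommandLine contains "/pe64"
                 or ProcessCommandLine contains "-exe"
                 or ProcessCommandLine contains "-dll"
                 or ProcessCommandLine contains "-pe64"))
    or FileName in~ ("msbuild.exe", "msxsl.exe")
// Triage columns (author's choice): who ran what, from where, launched by what.
| project Timestamp, DeviceName, AccountName,
          FileName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
```

Note that the msbuild.exe and msxsl.exe group carries no command-line condition, so every launch of either binary outside the Visual Studio folder is a hit; on build servers that group is the one to tune first, for example by excluding the build agent's service account or its working directory.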
Exclusions
Predicates under the top-level not(...) branch: an event matching them is suppressed. Rows 1 to 3 combine (a parent named WDExpress.exe or devenv.exe whose own folder is the Visual Studio install tree), while row 4 suppresses on its own.
| # | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | InitiatingProcessFileName | eq | WDExpress.exe |
| 2 | InitiatingProcessFileName | eq | devenv.exe |
| 3 | InitiatingProcessFolderPath | starts_with | C:\Program Files (x86)\Microsoft Visual Studio |
| 4 | FolderPath | starts_with | C:\Program Files (x86)\Microsoft Visual Studio |
Indicators
Each row is a field, operator, and the set of values the rule matches on it, gathered from the selection branch in Stage 3.
| Field | Kind | Values |
|---|---|---|
| FileName | eq | ilsasm.exe |
| FileName | match | vbc.exe, csc.exe, jsc.exe, msbuild.exe, msxsl.exe |
| ProcessCommandLine | match | out, target, t:, reference, r:, /exe, /dll, /pe64, -exe, -dll, -pe64 |