31 строка
1.5 KiB
YAML
31 строка
1.5 KiB
YAML
id: 3712595d-6f47-416b-963a-605201ed2764
|
|
name: Least Common Parent And Child Process Pairs
|
|
description: |
|
|
'Looks across your environment for least common Parent/Child process combinations.
|
|
Will possibly find some malicious activity disguised as well known process names.
|
|
By ZanCo'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Execution
|
|
query: |
|
|
|
|
let Allowlist = dynamic (['foo.exe', 'baz.exe']);
|
|
let Sensitivity = 5;
|
|
let StartDate = ago(7d);
|
|
let Duration = 7d;
|
|
SecurityEvent
|
|
| where EventID == 4688 and TimeGenerated > StartDate and TimeGenerated < (StartDate + Duration) and isnotnull(ParentProcessName)
|
|
| extend ProcArray = split(NewProcessName, '\\'), ParentProcArray = split(ParentProcessName, '\\')
|
|
// ProcArrayLength is Folder Depth
|
|
| extend ProcArrayLength = arraylength(ProcArray), ParentProcArrayLength = arraylength(ParentProcArray)
|
|
| extend LastIndex = ProcArrayLength - 1, ParentLastIndex = ParentProcArrayLength - 1
|
|
| extend Proc = ProcArray[LastIndex], ParentProc = ParentProcArray[ParentLastIndex]
|
|
| where Proc !in (Allowlist)
|
|
| extend ParentChildPair = strcat(ParentProc , ' > ', Proc)
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TimesSeen = count(), HostCount = dcount(Computer), Hosts = makeset(Computer), UserCount = dcount(SubjectUserName), Users = makeset(SubjectUserName) by ParentChildPair
|
|
| where TimesSeen < Sensitivity
|
|
| extend timestamp = StartTimeUtc
|
|
|