Defender-DeviceProcessEvents

2 ActionTypes

ActionType	Title
any	Process activity (any)
ProcessCreated	Process created

any: Process activity (any)

Table: DeviceProcessEvents

Description

Process activity (any)

Fields #

Name	Description	Rules
`DeviceId`
`DeviceName`
`Timestamp`
`ActionType`
`FileName`		19 detection rules
`FolderPath`
`SHA1`
`SHA256`		1 detection rule
`MD5`
`ProcessId`
`ProcessCommandLine`
`AccountName`
`AccountDomain`
`InitiatingProcessFileName`		10 detection rules
`InitiatingProcessFolderPath`
`InitiatingProcessSHA256`
`InitiatingProcessCommandLine`
`InitiatingProcessAccountName`
`InitiatingProcessAccountDomain`
`InitiatingProcessParentFileName`		2 detection rules

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`IntegrityLevel`	eq	`High`	3 rules	kusto, sigma, splunk
`parent_process_name`	contains	`cmd.exe`	2 rules	kusto
`parent_process_name`	contains	`powershell.exe`	2 rules	kusto
`parent_process_name`	in	`excel.exe`	3 rules	kusto, splunk
`parent_process_name`	in	`winword.exe`	3 rules	kusto, splunk
`CommandLine`	contains	`-accepteula`	2 rules	kusto
`CommandLine`	contains	`-ma`	2 rules	kusto, sigma
`CommandLine`	contains	`certutil`	2 rules	kusto, sigma
`CommandLine`	contains	`lsass`	2 rules	chronicle, kusto, sigma
`EventType`	eq	`InboundConnectionAccepted`	2 rules	kusto
`GlobalPrevalence`	lt	`1000`	2 rules	kusto
`ParentCommandLine`	eq	`svchost.exe -k netsvcs -p -s Schedule`	2 rules	kusto
`file_name`	contains	`msbuild.exe`	2 rules	kusto
`file_name`	eq	`ping.exe`	2 rules	kusto
`file_name`	in	`cmd.exe`	2 rules	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

SUNBURST suspicious SolarWinds child processes source medium: Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
Dev-0228 File Path Hashes November 2021 source high: This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.
Exchange Worker Process Making Remote Call source medium: This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.

Show 17 more (42 total)

Probable AdFind Recon Tool Usage source high: This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.
Ingress Tool Transfer - Certutil source low: This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. It attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.
Access Token Manipulation - Create Process with Token source medium: This query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. Additionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID.
Disable or Modify Windows Defender source medium: This detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying purposes. Note that this detection is imperfect and is only meant to serve as basis for building a more resilient detection rule. Make the detection more resilient, currently the order of parameters matters. You don't want that for a production rule. See blogpost (https://medium.com/falconforce/falconfriday-av-manipulation-0xff0e-67ed4387f9ab?source=friends_link&sk=3c7c499797bbb4d74879e102ef3ecf8f) for more resilience considerations. The current approach can easily be bypassed by not using the powershell.exe executable. Consider adding more ways to detect this behavior.
Match Legitimate Name or Location - 2 source medium: Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes. This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
Oracle suspicious command execution source medium: The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
Remote Desktop Protocol - SharpRDP source medium: This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
Rename System Utilities source medium: Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames. This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename. This query is really heavy on resources. Use it with care.
Suspicious parentprocess relationship - Office child processes. source medium: The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else.
Trusted Developer Utilities Proxy Execution source medium: This detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise.
Detecting UAC bypass - elevated COM interface source medium: This query identifies processes spawned with high integrity from dllhost.exe with a command line that contains one of three specific CLSID GUIDs.
Detecting UAC bypass - modify Windows Store settings source medium: This query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Detecting UAC bypass - ChangePK and SLUI registry tampering source medium: This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
Java Executing cmd to run Powershell source high: This query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
DopplePaymer Procdump source high: This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization. The following query detects ProcDump being used to dump credentials from LSASS. The See also section below lists links to other queries associated with DoppelPaymer. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB https://docs.microsoft.com/sysinternals/downloads/procdump https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
LSASS Credential Dumping with Procdump source high: This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 2. CVE-2021-26857 3. CVE-2021-26858 4. CVE-2021-27065 The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts. More queries related to this threat can be found under the See also section of this page. Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
Doppelpaymer Stop Services source high: This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. The following query detects attempts to stop security services. The See also section below lists links to other queries associated with DoppelPaymer. References: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/ https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceprocessevents/

ProcessCreated: Process created

Table: DeviceProcessEvents

Description

Process created

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA256`
`ProcessCommandLine`
`AccountName`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ProcessCreated`	8 rules	kusto
`GlobalPrevalence`	is_null		1 rule	kusto
`GlobalPrevalence`	lt	`200`	2 rules	kusto
`GlobalPrevalence`	lt	`100`	1 rule	kusto
`GlobalPrevalence`	lt	`250`	1 rule	kusto
`IsCertificateValid`	ne	`1`	1 rule	kusto
`OriginalFileName`	eq	`browsercore.exe`	1 rule	kusto, sigma
`ParentCommandLine`	contains	`schedule`	1 rule	kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Unsigned Windows System Binary source: This query searches for invocations of a number of commonly used and signed Windows binaries. It then finds invocations of these binaries where they are not properly signed.
Masquerading Renamed executables of interest source: This query searches for the original file name of a set of binaries that is known to be used by attackers. The OriginalFileName field is then matched to the actual file name. Where there isn't a match the results are returned, indicating the file has been renamed. The original file name field is derived from the PE header of the executable, which is the name of the binary during compilation.
Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.

Show 5 more (8 total)

Persistence Via Scheduled Tasks source: This query identifies binaries that run as a scheduled task, by looking at the parent process command line. Of the identified binaries running as scheduled tasks it finds suspicious binaries by looking at the file signature and global prevalence.
PRT Credential Stealing source: This query detects when BrowserCore.exe is accessed by a suspicious process. The BrowserCore.exe binary is responsible for allowing browser add-ons to use Single Sign On via Azure AD. This rule detects when an uncommon process interacts with the BrowserCore.exe process.
SQL Server spawning suspicious child process source: This query looks for potential abuse of the SQL Server stored procedure xp_cmdshell which allows command execution on the OS. Running xp_cmdshell on the system triggers the follow process chain: sqlservr.exe => xp_cmdshell 'whoami' => "cmd.exe /c" whoami => whoami.exe. This rule tries to identify running of suspicious commands as a grandchild of sqlservr.exe. The rule is based on a block-list of executables of LOLBINs and other known recon commands or any executable executed with a low prevalence.
Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW).
Potential Kerberos Relaying Activity - MDE source: The below query detects potential Kerberos relaying event chain generated by KrbRelay.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceprocessevents/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Defender-DeviceProcessEvents

any: Process activity (any)

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

ProcessCreated: Process created

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

Keyboard shortcuts

Search operators