### Sensitive File Access and Service Installation Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Documents events related to accessing sensitive files that match Data Loss Prevention (DLP) policies and the installation of new services. ```APIDOC SensitiveFileRead: Description: A file that matched DLP policy was accessed or processes that are reading sensitive files such as ssh keys, Outlook mail archives etc. ServiceInstalled: Description: A service was installed. This is based on Windows event ID 4697, which requires the advanced security audit setting Audit Security System Extension. ``` -------------------------------- ### Install Microsoft Graph PowerShell Module Source: https://github.com/attackthesoc/azure-secops/blob/main/README.md Installs the Microsoft Graph PowerShell module for current user. This is a prerequisite for running Microsoft Graph PowerShell scripts. ```powershell Install-Module Microsoft.Graph -Scope CurrentUser ``` -------------------------------- ### Identify Low Prevalence Service Installations Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Endpoint/Low Prev Svc Installs by SvcName.md This KQL query identifies services installed with low prevalence across devices. It first defines a set of suspicious services based on their installation count (<= 3) and then filters the DeviceEvents to show details for these services, excluding those with a manual start type. ```KQL let susServices = DeviceEvents | where ActionType == "ServiceInstalled" | extend AdditionalFieldsParsed = parse_json(AdditionalFields) | evaluate bag_unpack(AdditionalFieldsParsed) //| where ServiceStartType != 3 // uncomment to exclude services installed with a start type of Manual | extend ServiceName = extract("^[a-zA-Z]+", 0, ServiceName) | summarize any(ReportId), count() by ServiceName | where count_ <= 3 | project any_ReportId; DeviceEvents | where ActionType == "ServiceInstalled" and ReportId in (susServices) | extend AdditionalFieldsParsed = parse_json(AdditionalFields) | evaluate bag_unpack(AdditionalFieldsParsed) | where ServiceStartType != 3 | extend ServiceName = extract("^[a-zA-Z]+", 0, ServiceName) ``` -------------------------------- ### Identify Multiple Missing Agents Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Endpoint/EndpointMissingAgents.md This KQL query identifies devices missing one or more specified security agents. It identifies active devices through logon events and then compares the installed software in DeviceTvmSoftwareInventory against a list of target agents, highlighting any discrepancies. ```KQL let targetAgents = dynamic(["", ""]); let activeDevices = DeviceLogonEvents | where TimeGenerated > ago(7d) | where LogonType == "Interactive"// or LogonType == "RemoteInteractive" | where AccountDomain == "" //set your domain | distinct DeviceName; DeviceTvmSoftwareInventory | where DeviceName in~ (activeDevices) | summarize Software = make_set(SoftwareName) by DeviceName | extend MissingAgents = set_difference(targetAgents, Software) | project-away Software ``` -------------------------------- ### Identify a Specific Missing Agent Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Endpoint/EndpointMissingAgents.md This KQL query identifies devices that are missing a particular security agent. It first finds active devices based on user logon events within the last 7 days and a specified domain, then checks the DeviceTvmSoftwareInventory to see which agents are installed, filtering for devices where the target agent is not present. ```KQL let targetAgent = ""; let activeDevices = DeviceLogonEvents | where TimeGenerated > ago(7d) | where LogonType == "Interactive"// or LogonType == "RemoteInteractive" | where AccountDomain =~ "" //set your domain | distinct DeviceName; DeviceTvmSoftwareInventory // according to the docs software inventory syncs every 24 hours but I reccomend | where DeviceName in~ (activeDevices) | summarize Software = tostring(make_set(SoftwareName)) by DeviceName | where Software !has targetAgent ``` -------------------------------- ### User Provisioning API/SCIM Failures Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Reports/UserProvisioningFailures.md This section outlines the API and SCIM (System for Cross-domain Identity Management) methods used for user provisioning and how to identify failures. It covers the general approach to querying logs for provisioning errors and extracting relevant details. ```APIDOC API/SCIM User Provisioning Failures: Purpose: To identify and retrieve error information for user provisioning failures related to enterprise applications. Methods: - SCIM Provisioning Endpoints: Standard SCIM endpoints (e.g., /Users, /Groups) are used for user and group provisioning. Failures can occur during create, update, or delete operations. - Audit Logs: System audit logs (e.g., Azure AD Audit Logs, Defender XDR AuditLogs) record provisioning events and their outcomes. Error Identification: - Filter audit logs for operations related to user provisioning (e.g., 'Process escrow', 'Create User', 'Update User'). - Look for entries where the 'Result' is 'failure' or similar indicators. - Parse log details to extract specific error messages, often prefixed with 'Error:'. Example Log Fields (Conceptual): - OperationName: The specific provisioning action (e.g., 'Process escrow'). - Result: The outcome of the operation (e.g., 'success', 'failure'). - ResultDescription: Detailed description of the operation's outcome, including error messages. - TargetResources: Array containing information about the target resource, often including display names for applications and users. Dependencies: - Access to Azure AD or Defender XDR audit logs. - Understanding of SCIM protocol and provisioning workflows. Limitations: - Specific log field names and structures may vary depending on the exact service and configuration. ``` -------------------------------- ### Live Response API Session Review Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Endpoint/Live Response via API Session Review.md This KQL query correlates commands run during a Live Response session initiated via API on individual endpoints using the row_window_session function. It identifies the Device name, binaries run, and the corresponding Live Response API command string. The query joins CloudAppEvents with DeviceProcessEvents to link API actions to specific processes and filters out noisy processes and certain configuration strings. ```KQL let lrSessionStarted = CloudAppEvents | where ActionType == "RunLiveResponseApi" | extend DeviceId = tostring(parse_json(RawEventData)["DeviceId"]) | extend CommandsString = tostring(parse_json(RawEventData)["CommandsString"]) | project TimeGenerated, DeviceId, CommandsString; let PIDs = lrSessionStarted | join kind=inner DeviceProcessEvents on $right.DeviceId == $left.DeviceId | extend timeDiff = abs(datetime_diff('second', TimeGenerated1, TimeGenerated))// <= 120 | where timeDiff <= 300 // Consider commenting out the line above ^^^ played with the idea of joining only where the event // occurred within minutes of eachother but there could easily be too much latency though and log ingest lag time | where InitiatingProcessCommandLine startswith @"""SenseIR.exe"" ""OnlineSenseIR"" | project DeviceId, ProcessId, CommandsString; PIDs | join DeviceProcessEvents on $right.InitiatingProcessId == $left.ProcessId , $right.DeviceId == $left.DeviceId | where FileName !in ("csc.exe", "conhost.exe") // noisy processes | where InitiatingProcessFileName == "powershell.exe" and InitiatingProcessFileName == "powershell.exe" | where ProcessCommandLine !contains "ew0KICAgICJTY2FubmVyQXJncyI" // Disovery scan configs | where InitiatingProcessCommandLine !contains "eyJEZXRlY3Rpb25LZXlzIjp" // MDE deception lure configs | sort by DeviceId, TimeGenerated asc | extend EventSessionId = row_window_session(TimeGenerated, 10m, 3m, DeviceId != prev(DeviceId)) | project DeviceName, TimeGenerated, FileName, ProcessCommandLine, EventSessionId, CommandsString ``` -------------------------------- ### Process and Shell Link Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Covers events related to setting thread context via remote API calls and the creation of specially crafted shell link files. ```APIDOC SetThreadContextRemoteApiCall: Description: The context of a thread was set from a user-mode process. ShellLinkCreateFileEvent: Description: A specially crafted link file (.lnk) was generated. The link file contains unusual attributes that might launch malicious code along with a legitimate file or application. ``` -------------------------------- ### Process and File System Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Documents events related to file modifications, process creation, memory manipulation, network shares, and removable storage access. ```APIDOC FileTimestampModificationEvent: Description: File timestamp information was modified. LdapSearch: Description: An LDAP search was performed. LogonRightsSettingEnabled: Description: Interactive logon rights on the machine were granted to a user. MemoryRemoteProtect: Description: A process has modified the protection mask for a memory region used by another process. This might allow execution of content from non-executable memory. NamedPipeEvent: Description: A named pipe was created or opened. NetworkProtectionUserBypassEvent: Description: A user has bypassed network protection and accessed a blocked IP address, domain, or URL. NetworkShareObjectAccessChecked: Description: A request was made to access a file or folder shared on the network and permissions to the share was evaluated. NetworkShareObjectAdded: Description: A file or folder was shared on the network. NetworkShareObjectDeleted: Description: A file or folder shared on the network was deleted. NetworkShareObjectModified: Description: A file or folder shared on the network was modified. PasswordChangeAttempt: Description: An attempt to change a user password was made. PlistPropertyModified: Description: A property in the plist was modified. PnpDeviceAllowed: Description: Device control allowed a trusted plug and play (PnP) device. PnpDeviceBlocked: Description: Device control blocked an untrusted plug and play (PnP) device. PnpDeviceConnected: Description: A plug and play (PnP) device was attached. PowerShellCommand: Description: A PowerShell alias function filter cmdlet external script application script workflow or configuration was executed from a PowerShell host process. PrintJobBlocked: Description: Device control prevented an untrusted printer from printing. ProcessCreatedUsingWmiQuery: Description: A process was created using Windows Management Instrumentation (WMI). ProcessPrimaryTokenModified: Description: A process's primary token was modified. PTraceDetected: Description: A process trace (ptrace) was found to have occurred on this device. RemoteDesktopConnection: Description: A Remote Desktop connection was established RemoteWmiOperation: Description: A Windows Management Instrumentation (WMI) operation was initiated from a remote device. RemovableStorageFileEvent: Description: Removable storage file activity matched a device control removable storage access control policy. RemovableStoragePolicyTriggered: Description: Device control detected an attempted read/write/execute event from a removable storage device. SafeDocFileScan: Description: SafeDoc file scan event. ``` -------------------------------- ### Identify User Provisioning Failures (Defender XDR) Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Reports/UserProvisioningFailures.md This KQL query retrieves a report on the latest application user provisioning (API/SCIM) failures. It filters for operations related to 'Process escrow' with a 'failure' result, extracts application and target user display names, and isolates error details. The query then summarizes the latest error details for each application and target user combination. ```KQL // Retrieve a report on the latest application user provisioning (api/scim) failures AuditLogs | where OperationName == @"Process escrow" and Result == @"failure" | extend ApplicationName = tostring(parse_json(TargetResources)[0]["displayName"]) | extend TargetUserDisplayName = tostring(parse_json(TargetResources)[1]["displayName"]) | extend ErrorDetails = substring(ResultDescription, indexof(ResultDescription, "Error:")) | summarize arg_max(TimeGenerated, ErrorDetails) by ApplicationName, TargetUserDisplayName ``` -------------------------------- ### Review Live Response Session Commands Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Endpoint/Live Response Session Review.md This KQL query correlates commands executed during a Live Response session on endpoints managed by Microsoft Defender for Endpoint. It filters out noisy processes and specific command-line arguments related to discovery scans and deception lures, then groups events into sessions based on time and device. ```KQL let PIDs = DeviceProcessEvents | where InitiatingProcessCommandLine startswith @"""SenseIR.exe"" ""OnlineSenseIR""" | project DeviceId, ProcessId; PIDs | join DeviceProcessEvents on $right.InitiatingProcessId == $left.ProcessId , $right.DeviceId == $left.DeviceId | where FileName !in ("csc.exe", "conhost.exe") // noisy processes | where InitiatingProcessFileName == "powershell.exe" | where ProcessCommandLine !contains "ew0KICAgICJTY2FubmVyQXJncyI" // Disovery scan configs | where InitiatingProcessCommandLine !contains "eyJEZXRlY3Rpb25LZXlzIjp" // MDE deception lure configs | sort by DeviceId, TimeGenerated asc | extend EventSessionId = row_window_session(TimeGenerated, 10m, 3m, DeviceId != prev(DeviceId)) | project DeviceName, TimeGenerated, FileName, ProcessCommandLine, EventSessionId ``` -------------------------------- ### Other Security Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Documentation for various other security-related events, including audit policy changes, BitLocker status, Bluetooth policy triggers, browser URL handling, brute-force detection, Control Flow Guard violations, Controlled Folder Access, remote thread creation, credential backup, device attestation, directory service changes, DNS responses, DPAPI access, driver loading, and Exploit Protection events. ```APIDOC AuditPolicyModification: Description: Changes in the Windows audit policy (which feed events to the event log). BitLockerAuditCompleted: Description: An audit for BitLocker encryption was completed. BluetoothPolicyTriggered: Description: A Bluetooth service activity was allowed or blocked by a device control policy. BrowserLaunchedToOpenUrl: Description: A web browser opened a URL that originated as a link in another application. BruteForceActivityDetected: Description: Brute-force attempts to sign in were detected by Microsoft Defender for Endpoint. ControlFlowGuardViolation: Description: Control Flow Guard terminated an application after detecting an invalid function call. ControlledFolderAccessViolationAudited: Description: Controlled folder access detected an attempt to modify a protected folder. ControlledFolderAccessViolationBlocked: Description: Controlled folder access blocked an attempt to modify a protected folder. CreateRemoteThreadApiCall: Description: A thread that runs in the virtual address space of another process was created. CredentialsBackup: Description: The backup feature in Credential Manager was initiated. DeviceBootAttestationInfo: Description: System Guard generated a boot-time attestation report. DirectoryServiceObjectCreated: Description: An object was added to the directory service. DirectoryServiceObjectModified: Description: An object in the directory service was modified. DnsQueryResponse: Description: A response to a DNS query was sent. DpapiAccessed: Description: Decription of saved sensitive data encrypted using DPAPI. DriverLoad: Description: A driver was loaded. ExploitGuardAcgAudited: Description: Arbitrary code guard (ACG) in exploit protection detected an attempt to modify code page permissions or create unsigned code pages. ExploitGuardAcgEnforced: Description: Arbitrary code guard (ACG) blocked an attempt to modify code page permissions or create unsigned code pages. ExploitGuardChildProcessAudited: Description: Exploit protection detected the creation of a child process. ExploitGuardChildProcessBlocked: Description: Exploit protection blocked the creation of a child process. ExploitGuardEafViolationAudited: Description: Export address filtering (EAF) in exploit protection detected possible exploitation activity. ExploitGuardEafViolationBlocked: Description: Export address filtering (EAF) in exploit protection blocked possible exploitation activity. ExploitGuardIafViolationAudited: Description: Import address filtering (IAF) in exploit protection detected possible exploitation activity. ExploitGuardIafViolationBlocked: Description: Import address filtering (IAF) in exploit protection blocked possible exploitation activity. ExploitGuardLowIntegrityImageAudited: Description: Exploit protection detected the launch of a process from a low-integrity file. ExploitGuardLowIntegrityImageBlocked: Description: Exploit protection blocked the launch of a process from a low-integrity file. ``` -------------------------------- ### SmartScreen Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Details events where Microsoft Defender SmartScreen provided warnings or was overridden by a user regarding application execution, web exploits, or URLs. ```APIDOC SmartScreenAppWarning: Description: SmartScreen warned about running a downloaded application that is untrusted or malicious. SmartScreenExploitWarning: Description: SmartScreen warned about opening a web page that contains an exploit. SmartScreenUrlWarning: Description: SmartScreen warned about opening a low-reputation URL that might be hosting malware or is a phishing site. SmartScreenUserOverride: Description: A user has overridden a SmartScreen warning and continued to open an untrusted app or a low-reputation URL. ``` -------------------------------- ### Windows Defender Antivirus Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Events related to the operation and detection capabilities of Windows Defender Antivirus. ```APIDOC AntivirusDefinitionsUpdated: Description: Security intelligence updates for Windows Defender Antivirus were applied successfully. AntivirusDefinitionsUpdateFailed: Description: Security intelligence updates for Windows Defender Antivirus were not applied. AntivirusDetection: Description: Windows Defender Antivirus detected a threat. AntivirusEmergencyUpdatesInstalled: Description: Emergency security intelligence updates for Windows Defender Antivirus were applied. AntivirusError: Description: Windows Defender Antivirus encountered an error while taking action on malware or a potentially unwanted application. AntivirusMalwareActionFailed: Description: Windows Defender Antivirus attempted to take action on malware or a potentially unwanted application but the action failed. AntivirusMalwareBlocked: Description: Windows Defender Antivirus blocked files or activity involving malware potentially unwanted applications or suspicious behavior. AntivirusReport: Description: Microsoft Defender Antivirus reported a threat, which can either be a memory, boot sector, or rootkit threat. AntivirusScanCancelled: Description: A Windows Defender Antivirus scan was cancelled. AntivirusScanCompleted: Description: A Windows Defender Antivirus scan completed successfully. AntivirusScanFailed: Description: A Windows Defender Antivirus scan did not complete successfully. AntivirusTroubleshootModeEvent: Description: The troubleshooting mode in Microsoft Defender Antivirus was used. ``` -------------------------------- ### USB Drive Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Covers events related to the mounting, unmounting, and drive letter changes of USB storage devices. ```APIDOC UsbDriveDriveLetterChanged: Description: The drive letter assigned to a mounted USB storage device was modified. UsbDriveMounted: Description: A USB storage device was mounted as a drive. UsbDriveUnmounted: Description: A USB storage device was unmounted. ``` -------------------------------- ### Detect Archiving Activity (7Zip, Tar) in Defender XDR Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Deception Alert Triage/Suspicious Archiving Activity.md This KQL query helps identify potential exfiltration staging by detecting the execution of archiving tools like 7Zip and Tar. It analyzes `AlertEvidence` and `DeviceFileEvents` within a two-hour window around a Deception alert. The query currently supports 7Zip (identified by company name 'Igor Pavlov') and Tar (identified by file description 'bsdtar archive tool'). ```KQL let alertID = ""; // change me let entities = AlertEvidence | where AlertId == alertID | where EntityType in ("Process") | summarize by TimeGenerated, DeviceId; entities | join DeviceFileEvents on $left.DeviceId == $right.DeviceId | where TimeGenerated1 between ((TimeGenerated - 1h) .. (TimeGenerated + 1h)) | where InitiatingProcessVersionInfoCompanyName == @"Igor Pavlov" or InitiatingProcessVersionInfoFileDescription == @"bsdtar archive tool" ``` -------------------------------- ### Screenshot and File Access Event Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Covers events related to taking screenshots and accessing sensitive files. ```APIDOC ScreenshotTaken: Description: A screenshot was taken. SensitiveFileRead: Description: A file that matched DLP policy was accessed or processes that are reading sensitive files such as ssh keys, Outlook mail archives etc. ``` -------------------------------- ### User Account Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Details events related to the creation, deletion, modification, and group membership changes of user accounts. ```APIDOC UserAccountAddedToLocalGroup: Description: A user was added to a security-enabled local group. UserAccountCreated: Description: A local SAM account or a domain account was created. UserAccountDeleted: Description: A user account was deleted. UserAccountModified: Description: A user account was modified. UserAccountRemovedFromLocalGroup: Description: A user was removed from a security-enabled local group. ``` -------------------------------- ### Exploit Protection Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Details events related to exploit protection mechanisms, including actions taken against malicious processes, unsigned files, ROP exploits, shared binaries, and system calls. ```APIDOC ExploitGuardNetworkProtectionAudited: Description: Network protection detected an attempt to access a malicious or unwanted IP address domain or URL. ExploitGuardNetworkProtectionBlocked: Description: Network protection blocked a malicious or unwanted IP address domain or URL. ExploitGuardNonMicrosoftSignedAudited: Description: Exploit protection detected the launch of a process from an image file that is not signed by Microsoft. ExploitGuardNonMicrosoftSignedBlocked: Description: Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft. ExploitGuardRopExploitAudited: Description: Exploit protection detected possible return-object programming (ROP) exploitation. ExploitGuardRopExploitBlocked: Description: Exploit protection blocked possible return-object programming (ROP) exploitation. ExploitGuardSharedBinaryAudited: Description: Exploit protection detected the launch of a process from a remote shared file. ExploitGuardSharedBinaryBlocked: Description: Exploit protection blocked the launch of a process from a file in a remote device. ExploitGuardWin32SystemCallAudited: Description: Exploit protection detected a call to the Windows system API. ExploitGuardWin32SystemCallBlocked: Description: Exploit protection blocked a call to the Windows system API. ``` -------------------------------- ### Firewall and Network Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Documents events related to firewall activity, including blocked inbound and outbound connections, and the status of the firewall service. ```APIDOC FirewallInboundConnectionBlocked: Description: A firewall or another application blocked an inbound connection using the Windows Filtering Platform. FirewallInboundConnectionToAppBlocked: Description: The firewall blocked an inbound connection to an app. FirewallOutboundConnectionBlocked: Description: A firewall or another application blocked an outbound connection using the Windows Filtering Platform. FirewallServiceStopped: Description: The firewall service was stopped. ``` -------------------------------- ### Host Logon Info for Deception Alerts (KQL) Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Deception Alert Triage/User_Host Logon Info.md This KQL query identifies host and account logon events on devices that were part of a deception-based alert. It filters DeviceLogonEvents within a two-hour window around the alert's timestamp, focusing on the implicated device and account. The query assumes the decoy was used on an MDE-managed device and requires an AlertId to be specified. ```KQL // Deception triage: Host/Acct // This query assumes the decoy was used on an MDE managed device // Identify the account that hit the decoy and how it accessed the system let alertID = ""; // change me let entities = AlertEvidence | where AlertId == alertID | where EntityType in ("Machine", "User") | summarize DeviceId = any(DeviceId), AccountName = any(AccountName) by TimeGenerated, AlertId; entities | join DeviceLogonEvents on $left.DeviceId == $right.DeviceId and $left.AccountName == $right.AccountName | where TimeGenerated1 between ((TimeGenerated - 1h) .. (TimeGenerated + 1h)) | project-away TimeGenerated, DeviceId1, Timestamp | project-rename TimeGenerated = TimeGenerated1 | sort by TimeGenerated // Keep an eye out for logins at odd hours or remote logins //| where parse_json(AdditionalFields).IsLocalLogon == false //| where isnotempty(RemoteIP) ``` -------------------------------- ### Attack Surface Reduction Rules Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Details on various Attack Surface Reduction (ASR) rules, including their detection, blocking, and warning bypass scenarios. These rules help prevent common malware and attack techniques. ```APIDOC AsrSafeModeRebootWarnBypassed: Description: User excluded ASR block for "Block rebooting machine in Safe Mode" rule enabled in WARN mode. AsrScriptExecutableDownloadAudited: Description: An attack surface reduction rule detected JavaScript or VBScript code launching downloaded executable content. AsrScriptExecutableDownloadBlocked: Description: An attack surface reduction rule blocked JavaScript or VBScript code from launching downloaded executable content. AsrScriptExecutableDownloadWarnBypassed: Description: User excluded ASR block for "Block JavaScript or VBScript from launching downloaded executable content" rule enabled in WARN mode. AsrUntrustedExecutableAudited: Description: An attack surface reduction rule detected the execution of an untrusted file that doesn't meet criteria for age or prevalence. AsrUntrustedExecutableBlocked: Description: An attack surface reduction rule blocked the execution of an untrusted file that doesn't meet criteria for age or prevalence. AsrUntrustedExecutableWarnBypassed: Description: User excluded ASR block for "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule enabled in WARN mode. AsrUntrustedUsbProcessAudited: Description: An attack surface reduction rule detected the execution of an untrusted and unsigned processes from a USB device. AsrUntrustedUsbProcessBlocked: Description: An attack surface reduction rule blocked the execution of an untrusted and unsigned processes from a USB device. AsrUntrustedUsbProcessWarnBypassed: Description: User excluded ASR block for "Block untrusted and unsigned processes that run from USB" rule enabled in WARN mode. AsrVulnerableSignedDriverAudited: Description: An attack surface reduction rule detected a signed driver that has known vulnerabilities. AsrVulnerableSignedDriverBlocked: Description: An attack surface reduction rule blocked a signed driver that has known vulnerabilities. AsrVulnerableSignedDriverWarnBypassed: Description: User excluded ASR block for "Block abuse of in-the-wild exploited vulnerable signed drivers" rule enabled in WARN mode. AsrWebShellOnServerAudited: Description: An attack surface reduction rule detected the creation of a webshell on a Windows Server machine. AsrWebShellOnServerBlocked: Description: An attack surface reduction rule blocked webshell creation activity on a Windows Server machine. AsrWebShellWarnBypassed: Description: User excluded ASR block for "Block Webshell creation for Servers" rule enabled in WARN mode. ``` -------------------------------- ### Detect Anti-Forensics Activity (Defender XDR) Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Endpoint/AntiForensicsActivityOnEndpoint.md Monitors suspicious executions of Windows utilities like rundll32.exe, fsutil.exe, wevtutil.exe, and others to detect anti-forensic actions such as clearing event logs, timestomping, and deleting shadow copies. It analyzes the command line arguments to identify specific malicious patterns. ```KQL DeviceProcessEvents | where FileName in~ ("rundll32.exe", "fsutil.exe", "wevtutil.exe", "auditpol.exe", "bcdedit.exe", "sdelete.exe", "cipher.exe", "wmic.exe", "powershell.exe", "cmd.exe", "del.exe", "vssadmin.exe") | where ( // Clearing Shimcache or AppCompatCache (FileName == "rundll32.exe" and ProcessCommandLine has_any ("ShimFlushCache", "BaseFlushAppcompatCache")) // USN Journal tampering or (FileName == "fsutil.exe" and ProcessCommandLine has "usn" and ProcessCommandLine !has "queryJournal") // Clearing Windows Event Logs or (FileName == "wevtutil.exe" and ProcessCommandLine has_any ("cl", "clear-log")) or (FileName == "powershell.exe" and ProcessCommandLine has_all ("Clear-EventLog")) or (FileName == "auditpol.exe" and ProcessCommandLine has "/clear") // Secure delete / Encryption overwrite or (FileName == "sdelete.exe") or (FileName == "cipher.exe" and ProcessCommandLine has "/w") // Disabling logging and security settings or (FileName == "bcdedit.exe" and ProcessCommandLine has_any ("/set bootstatuspolicy ignoreallfailures", "/set recoveryenabled no")) or (FileName == "wmic.exe" and ProcessCommandLine has_all ("shadowcopy", "delete")) // Deleting recent files, Prefetch, and browser history or (FileName == "cmd.exe" and ProcessCommandLine has "del" and ProcessCommandLine has_any ("\\Microsoft\\Windows\\Recent", "\\Windows\\Prefetch", "history", "cookies", "cache")) // Timestomping Detection or (FileName == "powershell.exe" and ProcessCommandLine has_all ("Set-ItemProperty", "LastWriteTime")) // Shadow Copy & System Recovery Deletion or (FileName == "vssadmin.exe" and ProcessCommandLine has_any ("delete", "resize")) or (FileName == "wmic.exe" and ProcessCommandLine has_all ("shadowcopy", "delete")) or (FileName == "bcdedit.exe" and ProcessCommandLine has_any ("/delete", "/set safeboot")) ) ``` -------------------------------- ### Tampering and Network Connection Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Documents attempts to tamper with Microsoft Defender XDR settings and connections to untrusted Wi-Fi networks. ```APIDOC TamperingAttempt: Description: An attempt to change Microsoft Defender XDR settings was made. UntrustedWifiConnection: Description: A connection was established to an open Wi-Fi access point that is set to connect automatically. ``` -------------------------------- ### Attack Surface Reduction Rules Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt This section details various Attack Surface Reduction (ASR) rules. Each rule is described by its event name, a brief explanation of the detected activity, and whether the action was blocked or bypassed. The rules cover a range of security threats including unauthorized process creation, credential theft, obfuscated scripts, and ransomware. ```APIDOC AsrAdobeReaderChildProcessBlocked: Description: An attack surface reduction rule blocked Adobe Reader from creating a child process. AsrAdobeReaderChildProcessWarnBypassed: Description: User excluded ASR block for "Block Adobe Reader from creating child processes" rule enabled in WARN mode. AsrExecutableEmailContentAudited: Description: An attack surface reduction rule detected the launch of executable content from an email client and or webmail. AsrExecutableEmailContentBlocked: Description: An attack surface reduction rule blocked executable content from an email client and or webmail. AsrExecutableEmailContentWarnBypassed: Description: User excluded ASR block for "Block Launching of executable content from email attachment" rule enabled in WARN mode. AsrExecutableOfficeContentAudited: Description: An attack surface reduction rule detected an Office application creating executable content. AsrExecutableOfficeContentBlocked: Description: An attack surface reduction rule blocked an Office application from creating executable content. AsrExecutableOfficeContentWarnBypassed: Description: User excluded ASR block for "Block Office applications from creating executable content" rule enabled in WARN mode. AsrLsassCredentialTheftAudited: Description: An attack surface reduction rule detected possible credential theft from lsass.exe. AsrLsassCredentialTheftBlocked: Description: An attack surface reduction rule blocked possible credential theft from lsass.exe. AsrLsassCredentialTheftWarnBypassed: Description: User excluded ASR block for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule enabled in WARN mode. AsrObfuscatedScriptAudited: Description: An attack surface reduction rule detected the execution of scripts that appear obfuscated. AsrObfuscatedScriptBlocked: Description: An attack surface reduction rule blocked the execution of scripts that appear obfuscated. AsrObfuscatedScriptWarnBypassed: Description: User excluded ASR block for "Block execution of potentially obfuscated scripts" rule enabled in WARN mode. AsrOfficeChildProcessAudited: Description: An attack surface reduction rule detected an Office application spawning a child process. AsrOfficeChildProcessBlocked: Description: An attack surface reduction rule blocked an Office application from creating child processes. AsrOfficeChildProcessWarnBypassed: Description: User excluded ASR block for "Block all Office applications from creating child processes" rule enabled in WARN mode. AsrOfficeCommAppChildProcessAudited: Description: An attack surface reduction rule detected an Office communication app attempting to spawn a child process. AsrOfficeCommAppChildProcessBlocked: Description: An attack surface reduction rule blocked an Office communication app from spawning a child process. AsrOfficeCommAppChildProcessWarnBypassed: Description: User excluded ASR block for "Block Office communication application from creating child processes" rule enabled in WARN mode. AsrOfficeMacroWin32ApiCallsAudited: Description: An attack surface reduction rule detected Win32 API calls from Office macros. AsrOfficeMacroWin32ApiCallsBlocked: Description: An attack surface reduction rule blocked Win32 API calls from Office macros. AsrOfficeMacroWin32ApiCallsWarnBypassed: Description: User excluded ASR block for "Block Win32 API calls from Office macro" rule enabled in WARN mode. AsrOfficeProcessInjectionAudited: Description: An attack surface reduction rule detected an Office application injecting code into other processes. AsrOfficeProcessInjectionBlocked: Description: An attack surface reduction rule blocked an Office application from injecting code into other processes. AsrOfficeProcessInjectionWarnBypassed: Description: User excluded ASR block for "Block Office applications from injecting code into other processes" rule enabled in WARN mode. AsrPersistenceThroughWmiAudited: Description: An attack surface reduction rule detected an attempt to establish persistence through WMI event subscription. AsrPersistenceThroughWmiBlocked: Description: An attack surface reduction rule blocked an attempt to establish persistence through WMI event subscription. AsrPersistenceThroughWmiWarnBypassed: Description: User excluded ASR block for "Block persistence through WMI event subscription" rule enabled in WARN mode. AsrPsexecWmiChildProcessAudited: Description: An attack surface reduction rule detected the use of PsExec or WMI commands to spawn a child process. AsrPsexecWmiChildProcessBlocked: Description: An attack surface reduction rule blocked the use of PsExec or WMI commands to spawn a child process. AsrPsexecWmiChildProcessWarnBypassed: Description: User excluded ASR block for "Block Process Creations originating from PSExec & WMI commands" rule enabled in WARN mode. AsrRansomwareAudited: Description: An attack surface reduction rule detected ransomware activity. AsrRansomwareBlocked: Description: An attack surface reduction rule blocked ransomware activity. AsrRansomwareWarnBypassed: Description: User excluded ASR block for "Use advanced protection against ransomware" rule enabled in WARN mode. AsrSafeModeRebootAudited: Description: An attack surface reduction rule detected a configuration attempt to reboot a device in Safe mode. AsrSafeModeRebootBlocked: Description: An attack surface reduction rule blocked a configuration attempt to reboot a device in Safe mode. ``` -------------------------------- ### Scheduled Task Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Covers events related to the lifecycle of scheduled tasks, including creation, deletion, enabling, disabling, and updating. ```APIDOC ScheduledTaskCreated: Description: A scheduled task was created. ScheduledTaskDeleted: Description: A scheduled task was deleted. ScheduledTaskDisabled: Description: A scheduled task was turned off. ScheduledTaskEnabled: Description: A scheduled task was turned on. ScheduledTaskUpdated: Description: A scheduled task was updated. ``` -------------------------------- ### General Security Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt General security-related events not specific to a particular feature. ```APIDOC AccountCheckedForBlankPassword: Description: An account was checked for a blank password. ``` -------------------------------- ### Application Guard Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Events related to the operation of Application Guard for isolating untrusted web content. ```APIDOC AppGuardBrowseToUrl: Description: A URL was accessed from within an application guard container. AppGuardCreateContainer: Description: Application guard initiated an isolated container. AppGuardLaunchedWithUrl: Description: The opening of an untrusted URL has initiated an application guard container. AppGuardResumeContainer: Description: Application guard resumed an isolated container from a suspended state. AppGuardStopContainer: Description: Application guard stopped an isolated container. AppGuardSuspendContainer: Description: Application guard suspended an isolated container. ``` -------------------------------- ### API Call Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Logs events where specific Windows API functions are called, indicating potential system interactions or malicious activities. ```APIDOC GetAsyncKeyStateApiCall: Description: The GetAsyncKeyState function was called. This function can be used to obtain the states of input keys and buttons. GetClipboardData: Description: The GetClipboardData function was called. This function can be used obtain the contents of the system clipboard. NtAllocateVirtualMemoryApiCall: Description: Memory was allocated for a process. NtAllocateVirtualMemoryRemoteApiCall: Description: Memory was allocated for a process remotely. NtMapViewOfSectionRemoteApiCall: Description: A section of a process's memory was mapped by calling the function NtMapViewOfSection. NtProtectVirtualMemoryApiCall: Description: The protection attributes for allocated memory was modified. OpenProcessApiCall: Description: The OpenProcess function was called indicating an attempt to open a handle to a local process and potentially manipulate that process. ReadProcessMemoryApiCall: Description: The ReadProcessMemory function was called indicating that a process read data from the process memory of another process. QueueUserApcRemoteApiCall: Description: An asynchronous procedure call (APC) was scheduled to execute in a user-mode thread. ``` -------------------------------- ### Application Control Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Events related to the enforcement and auditing of application control policies. ```APIDOC AppControlAppInstallationAudited: Description: Application control detected the installation of an untrusted app. AppControlAppInstallationBlocked: Description: Application control blocked the installation of an untrusted app. AppControlCIScriptAudited: Description: A script or MSI file generated by Windows LockDown Policy was audited. AppControlCIScriptBlocked: Description: A script or MSI file generated by Windows LockDown Policy was blocked. AppControlCodeIntegrityDriverRevoked: Description: Application control found a driver with a revoked certificate. AppControlCodeIntegrityImageAudited: Description: Application control detected an executable file that violated code integrity policies. AppControlCodeIntegrityImageRevoked: Description: Application control found an executable file with a revoked certificate. AppControlCodeIntegrityOriginAllowed: Description: Application control allowed a file due to its good reputation (ISG) or installation source (managed installer). AppControlCodeIntegrityOriginAudited: Description: Application control would have blocked a file due to its bad reputation (ISG) or installation source (managed installer) if the policy was enforced. AppControlCodeIntegrityOriginBlocked: Description: Application control blocked a file due to its bad reputation (ISG) or installation source (managed installer). AppControlCodeIntegrityPolicyAudited: Description: Application control detected a code integrity policy violation. AppControlCodeIntegrityPolicyBlocked: Description: Application control blocked a code integrity policy violation. AppControlCodeIntegrityPolicyLoaded: Description: An application control code integrity policy was loaded. AppControlCodeIntegritySigningInformation: Description: Application control signing information was generated. AppControlExecutableAudited: Description: Application control detected the use of an untrusted executable. AppControlExecutableBlocked: Description: Application control blocked the use of an untrusted executable. AppControlPackagedAppAudited: Description: Application control detected the use of an untrusted packaged app. AppControlPackagedAppBlocked: Description: Application control blocked the installation of an untrusted packaged app. AppControlPolicyApplied: Description: An application control policy was applied to the device. AppControlScriptAudited: Description: Application control detected the use of an untrusted script. AppControlScriptBlocked: Description: Application control blocked the use of an untrusted script. ``` -------------------------------- ### AppLocker Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Events related to AppLocker policies preventing unauthorized application execution. ```APIDOC AppLockerBlockExecutable: Description: AppLocker prevented an untrusted executable from running. AppLockerBlockPackagedApp: Description: AppLocker prevented an untrusted packaged app from running. AppLockerBlockPackagedAppInstallation: Description: AppLocker prevented the installation of an untrusted packaged app. AppLockerBlockScript: Description: AppLocker prevented an untrusted script from running. ``` -------------------------------- ### Security Group and Log Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Details events related to the management of security groups and the clearing of security logs. ```APIDOC SecurityGroupCreated: Description: A security group was created. SecurityGroupDeleted: Description: A security group was deleted. SecurityLogCleared: Description: The security log was cleared. ``` -------------------------------- ### Azure Security Operations KQL Queries Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/ConditionalAccessPolicies/CAP-Gap-Detections.md This snippet contains a collection of KQL queries for analyzing Azure security operations. It includes logic for identifying privileged roles, filtering sign-in logs based on various criteria such as authentication requirements, client applications, and network locations, and parsing device details. ```SQL let firstyPartyIds = dynamic(["c2ada927-a9e2-4564-aae2-70775a2fa0af","04436913-cf0d-4d2a-9cc6-2ffe7f1d3d1c"]); let privilegedRoles = dynamic(["Global Administrator", "Application Administrator", "Authentication Administrator", "Billing Administrator", "Cloud Application Administrator", "Conditional Access Administrator", "Exchange Administrator", "Helpdesk Administrator", "Password Administrator", "Privileged Authentication Administrator", "Privileged Role Administrator", "Security Administrator", "SharePoint Administrator", "User Administrator"]); let excludedResourceIds = dynamic([""]); let CAPTargetGroups = materialize ( ExposureGraphEdges | where EdgeLabel == "member of" and TargetNodeLabel == "group" | where TargetNodeName == "" | distinct SourceNodeName); let CAPTargetAdmins = IdentityInfo | where AssignedRoles has_any(privilegedRoles) | distinct AccountDisplayName; SigninLogs | where Identity in (CAPTargetGroups) | where ResultType == 0 //# Specify expected included/excluded Client App or comment-out for all | where ClientAppUsed == @"Mobile Apps and Desktop clients" or ClientAppUsed == @"Browser" | where AuthenticationRequirement == @"singleFactorAuthentication" or AuthenticationRequirement == @"multiFactorAuthentication" // when looking for single factor, exclude the expected | where ResourceId in (firstyPartyIds, excludedResourceIds) | where AppDisplayName != @"Windows Sign In" | where ResourceTenantId == AADTenantId | where ConditionalAccessStatus == "notApplied" //# Specify expected included/exlcuded ResourceDisplayName (ex. is of CAP excluded apps) | where ResourceDisplayName != @"" and AppDisplayName != @"" //# Parse out NetworkLocationDetails | mv-expand NetworkLocationDetails | extend NetworkLocationDetails = parse_json(NetworkLocationDetails) | extend NamedLocation = NetworkLocationDetails.networkNames | extend NetworkType = tostring(NetworkLocationDetails.networkType) | project-away NetworkLocationDetails //# Specify expected Device Details | extend DeviceDetail = parse_json(DeviceDetail) | extend DeviceId = DeviceDetail.deviceId, DisplayName = DeviceDetail.displayName, OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, IsCompliant = DeviceDetail.isCompliant, IsManaged = DeviceDetail.isManaged, TrustType = DeviceDetail.trustType | project-away DeviceDetail ``` -------------------------------- ### WMI and Memory Write Events Source: https://github.com/attackthesoc/azure-secops/blob/main/KQL/Table Info/DeviceEvents_ActionTypes.txt Documents events related to WMI event filter binding to consumers and processes writing data into the memory of other processes. ```APIDOC WmiBindEventFilterToConsumer: Description: A filter for WMI events was bound to a consumer. This enables listening for all kinds of system events and triggering corresponding actions, including potentially malicious ones. WriteToLsassProcessMemory: Description: The WriteProcessMemory function was called indicating that a process has written data into memory for another process. ```