Adversaries may chain activity spanning several MITRE ATT&CK techniques to move laterally or exfiltrate data undetected, with no single event crossing an alert threshold. Proactively hunting for these behaviours in Azure Sentinel helps identify potential compromise early, reducing the risk of data loss and system disruption.
KQL Query
let weights = dynamic({"Low":1, "Medium":3, "High":5}); //Assign weights to the risk levels
//Low risk events
let lowRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "powershell.exe" and ProcessCommandLine has "-command") //T1086 PowerShell
or
(FileName =~ "powershell.exe" and ProcessCommandLine contains "-nop") //T1086 PowerShell
or
(FileName =~ "schtasks.exe" and ProcessCommandLine has "create") //T1053 Scheduled Task
or
(FileName =~ "installutil.exe") //T1118 InstallUtil
or
(FileName =~ "msbuild.exe") //T1127 Trusted Developer Utilities
or
(FileName =~ "nbtstat.exe") //T1016 System Network Configuration Discovery
or
(FileName == "mshta.exe") //T1170 Mshta
or
(FileName =~ "netsh.exe") //T1089 Disabling Security Tools, T1063 Security Software Discovery
or
(FileName == "net.exe" and ProcessCommandLine has " start ") //T1007 System Service Discovery
| extend Weight = toint((weights["Low"]));
//Medium risk events
let mediumRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "regsvcs.exe") //T1121 Regsvcs/Regasm
or
(FileName =~ "arp.exe" and ProcessCommandLine has "-a") //T1016 System Network Configuration Discovery
or
(FileName =~ "ipconfig.exe" and ProcessCommandLine has "all") //T1016 System Network Configuration Discovery
or
(FileName startswith "psexe") //T1035 Service Execution
or
(FileName == "net.exe" and ProcessCommandLine has " share ") //T1135 Network Share Discovery
or
(FileName =~ "netsh.exe" and ProcessCommandLine has "interface show") //T1016 System Network Configuration Discovery
| extend Weight = toint((weights["Medium"]));
//Higher risk events
let highRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "net.exe" and ProcessCommandLine has "config") //T1016 System Network Configuration Discovery
or
(FileName =~ "net.exe" and ProcessCommandLine has "time") //T1124 System Time Discovery
or
(FileName =~ "w32tm.exe" and ProcessCommandLine has "/tz") //T1124 System Time Discovery
or
(FileName == "cmstp.exe") //T1191 CMSTP
or
(FileName =~ "netsh.exe" and (ProcessCommandLine has "portproxy" or ProcessCommandLine has "p")) //T1090 Connection Proxy
| extend Weight = toint((weights["High"]));
union kind=outer lowRiskEvents, mediumRiskEvents, highRiskEvents
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, Weight
| summarize Start_Time=min(Timestamp), End_Time=max(Timestamp), Weight_Sum=sum(Weight), Processes=make_set(FileName), Commands=make_set(ProcessCommandLine) by DeviceName
| where Weight_Sum > 30
| sort by Weight_Sum desc
id: 132beb12-7146-45a5-9132-c82feee53b71
name: MITRE - Suspicious Events
description: |
  Description:
  The query looks for several different MITRE techniques, grouped by risk level.
  A weighting is applied to each risk level and a total score calculated per machine.
  Techniques can be added/removed as required.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Tasks | A legitimate scheduled task using schtasks.exe or Task Scheduler is running routine system maintenance (e.g., disk cleanup, log rotation). | Exclude tasks with known maintenance names (e.g., DiskCleanup, LogCleaner) or filter by process name schtasks.exe or Task Scheduler. |
| Admin User Performing System Updates | An admin user is manually applying system updates via Windows Update or using wusa.exe to install patches. | Exclude processes initiated by admin users with known update-related commands, or filter by wusa.exe and check for update-related command-line arguments. |
| Database Backup Job Execution | A database backup job is running using sqlcmd.exe or mysqldump to back up critical databases. | Exclude jobs with known backup names, or filter by process names like sqlcmd.exe or mysqldump and check for backup-related command-line switches. |
| Log File Rotation via PowerShell | A PowerShell script is being used to rotate or archive log files (e.g., using Get-ChildItem and Move-Item). | Exclude PowerShell scripts with known log rotation names, or filter by powershell.exe and check for log-related command-line arguments. |
| User-Initiated File Copy or Move | A user is copying or moving files using robocopy.exe, xcopy.exe, or standard File Explorer operations. | Exclude processes with known file transfer names or filter by robocopy.exe or xcopy.exe and check for user-initiated file |
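The query below is an added example, not the hunting query above and not code from the Azure Sentinel repository. It reuses the page's weights and predicates but reads from constructed rows supplied with `datatable`, so it can be pasted into a Log Analytics or Sentinel query window without the MicrosoftThreatProtection connector, and it covers two things at once: validating the scoring logic of the query above, and applying the exclusions from two of the scenarios in the table (the scheduled-task names DiskCleanup and LogCleaner, and the Get-ChildItem/Move-Item log-rotation pattern). Matching rows are tagged rather than dropped, so the raw score and the tuned score appear side by side. The device names, command lines and timestamps are invented for the example; the column names are the real DeviceProcessEvents columns the original query already uses.

```kql
// Added example: the page's three-tier weighting run over constructed rows,
// with two of the false-positive scenarios tagged so raw and tuned scores can be compared.
let weights = dynamic({"Low":1, "Medium":3, "High":5});
// Constructed stand-in for DeviceProcessEvents; every row below is invented for this example.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, FileName:string, ProcessCommandLine:string)
[
    // host-a: a nightly inventory/maintenance job. Benign, but the raw score reaches 31.
    datetime(2024-01-10 02:00:00), "host-a", "schtasks.exe",   @'schtasks.exe /create /tn DiskCleanup /tr cleanmgr.exe /sc daily',
    datetime(2024-01-10 02:00:05), "host-a", "powershell.exe", @'powershell.exe -command "Get-ChildItem C:\logs\*.log | Move-Item -Destination D:\archive"',
    datetime(2024-01-10 02:00:10), "host-a", "net.exe",        @'net start spooler',
    datetime(2024-01-10 02:00:15), "host-a", "ipconfig.exe",   @'ipconfig /all',
    datetime(2024-01-10 02:00:20), "host-a", "arp.exe",        @'arp -a',
    datetime(2024-01-10 02:00:25), "host-a", "net.exe",        @'net share logs=D:\logs /grant:Everyone,READ',
    datetime(2024-01-10 02:00:30), "host-a", "netsh.exe",      @'netsh interface show interface',
    datetime(2024-01-10 02:00:35), "host-a", "net.exe",        @'net config workstation',
    datetime(2024-01-10 02:00:40), "host-a", "net.exe",        @'net time \\dc01',
    datetime(2024-01-10 02:00:45), "host-a", "w32tm.exe",      @'w32tm /tz',
    // host-b: an interactive session that should still alert after tuning (raw and tuned score 32).
    datetime(2024-01-10 13:10:00), "host-b", "mshta.exe",      @'mshta.exe C:\Users\Public\update.hta',
    datetime(2024-01-10 13:10:30), "host-b", "powershell.exe", @'powershell.exe -nop -w hidden -f C:\Users\Public\s.ps1',
    datetime(2024-01-10 13:11:00), "host-b", "cmstp.exe",      @'cmstp.exe /s C:\Users\Public\profile.inf',
    datetime(2024-01-10 13:12:00), "host-b", "netsh.exe",      @'netsh interface portproxy add v4tov4 listenport=8080 connectaddress=10.10.10.10',
    datetime(2024-01-10 13:13:00), "host-b", "psexesvc.exe",   @'psexesvc.exe',
    datetime(2024-01-10 13:14:00), "host-b", "net.exe",        @'net share admin$',
    datetime(2024-01-10 13:15:00), "host-b", "net.exe",        @'net time \\dc01',
    datetime(2024-01-10 13:16:00), "host-b", "net.exe",        @'net config workstation',
    datetime(2024-01-10 13:17:00), "host-b", "regsvcs.exe",    @'regsvcs.exe C:\Users\Public\a.dll'
];
// Tag rows that match the tuning scenarios instead of dropping them, so both scores stay visible.
let Tagged = SampleEvents
| extend KnownBenign =
    (FileName =~ "schtasks.exe" and ProcessCommandLine has_any ("DiskCleanup", "LogCleaner"))   // scheduled maintenance
    or (FileName =~ "powershell.exe" and ProcessCommandLine contains "Get-ChildItem"
        and ProcessCommandLine contains "Move-Item");                                          // log rotation
// The three tiers are the page's predicates, only compacted onto fewer lines.
let lowRiskEvents = Tagged
| where (FileName =~ "powershell.exe" and ProcessCommandLine has "-command")
     or (FileName =~ "powershell.exe" and ProcessCommandLine contains "-nop")
     or (FileName =~ "schtasks.exe" and ProcessCommandLine has "create")
     or FileName =~ "installutil.exe" or FileName =~ "msbuild.exe" or FileName =~ "nbtstat.exe"
     or FileName == "mshta.exe" or FileName =~ "netsh.exe"
     or (FileName == "net.exe" and ProcessCommandLine has " start ")
| extend Weight = toint(weights["Low"]);
let mediumRiskEvents = Tagged
| where FileName =~ "regsvcs.exe"
     or (FileName =~ "arp.exe" and ProcessCommandLine has "-a")
     or (FileName =~ "ipconfig.exe" and ProcessCommandLine has "all")
     or FileName startswith "psexe"
     or (FileName == "net.exe" and ProcessCommandLine has " share ")
     or (FileName =~ "netsh.exe" and ProcessCommandLine has "interface show")
| extend Weight = toint(weights["Medium"]);
let highRiskEvents = Tagged
| where (FileName =~ "net.exe" and ProcessCommandLine has "config")
     or (FileName =~ "net.exe" and ProcessCommandLine has "time")
     or (FileName =~ "w32tm.exe" and ProcessCommandLine has "/tz")
     or FileName == "cmstp.exe"
     or (FileName =~ "netsh.exe" and (ProcessCommandLine has "portproxy" or ProcessCommandLine has "p"))
| extend Weight = toint(weights["High"]);
// A row can land in more than one tier and is then counted once per tier, exactly as in the original union:
// "netsh interface show interface" scores 1 (Low, any netsh) + 3 (Medium) = 4.
union kind=outer lowRiskEvents, mediumRiskEvents, highRiskEvents
| summarize Start_Time=min(Timestamp), End_Time=max(Timestamp),
            Raw_Score=sum(Weight),                        // what the original query thresholds on
            Tuned_Score=sumif(Weight, not(KnownBenign)),  // the same score with the two exclusions applied
            Processes=make_set(FileName), Commands=make_set(ProcessCommandLine)
         by DeviceName
| extend Alert = Tuned_Score > 30      // the original query's "Weight_Sum > 30" threshold
| sort by Tuned_Score desc
```

Run as written, the result has two rows: host-b with Raw_Score and Tuned_Score both 32 and Alert true, and host-a with Raw_Score 31 but Tuned_Score 29 and Alert false, so the tuned logic no longer surfaces the maintenance host while the interactive session still crosses the threshold. Two points are worth carrying back into the production query. First, apply the exclusion as `| where not(KnownBenign)` before the union rather than tagging, so excluded rows never contribute to the score, and scope an account-based exclusion (the admin-updates scenario) to the one predicate it explains rather than to the whole query, otherwise every event from that account disappears. Second, `summarize ... by DeviceName` has no time window, so a long hunting range lets a nightly job accumulate points across runs; adding `bin(Timestamp, 1d)` to the `by` clause keeps the score per day. Of the five scenarios in the table, only the scheduled-task and PowerShell log-rotation ones touch predicates in this query; wusa.exe, sqlcmd.exe, mysqldump, robocopy.exe and xcopy.exe never match it, so they need exclusions only if those processes are added to a tier.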