Adversaries may plant executables in the Default Domain Policy or the Default Domain Controllers Policy, the two built-in GPOs present in every Active Directory domain (well-known GUIDs {31B2F340-016D-11D2-945F-00C04FB984F9} and {6AC1786C-016F-11D2-945F-00C04fB984F9}), so that every domain member or every domain controller runs them, gaining execution and persistent access across the network in one step. Best practice is to leave these two policies for baseline settings only, so an executable launched from either policy's SYSVOL path that has not been seen before is a strong hunting lead. The Microsoft Sentinel (formerly Azure Sentinel) rule below compares the last day of ASIM process events against a 14-day baseline and surfaces new executables, so SOC teams can identify potential lateral movement and persistence mechanisms early.
id: 0dd2a343-4bf9-4c93-a547-adf3658ddaec
name: New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
description: |
  'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
  A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
  This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvents
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - LateralMovement
relevantTechniques:
  - T1072
  - T1570
query: |
  let known_processes = (
  imProcess
  // Change these values if adjusting Query Frequency or Query Period
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | summarize by Process);
  imProcess
  // Change these values if adjusting Query Frequency or Query Period
  | where TimeGenerated > ago(1d)
  | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | where Process !in (known_processes)
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
  | extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: DvcHostname
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Community
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
T1072 (Software Deployment Tools): Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software depl
T1570 (Lateral Tool Transfer): Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/
Scenario: Scheduled System Maintenance Task Running a Legitimate EXE
Description: A scheduled task runs a legitimate executable (e.g., cleanmgr.exe) as part of routine disk cleanup. cleanmgr.exe lives in System32, not under a Policies\{GUID} path, so it does not reach this query unless the task points at a copy stored in one of the default policies; in that case the copy itself should be reviewed rather than excluded.
Filter/Exclusion (imProcess columns; ActingProcessName is the parent image): | where not(Process endswith @"\cleanmgr.exe" and ActingProcessName endswith @"\schtasks.exe")
Scenario: Group Policy Script Running Built-in Tools
Description: A Group Policy startup or logon script, or a Group Policy Preferences item, runs built-in tools such as gpupdate.exe or regedit.exe on all domain-joined machines for policy synchronization. These binaries ship with Windows and are not deployed by the policy; they match this query only if a copy has been placed under a default policy path, which is itself worth investigating.
Filter/Exclusion: | where not(Process endswith @"\gpupdate.exe" or Process endswith @"\regedit.exe")
Scenario: Software Deployment via Microsoft Intune
Description: A legitimate software deployment via Intune (e.g., a Notepad++ installer) is pushed to all enrolled devices through the Intune Management Extension or Windows Installer. Intune does not use the SYSVOL Policies\{GUID} folders, so these deployments fall outside this query; the exclusion only matters if a deployment happens to run a binary from a policy path. Note the parentheses: without them the second parent-name test would bypass the file-name test entirely.
Filter/Exclusion: | where not(Process endswith @"\notepad++.exe" and (ActingProcessName endswith @"\msiexec.exe" or ActingProcessName endswith @"\Microsoft.Management.Services.IntuneWindowsAgent.exe"))
Scenario: Admin Task Using psexec.exe to Run a Legitimate Tool
Description: An administrator uses psexec.exe to run a legitimate tool like powershell.exe on a remote machine for troubleshooting or configuration. On the target host the spawned process is a child of PSEXESVC.exe, the service PsExec installs there; psexec.exe is the parent only on the administrator's own workstation. powershell.exe runs from System32 and only appears in this query if it is launched from a policy path.
Filter/Exclusion: | where not(Process endswith @"\powershell.exe" and ActingProcessName endswith @"\PSEXESVC.exe")
Scenario: Default Domain Controllers Policy Deploying a System Tool
Description: The Default Domain Controllers Policy is used to deploy a system tool like dcdiag.exe or `dsmgmt
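The rule's logic, together with the kind of tuning exclusion the scenarios above describe, as an added offline model in Python. This is example code written for this page, not part of the Sentinel rule or the ASIM parsers: it re-implements the 14-day baseline versus 1-day window comparison, the has_any match on the two well-known GPO GUID paths, the FirstSeen/LastSeen summarisation per Process, CommandLine and DvcHostname, and the HostName/HostNameDomain split, over constructed imProcess-style events. The allow-list of (parent image, image) pairs is an addition for tuning and is not in the rule; all hostnames, paths, timestamps and the gpscript.exe parent image are assumptions made up for the sample data.

```python
"""Offline model of the Sentinel rule above, run over constructed imProcess-style
events. Sample data only; nothing here is real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Well-known GUIDs of the two built-in GPOs; identical in every AD forest.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY_GUID = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
_POLICY_MARKERS = tuple(("policies\\" + g).lower()
                        for g in (DEFAULT_DOMAIN_POLICY_GUID, DEFAULT_DC_POLICY_GUID))

@dataclass(frozen=True)
class ProcessEvent:
    """The imProcess columns the rule uses; acting_process_name is the parent image."""
    time_generated: datetime
    dvc_hostname: str
    process: str
    command_line: str
    acting_process_name: str

def under_default_policy_path(process):
    """Mirror KQL has_any(): case-insensitive substring match on either GPO path."""
    lowered = process.lower()
    return any(marker in lowered for marker in _POLICY_MARKERS)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def split_hostname(dvc_hostname):
    """HostName is the label before the first dot; HostNameDomain is the rest, or the
    whole value when there is no dot (what the iff() in the rule does)."""
    host, dot, domain = dvc_hostname.partition(".")
    return host, (domain if dot else dvc_hostname)

def detect_new_policy_executables(events, now, query_period=timedelta(days=14),
                                  query_frequency=timedelta(days=1), allowlist=frozenset()):
    """One row per (Process, CommandLine, DvcHostname) launched from a default-policy
    path in the last query_frequency whose Process string is absent from the baseline
    [now - query_period, now - query_frequency]. allowlist holds (parent image, image)
    basename pairs for tuning; it is an addition for this example, not part of the rule."""
    baseline_start, window_start = now - query_period, now - query_frequency
    # between(ago(14d)..ago(1d)) is inclusive at both ends, `> ago(1d)` is not, so an
    # event exactly on the boundary counts for the baseline only. `!in` is case-sensitive.
    known = {e.process for e in events
             if baseline_start <= e.time_generated <= window_start
             and under_default_policy_path(e.process)}
    spans = {}
    for e in events:
        if e.time_generated <= window_start or not under_default_policy_path(e.process):
            continue
        if e.process in known:
            continue
        if (basename(e.acting_process_name), basename(e.process)) in allowlist:
            continue
        key = (e.process, e.command_line, e.dvc_hostname)
        first, last = spans.get(key, (e.time_generated, e.time_generated))
        spans[key] = (min(first, e.time_generated), max(last, e.time_generated))
    rows = []
    for (process, command_line, dvc), (first, last) in spans.items():
        host, domain = split_hostname(dvc)
        rows.append({"FirstSeen": first, "LastSeen": last, "Process": process,
                     "CommandLine": command_line, "DvcHostname": dvc,
                     "HostName": host, "HostNameDomain": domain})
    return sorted(rows, key=lambda r: (r["Process"], r["DvcHostname"]))

# Constructed sample telemetry: hostnames, paths, parent images and times are invented.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
_SYSVOL = r"\\corp.example.com\SysVol\corp.example.com\Policies"
_DDP = _SYSVOL + "\\" + DEFAULT_DOMAIN_POLICY_GUID + r"\Machine\Scripts\Startup"
_DCP = _SYSVOL + "\\" + DEFAULT_DC_POLICY_GUID + r"\Machine\Scripts\Startup"
_GPSCRIPT = r"C:\Windows\System32\gpscript.exe"  # assumed parent of GPO startup scripts
SAMPLE_EVENTS = [
    # Long-standing startup binary: seen 10 days ago, so it is in today's baseline.
    ProcessEvent(NOW - timedelta(days=10), "ws01.corp.example.com",
                 _DDP + r"\inventory.exe", "inventory.exe /quiet", _GPSCRIPT),
    ProcessEvent(NOW - timedelta(hours=3), "ws02.corp.example.com",
                 _DDP + r"\inventory.exe", "inventory.exe /quiet", _GPSCRIPT),
    # New binary dropped into the Default Domain Policy startup folder today.
    ProcessEvent(NOW - timedelta(hours=5), "ws01.corp.example.com",
                 _DDP + r"\update.exe", "update.exe", _GPSCRIPT),
    ProcessEvent(NOW - timedelta(hours=2), "ws01.corp.example.com",
                 _DDP + r"\update.exe", "update.exe", _GPSCRIPT),
    ProcessEvent(NOW - timedelta(hours=1), "ws02.corp.example.com",
                 _DDP + r"\update.exe", "update.exe", _GPSCRIPT),
    # Scheduled disk cleanup runs from System32: never matched, whatever its parent.
    ProcessEvent(NOW - timedelta(hours=4), "ws01.corp.example.com",
                 r"C:\Windows\System32\cleanmgr.exe", "cleanmgr.exe /sagerun:1",
                 r"C:\Windows\System32\svchost.exe"),
    # Tool placed in the Default Domain Controllers Policy path, first seen today.
    ProcessEvent(NOW - timedelta(hours=6), "dc01.corp.example.com",
                 _DCP + r"\dcdiag.exe", "dcdiag.exe /q", _GPSCRIPT),
]
# Tuning example: a reviewed DC health check the team chose to accept.
KNOWN_GOOD = frozenset({("gpscript.exe", "dcdiag.exe")})

if __name__ == "__main__":
    for row in detect_new_policy_executables(SAMPLE_EVENTS, NOW, allowlist=KNOWN_GOOD):
        print(row["HostName"], row["HostNameDomain"], row["Process"])
```

With the allow-list applied the model returns two rows, update.exe on ws01 (FirstSeen five hours ago, LastSeen two hours ago) and on ws02; inventory.exe is suppressed because it was seen in the baseline, and cleanmgr.exe never matches because its path is not under either policy GUID. Without the allow-list dcdiag.exe on dc01 is a third row. Two points carry over to the real rule: the baseline is keyed on the exact Process string, so renaming or moving a binary within the policy folder makes it "new" again, and any exclusion should be scoped to a specific image under the policy path rather than to a bare file name, since an attacker can name a dropper after any allowed tool.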