Uncommon processes detected in Azure Sentinel may indicate the execution of previously unseen malicious software or adversary tools that have not yet been cataloged in threat intelligence. SOC teams should proactively hunt for these processes to identify potential zero-day attacks or unknown threats that could compromise the environment.
KQL Query

```kql
let freqs = imProcessCreate
// filter out common randomly named files related to MSI installers and browsers
| where not(Process has_all ('TRA', '.tmp') and Process matches regex @"\\TRA[0-9A-Fa-f]{3,4}\.tmp")
| where not(Process has_all ('MSI', '.tmp') and Process matches regex @"\\MSI[0-9A-Fa-f]{3,4}\.tmp")
// keep only the file name (last path component)
| extend FileName = tostring(split(Process, '\\')[-1])
// normalize guids, then collapse every digit to 'n' so versioned or randomly numbered names share one bucket
| extend FileName = replace("[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}", "<guid>", FileName)
| extend FileName = replace(@'\d', 'n', FileName)
| summarize frequency=count(), Since=min(TimeGenerated), LastSeen=max(TimeGenerated) by FileName, EventVendor, EventProduct;
// frequency at the 5th percentile: anything at or below it counts as rare
let percentile_5 = toscalar(freqs | summarize percentiles(frequency, 5));
freqs
| where frequency <= percentile_5
| order by frequency asc
| project FileName, frequency, percentile_5, Since, LastSeen, EventVendor, EventProduct
// restrict results to unusual processes seen in last day
| where LastSeen >= ago(1d)
| extend timestamp = LastSeen
```
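The same normalization and bottom-percentile logic, re-implemented here in Python over a constructed batch of process-create events so the filtering steps can be checked offline. This is an added example, not part of the original hunting query or Sentinel content; the nearest-rank percentile is an assumption standing in for KQL's approximate `percentiles()`.

```python
import re
from datetime import datetime, timedelta, timezone
from math import ceil

# Mirrors the KQL pipeline: drop MSI/browser temp installers, keep the last
# path component, collapse GUIDs to <guid>, and turn every digit into 'n'.
TMP_RE = re.compile(r"\\(TRA|MSI)[0-9A-Fa-f]{3,4}\.tmp")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}")

def normalize(process):
    """Normalized file name for a full process path, or None if filtered out."""
    if TMP_RE.search(process):
        return None
    name = process.rsplit("\\", 1)[-1]
    return re.sub(r"\d", "n", GUID_RE.sub("<guid>", name))

def nearest_rank_percentile(values, pct):
    """Exact nearest-rank percentile (assumption; KQL percentiles() is approximate)."""
    ordered = sorted(values)
    return ordered[max(ceil(pct / 100 * len(ordered)) - 1, 0)]

def rare_processes(events, now, pct=5, window=timedelta(days=1)):
    """events: (timestamp, process path) pairs. Returns (name, count, first, last)
    for names at or below the pct-th frequency percentile and seen within window."""
    freqs = {}  # name -> [count, first_seen, last_seen]
    for ts, proc in events:
        name = normalize(proc)
        if name is None:
            continue
        entry = freqs.setdefault(name, [0, ts, ts])
        entry[0] += 1
        entry[1], entry[2] = min(entry[1], ts), max(entry[2], ts)
    if not freqs:
        return []
    cutoff = nearest_rank_percentile([e[0] for e in freqs.values()], pct)
    hits = [(n, c, first, last) for n, (c, first, last) in freqs.items()
            if c <= cutoff and last >= now - window]
    return sorted(hits, key=lambda h: h[1])

# Constructed sample events (not real telemetry): timestamps relative to NOW.
NOW = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [(NOW - timedelta(hours=h), r"C:\Windows\System32\svchost.exe") for h in range(40)]
    + [(NOW - timedelta(hours=h), r"C:\Windows\explorer.exe") for h in range(12)]
    + [(NOW - timedelta(hours=h), r"C:\Program Files\Vendor\update_2024.exe") for h in range(3)]
    + [(NOW - timedelta(hours=2), r"C:\Users\bob\AppData\Local\Temp\TRA1F3A.tmp")]
    + [(NOW - timedelta(hours=1), r"C:\Users\bob\AppData\Local\Temp\1b4e28ba-2fa1-11d2-883f-0016d3cca427.exe")]
    + [(NOW - timedelta(days=5), r"C:\Users\alice\Downloads\oldtool.exe")]
)
```

Running `rare_processes(SAMPLE_EVENTS, NOW)` returns only the GUID-named binary: the temp installer is filtered before counting, and `oldtool.exe` is equally rare but falls outside the one-day window.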
```yaml
id: 4e3af8e3-a29f-4eec-ac25-55517dca6512
name: Uncommon processes - bottom 5% (Normalized Process Events)
description: |
  'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - e.g. 3+ days rather than 24 hours!)
  These new processes could be benign new programs installed on hosts;
  However, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run.
  Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.'
requiredDataConnectors: []
tactics:
  - Execution
query: |
  let freqs = imProcessCreate
  // filter out common randomly named files related to MSI installers and browsers
  | where not(Process has_all ('TRA', '.tmp') and Process matches regex @"\\TRA[0-9A-Fa-f]{3,4}\.tmp")
  | where not(Process has_all ('MSI', '.tmp') and Process matches regex @"\\MSI[0-9A-Fa-f]{3,4}\.tmp")
  | extend FileName = tostring(split(Process, '\\')[-1])
  // normalize guids
  | extend FileName = replace("[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}", "<guid>", FileName)
  | extend FileName = replace(@'\d', 'n', FileName)
  | summarize frequency=count(), Since=min(TimeGenerated), LastSeen=max(TimeGenerated) by FileName, EventVendor, EventProduct;
  let percentile_5 = toscalar(freqs | summarize percentiles(frequency, 5));
  freqs
  | where frequency <= percentile_5
  | order by frequency asc
  | project FileName, frequency, percentile_5, Since, LastSeen, EventVendor, EventProduct
  // restrict results to unusual processes seen in last day
  | where LastSeen >= ago(1d)
  | extend timestamp = LastSeen
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Known benign activity that can surface in the bottom-5% results, with the exclusion to consider for each:

- Scenario: A system administrator installs a new legitimate software tool like Wireshark or tcpdump for network analysis.
  Filter/Exclusion: Exclude processes associated with known network analysis tools (e.g., tcpdump, Wireshark, nmap) or processes initiated by admin accounts with known installation tasks.
- Scenario: A scheduled job runs a PowerShell script to perform routine system maintenance or patching.
  Filter/Exclusion: Exclude processes initiated by scheduled tasks or scripts with known maintenance purposes (e.g., powershell.exe with specific command-line arguments related to patching or configuration updates).
- Scenario: A developer deploys a new Docker container or Kubernetes pod using tools like docker or kubectl.
  Filter/Exclusion: Exclude processes related to container orchestration tools (e.g., docker, kubectl, kubeadm) or processes running under development or CI/CD environments.
- Scenario: A user runs a one-time diagnostic tool like Process Monitor (ProcMon) or Process Explorer to troubleshoot an application.
  Filter/Exclusion: Exclude processes associated with system diagnostic tools (e.g., procmon.exe, procexp.exe) or processes initiated by users with elevated privileges for troubleshooting.
- Scenario: A Windows Update or Group Policy update triggers a new process to apply system changes.
  Filter/Exclusion: Exclude processes related to system updates (e.g., wuauclt.exe, gupdate.exe) or processes initiated during scheduled update windows.