You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description: This hunt detects processes named as legit Microsoft native binaries located in the system32 folder. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
from logs-endpoint.events.process-*
| where @timestamp> NOW() -7 day
| whereevent.type=="start"andevent.action=="start"andhost.os.name =="Windows"and not starts_with(process.executable, "C:\\Program Files\\WindowsApps\\") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\") andprocess.name!="setup.exe"
| keep process.name.caseless, process.executable.caseless, process.code_signature.subject_name, process.code_signature.trusted, process.code_signature.exists, host.id/* system_bin contain Microsoft signed and located in system32 folder process names *//* non_system_bin contain non Microsoft signed process names */
| eval system_bin = case(starts_with(process.executable.caseless, "c:\\windows\\system32") and starts_with(process.code_signature.subject_name, "Microsoft") andprocess.code_signature.trusted == true, process.name.caseless, null), non_system_bin = case(process.code_signature.exists == false orprocess.code_signature.trusted != true or not starts_with(process.code_signature.subject_name, "Microsoft"), process.name.caseless, null)
/* aggregate unique process name counts by process.name and host.id */
| stats count_system_bin =count(system_bin), count_non_system_bin =count(non_system_bin) by process.name.caseless, host.id/* filter where the same process.name is present in both system_bin and non_system_bin */
| where count_system_bin >=1and count_non_system_bin >=1
Notes
Output of the query is the process.name and host.id where you can pivot by host.id and process.name (non Microsoft signed) to find the specific suspicious instances.
Potential false-positives include processes with missing code signature details due to enrichment bugs.
The queried index must capture process start events with code signature information (e.g. Windows event 4688 is not supported).