Query Details

Detection Title

Detection Template

Query

// Paste your query here
DeviceProcessEvents
| where FileName == "Example.File"

About this query

Detection Title

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1134.002Access Token Manipulation: Create Process with Tokenhttps://attack.mitre.org/techniques/T1134/002/

Description

Description of the detection rule.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Risk

Explain what risk this detection tries to cover

Author <Optional>

  • Name:
  • Github:
  • Twitter:
  • LinkedIn:
  • Website:

References

Defender XDR

Sentinel

// Paste your query here
DeviceProcessEvents
| where FileName == "Example.File"

Explanation

This query is designed to detect a specific security threat related to the manipulation of access tokens, specifically the creation of a process using a manipulated token. This technique is identified by the MITRE ATT&CK framework as T1134.002. The query focuses on monitoring events where a process is executed with a particular file name, "Example.File," which could indicate suspicious activity. The goal is to identify potential unauthorized access or privilege escalation attempts by observing these process creation events. The query can be used in both Defender XDR and Sentinel environments to enhance security monitoring and threat detection.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

DeviceProcessEvents|where==

MITRE Techniques

Actions

GitHub