Query Details

Globally Rare Service

Query

// Globally Rare Service Executable
// Matches service executables to their file info and looks at global prevalence
let PrevalenceThreshold = 1000; // adjust as needed
DeviceEvents
| where ActionType == "ServiceInstalled"
| where FileName != ""  // Defender not capturing service executable sometimes -- needs investigation
//-- false positives
| where not (
    (FileName startswith "svchost.exe -k "  // lots of these
    or FileName == "CredentialEnrollmentManager.exe")  // Windows internal keychain
    and InitiatingProcessFileName == "svchost.exe")
| where not (
    FileName == "DBUtilDrv2.sys"  // Dell driver service
    and InitiatingProcessFileName == "drvinst.exe")
| where not (
    FileName == "Microsoft.Management.Services.CloudManagedDesktop.Agent.exe"  // Intune related
    and FolderPath == "C:\\Program Files\\Microsoft Cloud Managed Desktop Extension\\CMDExtension")
| where InitiatingProcessFileName != "msmpeng.exe"  // Defender Antivirus
//-- END false positives
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ServiceName = tostring(AdditionalFields.["ServiceName"])
| extend ServiceAccount = tostring(AdditionalFields.["ServiceAccount"])
| extend ServiceStartType = tostring(AdditionalFields.["ServiceStartType"])
| distinct DeviceName, FileName, FolderPath, ServiceName, ServiceAccount, ServiceStartType
| join kind=inner (
    DeviceFileEvents
    | where ActionType != "FileDeleted"
    ) on DeviceName, FileName, FolderPath
| where SHA256 != "" // Defender not capturing hashes ~10% of the time for some reason? Needs investigation
| summarize Count = count(), LastSeenTimestamp = max(Timestamp), Devices = make_set(DeviceName) by FileName, SHA256, ServiceName, ServiceAccount, ServiceStartType
| invoke FileProfile("SHA256")
| project-reorder LastSeenTimestamp, ServiceName, GlobalPrevalence
| where GlobalPrevalence < PrevalenceThreshold
| sort by GlobalPrevalence asc

Explanation

This query hunts for service executables that are globally rare. It starts from ServiceInstalled events in DeviceEvents, drops known false positives (svchost-hosted services and CredentialEnrollmentManager.exe started by svchost.exe, the Dell DBUtilDrv2.sys driver service installed by drvinst.exe, the Intune Cloud Managed Desktop agent in its expected folder, and services installed by Defender Antivirus itself), and extracts the service name, service account and start type from the AdditionalFields JSON. It then joins the distinct service executables with DeviceFileEvents on device name, file name and folder path to obtain the executable's SHA256, and summarizes the count, last-seen timestamp and set of devices for each unique combination of file name, SHA256, service name, service account and start type. The FileProfile function enriches each SHA256 with its global prevalence; the columns are reordered for readability, only rows below the prevalence threshold (1000 by default, set in PrevalenceThreshold) are kept, and the results are sorted in ascending order of global prevalence so the rarest executables appear first. Two comments in the query flag data-quality gaps that are still under investigation: ServiceInstalled events with an empty FileName, and joined file events with an empty SHA256, are simply filtered out, so services affected by either gap never reach the prevalence check.
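The two "needs investigation" comments in the query discard events rather than measure them. The following diagnostic is an added example, not part of the original hunting query, that sizes both gaps over the last 30 days so the analyst knows how much coverage the filters cost. It assumes the same DeviceEvents and DeviceFileEvents schema (the ActionType, FileName, FolderPath, DeviceName, SHA256 and Timestamp columns used above); the 30-day window and the Gap labels are choices made here, not values from the page.

```kql
// Added diagnostic for the two data-quality gaps noted in the hunting query.
// Assumes the standard DeviceEvents / DeviceFileEvents schema; the lookback
// window is an assumption and can be adjusted.
let Lookback = 30d;
let ServiceInstalls =
    DeviceEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "ServiceInstalled";
// Gap 1: ServiceInstalled events that carry no service executable name.
let MissingFileName =
    ServiceInstalls
    | summarize Total = count(), Missing = countif(isempty(FileName))
    | extend Gap = "FileName empty on ServiceInstalled",
             Pct = round(100.0 * Missing / Total, 1)
    | project Gap, Total, Missing, Pct;
// Gap 2: matched DeviceFileEvents rows that carry no SHA256, using the same
// join keys as the hunting query so the figure reflects what it actually drops.
let MissingHash =
    ServiceInstalls
    | where isnotempty(FileName)
    | distinct DeviceName, FileName, FolderPath
    | join kind=inner (
        DeviceFileEvents
        | where Timestamp > ago(Lookback)
        | where ActionType != "FileDeleted"
        ) on DeviceName, FileName, FolderPath
    | summarize Total = count(), Missing = countif(isempty(SHA256))
    | extend Gap = "SHA256 empty on joined DeviceFileEvents",
             Pct = round(100.0 * Missing / Total, 1)
    | project Gap, Total, Missing, Pct;
MissingFileName
| union MissingHash
```

If the SHA256 gap turns out to be concentrated on a few devices or file paths, replacing the final summarize with a `by DeviceName` or `by FolderPath` grouping shows where the hunting query is blind, which is more useful than the global percentage alone.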

Details


C.J. May

Released: May 16, 2023

Tables

DeviceEvents, DeviceFileEvents

Keywords

DeviceEvents,ActionType,FileName,InitiatingProcessFileName,FolderPath,AdditionalFields,ServiceName,ServiceAccount,ServiceStartType,DeviceName,SHA256,Timestamp,DeviceFileEvents,Count,LastSeenTimestamp,Devices,GlobalPrevalence

Operators

where, extend, distinct, join, summarize, invoke, project-reorder, sort by
