Query Details

Detect the use of a new Sysinternal tool

New Sysinternal Tool Detected

Query

let SysInternalSuite = dynamic(["accesschk.exe","accesschk64.exe","AccessEnum.exe", "AdExplorer.exe","ADExplorer.exe","ADExplorer64.exe","ADInsight.chm","ADInsight.exe","ADInsight64.exe","adrestore.exe","adrestore64.exe","Autologon.exe","Autologon64.exe","autoruns.chm","Autoruns.exe","Autoruns64.exe","autorunsc.exe","autorunsc64.exe","Bginfo.exe","Bginfo64.exe","Cacheset.exe","Cacheset64.exe","Clockres.exe","Clockres64.exe","Contig.exe","Contig64.exe","Coreinfo.exe","Coreinfo64.exe","CPUSTRES.exe","CPUSTRES64.exe","ctrl2cap.amd.sys","ctrl2cap.exe","Dbgview.chm","Dbgview.exe","dbgview64.exe","Desktops.exe","Desktops64.exe","Disk2vhd.chm","disk2vhd.exe","disk2vhd64.exe","diskext.exe","diskext64.exe","Diskmon.exe","Diskmon64.exe","DiskView.exe","DiskView64.exe","du.exe","du64.exe","efsdump.exe","Eula.txt","FindLinks.exe","FindLinks64.exe","handle.exe","handle64.exe","hex2dec.exe","hex2dec64.exe","junction.exe","junction64.exe","ldmdump.exe","Listdlls.exe","Listdlls64.exe","livekd.exe","livekd64.exe","LoadOrd.exe","LoadOrd64.exe","LoadOrdC.exe","LoadOrdC64.exe","logonsessions.exe","logonsessions64.exe","movefile.exe","movefile64.exe","notmyfault.exe","notmyfault64.exe","notmyfaultc.exe","notmyfaultc64.exe","ntfsinfo.exe","ntfsinfo64.exe","pendmoves.exe","pendmoves64.exe","pipelist.exe","pipelist64.exe","portmon.exe","procdump.exe","procdump64.exe","procexp.chm","procexp.exe","procexp64.exe","procmon.chm","Procmon.exe","Procmon64.exe","PsExec.exe","PsExec64.exe","psfile.exe","psfile64.exe","PsGetsid.exe","PsGetsid64.exe","PsInfo.exe","PsInfo64.exe","pskill.exe","pskill64.exe","pslist.exe","pslist64.exe","PsLoggedon.exe","PsLoggedon64.exe","psloglist.exe","psloglist64.exe","pspasswd.exe","pspasswd64.exe","psping.exe","psping64.exe","PsService.exe","PsService64.exe","psshutdown.exe","psshutdown64.exe","pssuspend.exe","pssuspend64.exe","Pstools.chm","psversion.txt","RAMMap.exe","RAMMap64.exe","RDCMan.exe","readme.txt","RegDelNull.exe","RegDelNull64.exe","regjump.exe","ru.exe","ru64.exe","sdelete.exe","sdelete64.exe","ShareEnum.exe","ShareEnum64.exe","ShellRunas.exe","sigcheck.exe","sigcheck64.exe","streams.exe","streams64.exe","strings.exe","strings64.exe","sync.exe","sync64.exe","Sysmon.exe","Sysmon64.exe","tcpvcon.exe","tcpvcon64.exe","tcpview.chm","tcpview.exe","tcpview64.exe","Testlimit.exe","Testlimit64.exe","Vmmap.chm","vmmap.exe","vmmap64.exe","Volumeid.exe","Volumeid64.exe","whois.exe","whois64.exe","Winobj.exe","Winobj64.exe","ZoomIt.exe","ZoomIt64.exe"]);
let knownsysinternaltools = DeviceProcessEvents
     | where FileName in~ (SysInternalSuite)
     | where Timestamp between (ago(30d) .. ago(2d))
     | distinct FileName;
DeviceProcessEvents
| where Timestamp > ago(2d)
| where FileName in~ (SysInternalSuite) and FileName !in~ 
(knownsysinternaltools)
| project
     Timestamp,
     DeviceName,
     AccountDomain,
     AccountName,
     FileName,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     FolderPath

About this query

Explanation

This query is designed to detect the use of Sysinternal tools that haven't been used recently on a network. It checks for any Sysinternal tool that has been executed in the last two days but hasn't been used in the previous 30 days (for Defender XDR) or 90 days (for Sentinel). Here's a simplified breakdown:

  1. Sysinternal Tools List: The query defines a list of Sysinternal tools, which are utilities used for system diagnostics and troubleshooting.

  2. Identify Known Tools: It first identifies which of these tools have been used in the past 30 days (for Defender XDR) or 90 days (for Sentinel) and marks them as "known."

  3. Detect New Usage: The query then looks at the last two days of activity to find any Sysinternal tools that have been used but were not part of the "known" list. This helps in identifying any new or unusual usage of these tools.

  4. Output Details: For any newly detected tool usage, the query outputs details such as the time it was used, the device name, account information, the tool's file name, and the command line used to execute it.

This approach helps in monitoring and potentially identifying suspicious or unauthorized use of Sysinternal tools within a network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

SysinternalToolDeviceProcessEventsFileNameTimestampAccountDomainCommandLineInitiatingFolderPathTimeGenerated

Operators

letdynamicin~betweenagodistinct|whereand!in~project

Actions

GitHub