Query Details

Suspicious PDQ Deploy Runner Child

Query

# Rule Documentation: Suspicious Child Processes of PDQ Deploy Runner (Windows)

## Description
This detection rule identifies suspicious child processes spawned by the `PDQDeployRunner.exe` process. PDQ Deploy is a legitimate software deployment tool, but it can be misused by attackers to execute malicious payloads. This rule monitors for unusual child processes that may indicate malicious activity.

- [Detection.FYI on Suspicious Child Processes of PDQ Deploy Runner](https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children/)

## Detection Logic
- Monitors `DeviceProcessEvents` for child processes spawned by `PDQDeployRunner.exe`.
- Identifies unusual or suspicious processes that are not commonly associated with legitimate PDQ Deploy activities.

## Tags
- Execution
- Process Creation
- PDQ Deploy
- Suspicious Activity

## Search Query
```kql
DeviceProcessEvents
// In the DeviceProcessEvents schema, InitiatingProcessFileName is the parent of the
// created process (FileName); InitiatingProcessParentFileName would match the grandparent.
| where InitiatingProcessFileName contains "PDQDeployRunner"
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "taskkill.exe", "at.exe", "wmic.exe", "bitsadmin.exe")
```

Notes:
Exclude trusted processes within your network

Explanation

This query is designed to detect potentially malicious activities involving the PDQDeployRunner.exe process, which is part of the PDQ Deploy software. PDQ Deploy is a legitimate tool used for software deployment, but it can be exploited by attackers to run harmful commands or scripts.

Key Points:

  • Purpose: To identify suspicious child processes started by PDQDeployRunner.exe.
  • Monitored Events: The query looks at DeviceProcessEvents to find child processes initiated by PDQDeployRunner.exe.
  • Suspicious Processes: It flags processes that are commonly associated with malicious activities, such as powershell.exe, cmd.exe, wscript.exe, and others listed in the query.

Query Breakdown:

  1. Source of Events: DeviceProcessEvents table.
  2. Parent Process Filter: The parent process must be PDQDeployRunner.exe.
  3. Child Process Filter: The child process must be one of the specified executables known for being used in attacks.

Actionable Note:

  • Exclude Trusted Processes: Make sure to exclude any processes that are known to be safe within your specific network environment to reduce false positives.

This rule helps in identifying and responding to potential misuse of PDQ Deploy for executing malicious commands or scripts.
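The filter described above, as an added Python emulation (not code from the original page) run over constructed DeviceProcessEvents rows: it applies the case-insensitive semantics of KQL `contains` and `in~` to the parent and child names, then drops hits covered by a trusted-process exclusion as the note recommends. The host names and the package share on fs01 are assumptions.

```python
# Added example, not code from the original query page: a Python emulation of the
# rule's filter over constructed DeviceProcessEvents rows, so the matching semantics
# (parent name `contains`, case-insensitive `in~` on FileName, trusted exclusions)
# can be checked offline before tuning the KQL.

# Child executables the KQL lists in its `in~` clause.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "schtasks.exe", "taskkill.exe", "at.exe",
    "wmic.exe", "bitsadmin.exe",
}

# Constructed sample rows using DeviceProcessEvents column names (not real telemetry).
# InitiatingProcessFileName is the parent of the created process (FileName).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "PDQDeployRunner-1.exe",
     "FileName": "PowerShell.exe",
     "ProcessCommandLine": "PowerShell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1"},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "PDQDeployRunner-1.exe",
     "FileName": "msiexec.exe", "ProcessCommandLine": "msiexec.exe /i app.msi /qn"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "explorer.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "PDQDeployRunner-1.exe",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c \\\\fs01\\pdq\\install_7zip.bat"},
]


def matches_rule(event):
    """Emulate the two `where` clauses; KQL `contains` and `in~` are case-insensitive."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    child = event.get("FileName", "").lower()
    return "pdqdeployrunner" in parent and child in SUSPICIOUS_CHILDREN


def is_trusted(event, trusted_substrings):
    """The page's tuning note: drop hits whose command line references a known-good
    deployment package (here, a constructed package share on fs01)."""
    cmdline = event.get("ProcessCommandLine", "").lower()
    return any(s.lower() in cmdline for s in trusted_substrings)


def detect(events, trusted_substrings=()):
    """Return the rows the rule would surface, minus trusted exclusions."""
    return [e for e in events
            if matches_rule(e) and not is_trusted(e, trusted_substrings)]


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS, trusted_substrings=("\\\\fs01\\pdq\\",)):
        print(h["DeviceName"], h["FileName"], h["ProcessCommandLine"])
```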

Details

Ali Hussein

Released: May 21, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

contains, in~