0xffhh · June 21, 2021 09:11
diff --git a/randomrules b/randomrules
 DeviceFileEvents
 | where ActionType == "FileCreated" or ActionType == "FileModified"
 | where FileName endswith ".hta"
 | where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
 | where FileName != "<SNIP>"

 DeviceProcessEvents
 | where InitiatingProcessFileName == "mshta.exe"
 | where not(InitiatingProcessCommandLine contains "<SNIP>")
 | where not(InitiatingProcessCommandLine contains "<SNIP>")
 | where not(InitiatingProcessCommandLine contains "<SNIP>")
 | where not(InitiatingProcessCommandLine contains "<SNIP>")
 | where not(InitiatingProcessCommandLine contains "<SNIP>")

 DeviceProcessEvents
 | where FileName =~ "msbuild.exe"
 | where not(DeviceName == "<SNIP>") //exclude dedicated build
 | where not(InitiatingProcessFileName =~ "devenv.exe" or InitiatingProcessParentFileName =~ "devenv.exe") //visual studio
 | where not(InitiatingProcessFileName =~ "code.exe" or InitiatingProcessParentFileName =~ "code.exe") //visual studio code
 | where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessParentFileName =~ "Agent.Worker.exe") //TFS build process. 



 Improved version of the first rule, which checks if the downloaded file has actually spawned a child process
 let htaDownloads = DeviceFileEvents
 | where ActionType == "FileCreated" or ActionType == "FileModified"
 | where FileName endswith ".hta"
 | where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
 | extend HtaFileName=tolower(FileName)
 | project HtaFileName, DeviceId;
 DeviceProcessEvents
 | where InitiatingProcessFileName =~ "mshta.exe"
 | join kind=inner (htaDownloads) on DeviceId
 | where InitiatingProcessCommandLine contains HtaFileName
	DeviceFileEvents
	\| where ActionType == "FileCreated" or ActionType == "FileModified"
	\| where FileName endswith ".hta"
	\| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
	\| where FileName != "<SNIP>"

	DeviceProcessEvents
	\| where InitiatingProcessFileName == "mshta.exe"
	\| where not(InitiatingProcessCommandLine contains "<SNIP>")
	\| where not(InitiatingProcessCommandLine contains "<SNIP>")
	\| where not(InitiatingProcessCommandLine contains "<SNIP>")
	\| where not(InitiatingProcessCommandLine contains "<SNIP>")
	\| where not(InitiatingProcessCommandLine contains "<SNIP>")

	DeviceProcessEvents
	\| where FileName =~ "msbuild.exe"
	\| where not(DeviceName == "<SNIP>") //exclude dedicated build
	\| where not(InitiatingProcessFileName =~ "devenv.exe" or InitiatingProcessParentFileName =~ "devenv.exe") //visual studio
	\| where not(InitiatingProcessFileName =~ "code.exe" or InitiatingProcessParentFileName =~ "code.exe") //visual studio code
	\| where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessParentFileName =~ "Agent.Worker.exe") //TFS build process.



	Improved version of the first rule, which checks if the downloaded file has actually spawned a child process
	let htaDownloads = DeviceFileEvents
	\| where ActionType == "FileCreated" or ActionType == "FileModified"
	\| where FileName endswith ".hta"
	\| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "outlook.exe")
	\| extend HtaFileName=tolower(FileName)
	\| project HtaFileName, DeviceId;
	DeviceProcessEvents
	\| where InitiatingProcessFileName =~ "mshta.exe"
	\| join kind=inner (htaDownloads) on DeviceId
	\| where InitiatingProcessCommandLine contains HtaFileName