lawndoc · May 16, 2023 19:24
diff --git a/RareService.kusto b/RareService.kusto
 // credit to mRr3b00t @UK_Daniel_Card for the idea and starting point
 // Globally Rare Service Installation
 // Matches service executables to their file info and looks at global prevalence
 let PrevalenceThreshold = 1000; // adjust as needed
 DeviceEvents
 | where ActionType == "ServiceInstalled"
 | where FileName != ""  // Defender not capturing service executable sometimes -- needs investigation
 //-- false positives
 | where not (
    (FileName startswith "svchost.exe -k "  // lots of these
    or FileName == "CredentialEnrollmentManager.exe")  // Windows internal keychain
    and InitiatingProcessFileName == "svchost.exe")
 | where not (
    FileName == "DBUtilDrv2.sys"  // Dell driver service
    and InitiatingProcessFileName == "drvinst.exe")
 | where not (
    FileName == "Microsoft.Management.Services.CloudManagedDesktop.Agent.exe"  // Intune related
    and FolderPath == "C:\\Program Files\\Microsoft Cloud Managed Desktop Extension\\CMDExtension")
 | where InitiatingProcessFileName != "msmpeng.exe"  // Defender Antivirus
 //-- END false positives
 | extend AdditionalFields = todynamic(AdditionalFields)
 | extend ServiceName = tostring(AdditionalFields.["ServiceName"])
 | extend ServiceAccount = tostring(AdditionalFields.["ServiceAccount"])
 | extend ServiceStartType = tostring(AdditionalFields.["ServiceStartType"])
 | distinct DeviceName, FileName, FolderPath, ServiceName, ServiceAccount, ServiceStartType
 | join kind=inner (
    DeviceFileEvents
    | where ActionType != "FileDeleted"
    ) on DeviceName, FileName, FolderPath
 | where SHA256 != "" // Defender not capturing hashes ~10% of the time for some reason? Needs investigation
 | summarize Count = count(), LastSeenTimestamp = max(Timestamp), Devices = make_set(DeviceName) by FileName, SHA256, ServiceName, ServiceAccount, ServiceStartType
 | invoke FileProfile("SHA256")
 | project-reorder LastSeenTimestamp, ServiceName, GlobalPrevalence
 | where GlobalPrevalence < PrevalenceThreshold
 | sort by GlobalPrevalence asc
 | where GlobalPrevalence < PrevalenceThreshold
 | sort by GlobalPrevalence asc
	// credit to mRr3b00t @UK_Daniel_Card for the idea and starting point
	// Globally Rare Service Installation
	// Matches service executables to their file info and looks at global prevalence
	let PrevalenceThreshold = 1000; // adjust as needed
	DeviceEvents
	\| where ActionType == "ServiceInstalled"
	\| where FileName != "" // Defender not capturing service executable sometimes -- needs investigation
	//-- false positives
	\| where not (
	(FileName startswith "svchost.exe -k " // lots of these
	or FileName == "CredentialEnrollmentManager.exe") // Windows internal keychain
	and InitiatingProcessFileName == "svchost.exe")
	\| where not (
	FileName == "DBUtilDrv2.sys" // Dell driver service
	and InitiatingProcessFileName == "drvinst.exe")
	\| where not (
	FileName == "Microsoft.Management.Services.CloudManagedDesktop.Agent.exe" // Intune related
	and FolderPath == "C:\\Program Files\\Microsoft Cloud Managed Desktop Extension\\CMDExtension")
	\| where InitiatingProcessFileName != "msmpeng.exe" // Defender Antivirus
	//-- END false positives
	\| extend AdditionalFields = todynamic(AdditionalFields)
	\| extend ServiceName = tostring(AdditionalFields.["ServiceName"])
	\| extend ServiceAccount = tostring(AdditionalFields.["ServiceAccount"])
	\| extend ServiceStartType = tostring(AdditionalFields.["ServiceStartType"])
	\| distinct DeviceName, FileName, FolderPath, ServiceName, ServiceAccount, ServiceStartType
	\| join kind=inner (
	DeviceFileEvents
	\| where ActionType != "FileDeleted"
	) on DeviceName, FileName, FolderPath
	\| where SHA256 != "" // Defender not capturing hashes ~10% of the time for some reason? Needs investigation
	\| summarize Count = count(), LastSeenTimestamp = max(Timestamp), Devices = make_set(DeviceName) by FileName, SHA256, ServiceName, ServiceAccount, ServiceStartType
	\| invoke FileProfile("SHA256")
	\| project-reorder LastSeenTimestamp, ServiceName, GlobalPrevalence
	\| where GlobalPrevalence < PrevalenceThreshold
	\| sort by GlobalPrevalence asc
	\| where GlobalPrevalence < PrevalenceThreshold
	\| sort by GlobalPrevalence asc