Adversaries may target specific operating systems by exploiting known vulnerabilities or deploying malware tailored to those environments. SOC teams should proactively hunt for this behavior to identify potential attack vectors and prioritize systems that may be at higher risk based on observed OS distribution patterns.
KQL Query
//
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| summarize dcount(DeviceId) by OSDistribution
id: 5a540d69-a196-4e1f-9029-df8a100aa4a7
name: Commonality of Operating Systems
description: |
  This query provides the commonality of operating systems seen in the inventory
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics:
  - Resource Development
relevantTechniques: []
query: |
  //
  DeviceInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | summarize dcount(DeviceId) by OSDistribution
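The query above gives only a raw device count per distribution. The following is an added example (not part of the original hunting query) that keeps the same deduplication step but adds each distribution's share of the fleet, the version strings behind it and a few sample device names, sorted so that the rarest distributions, the ones most worth a closer look, appear first. It assumes the standard DeviceInfo columns OSPlatform, OSVersionInfo and DeviceName and a 7-day lookback window.

```kql
// Added example: OS commonality with fleet share and rare-distribution ordering.
// Assumes DeviceInfo exposes OSPlatform, OSVersionInfo and DeviceName (Defender XDR schema).
let lookback = 7d;
// One row per device: the most recent DeviceInfo record within the lookback window.
let latest = DeviceInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(OSDistribution)
    | summarize arg_max(Timestamp, *) by DeviceId;
// Total distinct devices, used to express each distribution as a percentage of the fleet.
let total = toscalar(latest | summarize dcount(DeviceId));
latest
| summarize Devices = dcount(DeviceId),
            Versions = make_set(OSVersionInfo, 10),   // up to 10 distinct version strings
            SampleDevices = make_set(DeviceName, 5)   // a handful of hosts to pivot on
  by OSPlatform, OSDistribution
| extend FleetPercent = round(100.0 * Devices / total, 2)
// Ascending order surfaces the uncommon distributions first; a single host on an
// unexpected or end-of-life distribution is a better hunting lead than the majority build.
| order by Devices asc
```

Distributions with a very small device count, or version strings that do not match the organisation's approved baseline, are the rows to triage against asset management records.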
Scenario: A system administrator is performing a routine OS inventory update using Microsoft System Center Configuration Manager (SCCM).
Filter/Exclusion: Exclude events related to SCCM inventory updates by checking for the presence of known SCCM agent processes or specific registry keys associated with SCCM.
Scenario: A scheduled job runs a PowerShell script that calls Get-WmiObject to gather OS details for reporting purposes.
Filter/Exclusion: Exclude PowerShell scripts that match known reporting scripts or include specific command-line arguments like -ComputerName with a list of known internal servers.
Scenario: A Windows Update task is executed across multiple endpoints to ensure OS patches are applied, which temporarily increases OS detection activity.
Filter/Exclusion: Exclude events where the source process is wuauclt.exe or where the event contains a known Windows Update task name.
Scenario: An Ansible playbook is run to gather OS information from a fleet of Linux servers as part of a compliance check.
Filter/Exclusion: Exclude events where the source process is ansible or where the command includes known Ansible modules like setup or winrm.
Scenario: A remote desktop session is initiated from a management workstation, which temporarily increases OS detection activity due to session-related system queries.
Filter/Exclusion: Exclude events where the source IP is a known management subnet or where the process is mstsc.exe or rdpclip.exe.