Most Common Services

Hunt Hypothesis

Adversaries may leverage commonly used services to establish persistent access or exfiltrate data undetected. SOC teams should proactively hunt for unusual activity within these common services to identify potential compromise in their Azure Sentinel environment.

KQL Query

//
DeviceTvmSoftwareVulnerabilities 
| where ingestion_time() > ago(7d)
| summarize arg_max(DeviceId, *) by SoftwareVendor, SoftwareName
| summarize DiscoveredOnDevicesCount = dcount(DeviceId) by SoftwareVendor, SoftwareName

Analytic Rule Definition

id: 4a5e9079-8fca-451a-99f5-a3384755a6e8
name: Most Common Services
description: |
  This query provides the most common services discovered
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceTvmSoftwareVulnerabilities
tactics:
- Initial Access
- Execution
relevantTechniques: []
query: |
  //
  DeviceTvmSoftwareVulnerabilities 
  | where ingestion_time() > ago(7d)
  | summarize arg_max(DeviceId, *) by SoftwareVendor, SoftwareName
  | summarize DiscoveredOnDevicesCount = dcount(DeviceId) by SoftwareVendor, SoftwareName

MITRE ATT&CK Context

• Tactic: Initial Access
• Tactic: Execution

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Device Inventory/Most Common Services.yaml)

False Positive Guidance

• Scenario: Regularly scheduled system maintenance tasks using task scheduler
  Filter/Exclusion: Exclude events where the service name contains “TaskScheduler” or “ScheduledTask”
  Example: service_name:*TaskScheduler* or service_name:*ScheduledTask*

• Scenario: Administrative tasks using PowerShell to manage services
  Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes Start-Service or Stop-Service
  Example: process_name:powershell.exe AND command_line:*Start-Service* or command_line:*Stop-Service*

• Scenario: Automated backups using Veeam Backup & Replication
  Filter/Exclusion: Exclude events where the service name is VeeamBackup or VeeamBackupService
  Example: service_name:*VeeamBackup* or service_name:*VeeamBackupService*

• Scenario: Database maintenance jobs using SQL Server Agent
  Filter/Exclusion: Exclude events where the service name is SQLAgent or SQLServerAgent
  Example: service_name:*SQLAgent* or service_name:*SQLServerAgent*

• Scenario: Network monitoring tools like SolarWinds or PRTG running as services
  Filter/Exclusion: Exclude events where the service name contains “SolarWinds” or “PRTG”
  Example: service_name:*SolarWinds* or service service_name:PRTG`