Adversaries may target specific software by name and version, exploiting known weaknesses in client applications to execute malicious payloads or maintain persistence. SOC teams should proactively hunt for vulnerable or unexpected software versions in Azure Sentinel to identify potential exploitation attempts and reduce the risk of lateral movement.

KQL Query
```kql
//
let SearchSoftwareName = "chrome";
let SoftwareKnownVersion = "10";
DeviceTvmSoftwareInventory
// to surface software whose version was not discovered, remove the SoftwareVersion filter
| where SoftwareName == SearchSoftwareName
| where SoftwareVersion startswith SoftwareKnownVersion
```

Hunting query definition (YAML)
```yaml
id: 929d1046-11a9-40c1-977e-bd1984b30c31
name: Find Software By Name and Version
description: |
  This query finds a software by name and/or version
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSoftwareInventory
tactics:
  - Initial Access
  - Execution
relevantTechniques:
  - Exploitation for Client Execution
query: |
  //
  let SearchSoftwareName = "chrome";
  let SoftwareKnownVersion = "10";
  DeviceTvmSoftwareInventory
  // to surface software whose version was not discovered, remove the SoftwareVersion filter
  | where SoftwareName == SearchSoftwareName
  | where SoftwareVersion startswith SoftwareKnownVersion
```
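A variant of the hunt above, added here as an example and not part of the Sentinel repository's own query: it matches the name case-insensitively, keeps rows whose version was never discovered (the case the original comment mentions) instead of silently dropping them, and summarizes the result per device so an analyst sees scope rather than one row per installation. The name and version values are the same placeholders the page uses.

```kql
// Added example (not the original hunting query). Same inputs as the page:
// a software name to look for and a known version prefix of interest.
let SearchSoftwareName = "chrome";
let SoftwareKnownVersion = "10";
DeviceTvmSoftwareInventory
// =~ is a case-insensitive equality match; inventory names are not always normalized
| where SoftwareName =~ SearchSoftwareName
// Flag installations whose version was not discovered so they are not lost to the filter
| extend VersionDiscovered = isnotempty(SoftwareVersion)
// Caveat: a prefix match on "10" also matches "100", "101", ... Use a trailing dot
// (e.g. "10.") when the goal is a single major version.
| where not(VersionDiscovered) or SoftwareVersion startswith SoftwareKnownVersion
// Scope per device: how many hosts carry the version of interest, and which ones
| summarize
    DeviceCount = dcount(DeviceId),
    Devices     = make_set(DeviceName, 25),
    Versions    = make_set(SoftwareVersion, 25)
    by SoftwareVendor, SoftwareName, VersionDiscovered
| order by DeviceCount desc
```

Rows with VersionDiscovered == false are candidates for a manual check rather than a finding, since the table could not confirm what build is actually installed.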
False Positives and Exclusions

1. Scenario: A system management tool like Microsoft System Center Configuration Manager (SCCM) is running a scheduled update scan.
   Filter/Exclusion: Exclude processes associated with SCCM by checking the process name or using a field like process.parent_process_name to identify SCCM-related tasks.

2. Scenario: A Windows Task Scheduler job is executing a script that installs or updates software, such as Chocolatey or WSUS.
   Filter/Exclusion: Use the process.parent_process_name field to filter out processes initiated by schtasks.exe or taskhost.exe.

3. Scenario: A database backup tool like SQL Server Backup Utility is running a scheduled backup, which may temporarily install or update components.
   Filter/Exclusion: Exclude processes with process.name containing "sqlbackup" or use a process.parent_process_name filter for known backup tools.

4. Scenario: A remote desktop session (e.g., via RDP) is running a software installation or update as part of a user's administrative task.
   Filter/Exclusion: Use the process.user field to exclude non-admin users or filter out processes initiated from remote sessions using process.parent_process_name like mstsc.exe.

5. Scenario: A software update management tool like Microsoft Endpoint Configuration Manager is deploying updates to endpoints, which may trigger software installation events.
   Filter/Exclusion: Exclude processes with process.name containing "ccm" or "Configuration Manager" and use process.parent_process_name to identify known deployment tools.