While running below query over Advance Hunting I got "An unexpected error occurred during query execution. Please try again in a few minutes."
I am not sure about the error but would like to understand why the error and how to resolve the same.
Query:
//Description:
//The query looks for several different MITRE techniques, grouped by risk level.
//A weighting is applied to each risk level and a total score calculated per machine
//Techniques can be added/removed as required
//
let weights = dynamic({"Low":1, "Medium":3, "High":5}); //Assign weights to the risk levels
//Low risk events
let lowRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "powershell.exe" and ProcessCommandLine has "-command") //T1086 PowerShell
or
(FileName =~ "powershell.exe" and ProcessCommandLine contains "-nop") //T1086 PowerShell
or
(FileName =~ "schtasks.exe" and ProcessCommandLine has "create") //T1053 Scheduled Task
or
(FileName =~ "installutil.exe") //T1118 InstallUtil
or
(FileName =~ "msbuild.exe") //T1127 Trusted Developer Utilities
or
(FileName =~ "nbtstat.exe") //T1016 System Network Configuration Discovery
or
(FileName == "mshta.exe") //T1170 Mshta
or
(FileName =~ "netsh.exe") //T1089 Disabling Security Tools, T1063 Security Software Discovery
or
(FileName == "net.exe" and ProcessCommandLine has " start ") //T1007 System Service Discovery
| extend Weight = toint((weights["Low"]));
//Medium risk events
let mediumRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "regsvcs.exe") //T1121 Regsvcs/Regasm
or
(FileName =~ "arp.exe" and ProcessCommandLine has "-a") //T1016 System Network Configuration Discovery
or
(FileName =~ "ipconfig.exe" and ProcessCommandLine has "all") //T1016 System Network Configuration Discovery
or
(FileName startswith "psexe") //T1035 Service Execution
or
(FileName == "net.exe" and ProcessCommandLine has " share ") //T1135 Network Share Discovery
or
(FileName =~ "netsh.exe" and ProcessCommandLine has "interface show") //T1016 System Network Configuration Discovery
| extend Weight = toint((weights["Medium"]));
//Higher risk events
let highRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "net.exe" and ProcessCommandLine has "config") //T1016 System Network Configuration Discovery
or
(FileName =~ "net.exe" and ProcessCommandLine has "time") //T1124 System Time Discovery
or
(FileName =~ "w32tm.exe" and ProcessCommandLine has "/tz") //T1124 System Time Discovery
or
(FileName == "cmstp.exe") //T1191 CMSTP
or
(FileName =~ "netsh.exe" and (ProcessCommandLine has "portproxy" or ProcessCommandLine has "p")) //T1090 Connection Proxy
| extend Weight = toint((weights["High"]));
union kind=outer lowRiskEvents, mediumRiskEvents, highRiskEvents
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, Weight
| summarize Start_Time=min(Timestamp), End_Time=max(Timestamp), Weight_Sum=sum(Weight), Processes=makeset(FileName), Commands=makeset(ProcessCommandLine) by DeviceName
| where Weight_Sum > 30
| sort by Weight_Sum desc
Query Source: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
Thanks & Regards,
Pratik Pashte