Query Details

Rule Documentation: Suspicious Child Processes of PDQ Deploy Runner (Windows)

Suspicious PDQ Deploy Runner Child

Query

DeviceProcessEvents
| where InitiatingProcessParentFileName contains "PDQDeployRunner"
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "taskkill.exe", "at.exe", "wmic.exe", "bitsadmin.exe")

Notes:
Exclude trusted processes within your network

About this query

Rule Documentation: Suspicious Child Processes of PDQ Deploy Runner (Windows)

Description

This detection rule identifies suspicious child processes spawned by the PDQDeployRunner.exe process. PDQ Deploy is a legitimate software deployment tool, but it can be misused by attackers to execute malicious payloads. This rule monitors for unusual child processes that may indicate malicious activity.

Detection Logic

  • Monitors DeviceProcessEvents for child processes spawned by PDQDeployRunner.exe.
  • Identifies unusual or suspicious processes that are not commonly associated with legitimate PDQ Deploy activities.

Tags

  • Execution
  • Process Creation
  • PDQ Deploy
  • Suspicious Activity

Search Query

Explanation

This query is designed to detect potentially malicious activities involving the PDQDeployRunner.exe process, which is part of the PDQ Deploy software. PDQ Deploy is a legitimate tool used for software deployment, but it can be exploited by attackers to run harmful commands or scripts.

Key Points:

  • Purpose: To identify suspicious child processes started by PDQDeployRunner.exe.
  • Monitored Events: The query looks at DeviceProcessEvents to find child processes initiated by PDQDeployRunner.exe.
  • Suspicious Processes: It flags processes that are commonly associated with malicious activities, such as powershell.exe, cmd.exe, wscript.exe, and others listed in the query.

Query Breakdown:

  1. Source of Events: DeviceProcessEvents table.
  2. Parent Process Filter: The parent process must be PDQDeployRunner.exe.
  3. Child Process Filter: The child process must be one of the specified executables known for being used in attacks.

Actionable Note:

  • Exclude Trusted Processes: Make sure to exclude any processes that are known to be safe within your specific network environment to reduce false positives.

This rule helps in identifying and responding to potential misuse of PDQ Deploy for executing malicious commands or scripts.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 21, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

containsin~

Actions

GitHub