Endpoint Threat Protection Essentials

Endpoint Threat Protection Essentials Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com
Categories	domains
Version	3.0.4
Author	Microsoft - support@microsoft.com
First Published	2022-11-16
Last Updated	2026-02-19
Solution Folder	Endpoint Threat Protection Essentials
Marketplace	Azure Marketplace · Popularity: 🔵 Medium (72%)
Pre-requisites	Windows Security Events, Microsoft Defender XDR, Windows Forwarded Events

The Endpoint Threat Protection Essentials solution provides content to monitor, detect and investigate threats related to windows machines. The solution looks for things like suspicious commandlines, PowerShell based attacks, LOLBins, registry manipulation, scheduled tasks etc. which are some of the most commonly used techniques by attackers when targeting endpoints.

For details on the required solutions, see the Pre-requisites section below.

Keywords: LOLBins, PowerShell, Registry, Lsass, Commandline, scheduled tasks, Malware.

Pre-requisites
Data Connectors
Tables Used
Content Items

Pre-requisites

This solution depends on 3 other solution(s):

Solution
Microsoft Defender XDR
Windows Forwarded Events
Windows Security Events

Data Connectors

This solution does not include its own data connectors but uses connectors from dependency solutions:

Microsoft Defender XDR (dependency on Microsoft Defender XDR)
Security Events via Legacy Agent (dependency on Windows Security Events)
Windows Forwarded Events (dependency on Windows Forwarded Events)
Windows Security Events via AMA (dependency on Windows Security Events)

Tables Used

This solution queries 6 table(s) from its content items:

Table	Used By Content
`DeviceEvents`	Analytics, Hunting
`DeviceNetworkEvents`	Hunting
`DeviceProcessEvents`	Hunting
`Event`	Analytics, Hunting
`SecurityEvent`	Analytics, Hunting
`WindowsEvent`	Analytics, Hunting

Content Items

This solution includes 29 content item(s):

Content Type	Count
Hunting Queries	15
Analytic Rules	14

Analytic Rules

Name	Severity	Tactics	Tables Used
Base64 encoded Windows process command-lines	Medium	Execution, DefenseEvasion	`SecurityEvent` `WindowsEvent`
Detecting Macro Invoking ShellBrowserWindow COM Objects	Medium	LateralMovement	`Event`
Dumping LSASS Process Into a File	High	CredentialAccess	`Event`
Lateral Movement via DCOM	Medium	LateralMovement	`Event`
Malware in the recycle bin	Medium	DefenseEvasion	`SecurityEvent` `WindowsEvent`
Potential Remote Desktop Tunneling	Medium	CommandAndControl	`SecurityEvent`
Process executed from binary hidden in Base64 encoded file	Medium	Execution, DefenseEvasion	`SecurityEvent` `WindowsEvent`
Registry Persistence via AppCert DLL Modification	Medium	Persistence	`Event`
Registry Persistence via AppInit DLLs Modification	Medium	Persistence	`Event`
Security Event log cleared	Medium	DefenseEvasion	`SecurityEvent` `WindowsEvent`
Suspicious Powershell Commandlet Executed	Medium	Execution	`DeviceEvents`
WDigest downgrade attack	Medium	CredentialAccess	`Event`
Windows Binaries Executed from Non-Default Directory	Medium	Execution	`SecurityEvent`
Windows Binaries Lolbins Renamed	Medium	Execution	`Event`

Hunting Queries

Name	Tactics	Tables Used
Backup Deletion	Impact	`DeviceProcessEvents` `SecurityEvent` `WindowsEvent`
Certutil (LOLBins and LOLScripts, Normalized Process Events)	CommandAndControl	-
Detect Certutil (LOLBins and LOLScripts) Usage	CommandAndControl	`Event`
Download of New File Using Curl	CommandAndControl	`DeviceNetworkEvents` `SecurityEvent`
Execution of File with One Character in the Name	Execution	`Event`
Persisting via IFEO Registry Key	Persistence	`Event` `SecurityEvent` `WindowsEvent`
Potential Microsoft Security Services Tampering	DefenseEvasion	`DeviceProcessEvents` `Event` `SecurityEvent` `WindowsEvent`
Rare Windows Firewall Rule updates using Netsh	Execution	`DeviceProcessEvents` `Event` `SecurityEvent`
Remote Login Performed with WMI	Execution	`SecurityEvent`
Remote Scheduled Task Creation or Update using ATSVC Named Pipe	Persistence	`SecurityEvent`
Rundll32 (LOLBins and LOLScripts)	DefenseEvasion	`Event`
Scheduled Task Creation or Update from User Writable Directory	Execution	`SecurityEvent`
Suspicious Powershell Commandlet Execution	Execution	`DeviceEvents`
Unicode Obfuscation in Command Line	DefenseEvasion	`DeviceProcessEvents` `SecurityEvent`
Windows System Shutdown/Reboot (Normalized Process Events)	Impact	-

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.5	18-11-2024	Removed the broken URL in Analytic Rule and Hunting query
3.0.4	10-06-2024	Added entityMappings and added missing AMA DC reference in Analytical Rules and Hunting Queries
3.0.3	11-03-2024	Added few Hunting Queries to detect Endpoint Threats
3.0.2	21-02-2024	Tagged for dependent solutions for deployment
		Added New rules to detect Suspicious PowerShell Commandlet Exceutions
3.0.1	29-01-2024	Added subTechniques in Template
3.0.0	25-10-2023	Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR