// Alternate data stream written onto a file named wermgr.exe.
// Stream name comes from the event's AdditionalFields JSON; rows with no
// stream name are dropped. Weight 30 — on its own this meets the
// TotalScore >= 30 alert threshold applied in the final pipeline.
let ADS_Signal = DeviceFileEvents
| where ActionType == "FileStreamsCreated"
| where FileName in~ ("wermgr.exe")
| extend Fields = todynamic(AdditionalFields)
| extend StreamName = tostring(Fields.FileStreamName)
| where not (isempty(StreamName))
| extend Detail = strcat("ADS stream=", StreamName, " parent=", InitiatingProcessFileName)
| extend Signal = "ADS_wermgr", SignalWeight = 30
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = Detail;
// File or folder created under a path containing "\RP_" (case-insensitive
// substring match, so any legitimate path with that fragment also fires).
// Weight 20; together with MsMpEng_RP_Access (15) a single such directory
// already reaches the 30-point alert threshold — tune if this is noisy.
let RPDir_Signal = DeviceFileEvents
| where ActionType == "FolderCreated" or ActionType == "FileCreated"
| where FolderPath contains @"\RP_"
| extend Detail = strcat("RP_ path=", FolderPath, " by=", InitiatingProcessFileName)
| extend Signal = "RP_TempDir", SignalWeight = 20
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = Detail;
// Defender's engine (MsMpEng.exe) touching anything under a "\RP_" path.
// This is a weak corroborating signal (weight 15): the engine scanning a
// freshly created directory is expected behaviour, so it mostly adds
// context to RP_TempDir rather than standing alone.
let MsMpEng_Signal = DeviceFileEvents
| where FolderPath contains @"\RP_"
| where InitiatingProcessFileName in~ ("MsMpEng.exe")
| extend Detail = strcat("MsMpEng in RP_ path=", FolderPath)
| extend Signal = "MsMpEng_RP_Access", SignalWeight = 15
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = Detail;
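// Named-pipe indicator for the "RoguePlanet" marker.
// The original scanned every DeviceEvents row regardless of ActionType, which
// is both expensive and inconsistent with the signal's name; restrict to
// NamedPipeEvent so only pipe creations/connections are considered.
// `has` is a whole-term match: "RoguePlanet" embedded in a longer alphanumeric
// token (e.g. "RoguePlanetSvc") will NOT match — switch to `contains` if the
// pipe name is observed with prefixes/suffixes.
// Weight 40 — alone this exceeds the alert threshold.
let Pipe_Signal = DeviceEvents
| where ActionType == "NamedPipeEvent"
| where tostring(AdditionalFields) has "RoguePlanet"
// PipeName is the AdditionalFields property carried by NamedPipeEvent;
// it is empty if the property is absent, which does not suppress the signal.
| extend PipeName = tostring(parse_json(AdditionalFields).PipeName)
| extend Signal = "NamedPipe_RoguePlanet", SignalWeight = 40
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = strcat("pipe event=", ActionType, " pipe=", PipeName, " proc=", InitiatingProcessFileName);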
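// wermgr.exe executing from anywhere other than its genuine location.
// The original allowlist was `startswith "C:\Windows\System32\"` (and SysWOW64),
// which (a) hard-codes the system drive as C: and (b) accepts any subfolder of
// System32/SysWOW64, so a copy dropped at ...\System32\Tasks\wermgr.exe would
// pass as legitimate. Match the exact expected full path on any drive letter.
// Assumes FolderPath holds the full path including the file name (the original
// trailing-backslash prefix check implies the same) — TODO confirm on the tenant.
// NOTE(review): a renamed copy (FileName != wermgr.exe) is out of scope here;
// if that matters, consider also checking ProcessVersionInfoOriginalFileName.
let Wermgr_Signal = DeviceProcessEvents
| where FileName =~ "wermgr.exe"
| where not (FolderPath matches regex @"(?i)^[a-z]:\\Windows\\(System32|SysWOW64)\\wermgr\.exe$")
| extend Signal = "Wermgr_Anomaly", SignalWeight = 25
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = strcat("wermgr outside System32 path=", FolderPath, " parent=", InitiatingProcessFileName);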
// Disk-image / virtual-disk mounting activity from a non-elevated, interactive
// user context: diskpart/mountvol directly, or a shell whose command line
// references image files or mount cmdlets. Machine accounts (names ending in
// "$") and High/System integrity processes are excluded. Weight 20.
let IsoMount_Signal = DeviceProcessEvents
| where ProcessIntegrityLevel in ("Medium", "Low")
| where not (AccountName endswith "$")
| extend IsDiskTool = FileName in~ ("diskpart.exe", "mountvol.exe")
| extend IsShellMount = FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
    and ProcessCommandLine has_any (".iso", ".vhd", ".vhdx", "Mount-DiskImage", "attach vdisk", "select vdisk", "VirtualDisk")
| where IsDiskTool or IsShellMount
| extend Detail = strcat(AccountName, " ran=", FileName, " integrity=", ProcessIntegrityLevel)
| extend Signal = "IsoMount_UserContext", SignalWeight = 20
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = Detail;
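// Medium/Low-integrity process (from an RP_ path, or a wermgr.exe outside its
// genuine location) that spawned a System-integrity child.
// Defect fixed: the original joined on DeviceId + PID only. Windows recycles
// PIDs, so an unrelated later process that reused the parent's PID would be
// paired with a stale parent row and produce a false privilege-escalation hit.
// The parent's creation time is added to the join key (the child carries it
// as InitiatingProcessCreationTime, the parent row as ProcessCreationTime).
// The wermgr path check mirrors Wermgr_Signal: exact full path, any drive.
let PrivEsc_Signal = DeviceProcessEvents
| where ProcessIntegrityLevel == "System"
| join kind=inner (
    DeviceProcessEvents
    | where ProcessIntegrityLevel in ("Medium", "Low")
    | where FolderPath contains @"\RP_"
        or (FileName =~ "wermgr.exe"
            and not (FolderPath matches regex @"(?i)^[a-z]:\\Windows\\(System32|SysWOW64)\\wermgr\.exe$"))
    | project DeviceId,
              ParentPID = ProcessId,
              ParentCreationTime = ProcessCreationTime,
              ParentProc = FileName,
              ParentPath = FolderPath,
              ParentIntegrity = ProcessIntegrityLevel
) on DeviceId,
     $left.InitiatingProcessId == $right.ParentPID,
     $left.InitiatingProcessCreationTime == $right.ParentCreationTime
| extend Signal = "UserToSystem_PrivEsc", SignalWeight = 30
| project Timestamp, ReportId, DeviceId, DeviceName, Signal, SignalWeight, SignalDetail = strcat(ParentProc, "(", ParentIntegrity, ") from RP_/non-System32 path->", FileName, "(SYSTEM)");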
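// Fold the per-signal feeds into one scored row per device.
// Stage 1 collapses repeated events of the same signal, so a device that fires
// RP_TempDir five hundred times still contributes that weight exactly once.
// Stage 2 sums the distinct weights, taken from the SignalWeight column each
// feed already carries — the original re-declared every weight in a case()
// chain here, which duplicated the definitions and would silently drift if a
// feed's weight changed. SignalCount is an exact count() of distinct signals
// rather than the approximate dcount().
// make_set(Details) flattens the per-signal detail arrays into one distinct list.
// No Timestamp bound is applied; for ad-hoc hunting prepend a time filter to
// each feed to bound cost.
union ADS_Signal, RPDir_Signal, MsMpEng_Signal, Pipe_Signal, Wermgr_Signal, IsoMount_Signal, PrivEsc_Signal
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId),
            Details = make_set(SignalDetail)
    by DeviceId, DeviceName, Signal, SignalWeight
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId),
            Signals = make_set(Signal),
            SignalCount = count(),
            TotalScore = sum(SignalWeight),
            AllDetails = make_set(Details)
    by DeviceId, DeviceName
// The two explicit signal checks are redundant with the score (both carry
// weight >= 30) but are kept so the intent survives future weight changes.
| where TotalScore >= 30 or Signals has "NamedPipe_RoguePlanet" or Signals has "ADS_wermgr"
| extend AlertSeverity = case(TotalScore >= 80, "Critical", TotalScore >= 50, "High", TotalScore >= 30, "Medium", "Informational")
| extend ThreatName = "RoguePlanet"
| project Timestamp, ReportId, DeviceId, DeviceName, ThreatName, AlertSeverity, TotalScore, SignalCount, Signals, AllDetails
| sort by TotalScore desc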