Adding query for review

2021-12-17 08:55:38 -08:00 · 2021-12-17 08:55:38 -08:00 · 306066418e
--- a/Queries/Syslog/Container_Miner_Activity.yaml
+++ b/Queries/Syslog/Container_Miner_Activity.yaml
@ -0,0 +1,42 @@
+id: 6fee32b3-3271-4a3f-9b01-dbd9432a1707
+name: Possible Container Miner related artifacts detected
+description: |
+  'This query uses syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining.
+  Attackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives.
+  For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description
+  Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431'
+requiredDataConnectors:
+  - connectorId: Syslog
+    dataTypes: 
+      - Syslog
+tactics:
+  - Impact
+  - Execution
+relevantTechniques:
+  - T1496
+  - T1203
+tags:
+  - CVE-2021-44228
+  - Log4j
+  - Log4Shell
+query: |
+  Syslog
+  | where Facility == 'user'
+  | where SyslogMessage has "AUOMS_EXECVE"
+  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
+  | where EventType =~ "AUOMS_EXECVE"
+  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
+  | where (exe has "docker" and cmdline has_any  ("monero-miner","minergate-cli","aeon-miner","xmr-miner")) or (exe has_any ("bash","dash") and cmdline has "docker kill" and cmdline has_any ("gakeaws","monero","xmr","pocosow"))
+  | project TimeGenerated, Computer, audit_user, user, cmdline
+  | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated
+  | sort by TimeGenerated desc
+entityMappings: 
+- entityType: Host
+  fieldMappings:
+    - identifier: FullName
+      columnName: HostCustomEntity
+- entityType: Account
+  fieldMappings:
+    - identifier: FullName
+      columnName: AccountCustomEntity
+version: 1.0.0