folder restructure for hunting queries, exploration queries, and built-in alerts aka detections. (#12)

Detections/SecurityEvent/base_encoded_pefile.txt

@@ -1,5 +1,21 @@
-// Finding base64 encoded PE files header seen in the command line parameters
-// Tags: #Initial Access, #Execution, #Defense Evasion
+// Name: Base64 encoded Windows executables in process commandlines
+
+// Description: finds instances of base64 encoded PE files header seen in process command line parameter.
+
+// Severity: Medium
+
+// QueryFrequency: 24
+
+// QueryPeriod: 24
+
+// AlertTriggerOperator: gt
+
+// AlertTriggerThreshold: 0
+
+// Data source: SecurityEvent
+
+// Techniques: #Initial Access, #Execution, #Defense Evasion
+
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688
@@ -11,4 +27,5 @@ InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",Init
 processEvents};
 ProcessCreationEvents
 | where ProcessCommandLine contains "TVqQAAMAAAAEAAA"
+| where TimeGenerated >= ago(24h)
 | top 1000 by TimeGenerated

Detections/SecurityEvent/execute_base64_decodedpayload.txt

@@ -0,0 +1,40 @@
+// Name: Process executed from binary hidden in Base64 encoded file. 
+
+// Description:  Encoding malicious software is a technique to obfuscate files from detection.
+//   The first ProcessCommandLine component is looking for Python decoding base64
+//   The second ProcesssCommandLine component is looking for the Bash/sh commandline base64 decoding tool
+//   The third one is looking for Ruby decoding base64
+
+// Severity: Medium
+
+// QueryFrequency: 24
+
+// QueryPeriod: 24
+
+// AlertTriggerOperator: gt
+
+// AlertTriggerThreshold: 0
+
+// Data source: SecurityEvent
+
+// Techniques: #Initial Access, #Execution, #Defense Evasion
+
+let ProcessCreationEvents=() {
+let processEvents=SecurityEvent
+| where EventID==4688
+| project  TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,AccountDomain=SubjectDomainName,
+FileName=tostring(split(NewProcessName, '\\')[-1], // convert SecurityEvents raw schema to get FileName & CommandLine 
+ProcessCommandLine = CommandLine, 
+FolderPath = "",
+InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
+processEvents ;
+};
+ProcessCreationEvents 
+| where TimeGenerated > ago(1d) 
+| where ProcessCommandLine contains ".decode('base64')"
+        or ProcessCommandLine contains "base64 --decode"
+        or ProcessCommandLine contains ".decode64(" 
+| project TimeGenerated , ComputerName , FileName , ProcessCommandLine , InitiatingProcessCommandLine 
+| top 100 by EventTime 
+
+

Detections/SecurityEvent/malware_in_recyclebin.txt

@@ -1,6 +1,22 @@
-// Finding attackers hiding malware in the recycle bin.
+// Name: Malware in the recycle bin.
+//
+// Description: finding attackers hiding malware in the recycle bin.
 // Read more here: https://azure.microsoft.com/en-us/blog/how-azure-security-center-helps-reveal-a-cyberattack/ 
-// Tags: #Execution, #Defense Evasion
+//
+// Severity: Medium
+//
+// QueryFrequency: 24
+//
+// QueryPeriod: 24
+//
+// AlertTriggerOperator: gt
+//
+// AlertTriggerThreshold: 0
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Execution, #Defense Evasion
+//
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688

Functions/AlertsOnComputer.txt

@@ -0,0 +1,7 @@
+// If we also wanted to see what alerts fired on these machines we could extend the above query and join them with the SecurityAlerts table from Azure Security Center.
+// Azure Security Center must be enabled for this query to be valid
+| join (SecurityAlert
+                 | extend ExtProps=parsejson(ExtendedProperties)
+                 | extend Computer=toupper(tostring(ExtProps["Compromised Host"]))
+                 )
+on Computer

Hunting Queries/OfficeActivity/create_office_account.txt

@@ -0,0 +1,14 @@
+// Name: Summary of users creating new user accounts
+//
+// Description: creating new user accounts is a privileged activity that may be abused by attackers to provide persistent access.
+// Reviewing which user accounts have been created, and by whom, can help detect attacker attempts to provide themselves with backdoor access to data.
+//
+// Data source: OfficeActivity
+//
+// Techniques: #Persistence
+//
+OfficeActivity
+| where Operation == "Add user."
+| project addedBy=UserId, newUser=OfficeObjectId 
+| summarize newUserCount=dcount(newUser) by addedBy
+| render barchart

Hunting Queries/OfficeActivity/multiple_IPs_for_authentication.txt

@@ -1,10 +1,15 @@
-// Name: Accounts and User Agents associated with multiple IPs.
+// Name: Accounts and User Agents associated with multiple IPs in Office Azure Active Directory authentications.
+//
 // Description: summary of users/user agents associated with authentications from multiple IPs within a short timeframe.
 // This query computes and joins two tables to highlight IPs associated with multiple authentications:
 // 1- UserAgents seen in authentications from multiple IPs within short timeframe
 // 2- User Ids seen authenticated from multiple IPs
 // The time window join looks for instances of a small elpased time between logons.
-// Tags: #InitialAccess
+//
+// Data source: OfficeActivity
+//
+// Techniques: #InitialAccess
+//
 let timeRange=ago(7d);
 let officeAuthentications = 
 OfficeActivity

Hunting Queries/OfficeActivity/new_sharepoint_downloads_byIP.txt

@@ -0,0 +1,23 @@
+// Name: sharepoint downloads from previously unseen IP address.
+//
+// Description: Shows volume of documents uploaded to or downloaded from Sharepoint by new IP addresses. 
+// In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
+//
+// Data source: OfficeActivity
+//
+// Techniques: #Exfiltration
+//
+let historicalActivity=
+OfficeActivity
+| where  RecordType == "SharePointFileOperation"
+| where Operation in ("FileDownloaded", "FileUploaded")
+| where TimeGenerated between(ago(30d)..ago(7d))
+| summarize historicalCount=count() by ClientIP;
+let recentActivity = OfficeActivity
+| where  RecordType == "SharePointFileOperation"
+| where Operation in ("FileDownloaded", "FileUploaded")
+| where TimeGenerated > ago(1d) 
+| summarize recentCount=count() by ClientIP;
+recentActivity | join kind= leftanti (
+   historicalActivity 
+) on ClientIP; 

Hunting Queries/OfficeActivity/new_sharepoint_downloads_byUserAgent.txt

@@ -0,0 +1,25 @@
+// Name: sharepoint downloads from devices associated with previously unseen user agents.
+//
+// Description: tracking via user agent is one way to differentiate between types of connecting device. 
+// In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual. 
+// In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume
+// which could be associated with large-scale document exfiltration.
+//
+// Data source: OfficeActivity
+//
+// Techniques: #Exfiltration
+//
+let historicalActivity=
+OfficeActivity
+| where  RecordType == "SharePointFileOperation"
+| where Operation in ("FileDownloaded", "FileUploaded")
+| where TimeGenerated between(ago(30d)..ago(7d))
+| summarize historicalCount=count() by UserAgent;
+let recentActivity = OfficeActivity
+| where  RecordType == "SharePointFileOperation"
+| where Operation in ("FileDownloaded", "FileUploaded")
+| where TimeGenerated > ago(1d) 
+| summarize recentCount=count() by UserAgent;
+recentActivity | join kind= leftouter (
+   historicalActivity 
+) on UserAgent; 

Hunting Queries/OfficeActivity/sharepoint_downloads.txt

@@ -0,0 +1,22 @@
+// Name: New user agents associated with a clientIP for sharepoint file uploads/downloads
+//
+// Description: New user agents associated with a clientIP for sharepoint file uploads/downloads. 
+//
+// Data source: OfficeActivity
+//
+// Techniques: #Exfiltration
+//
+let historicalUA=
+OfficeActivity
+| where  RecordType == "SharePointFileOperation"
+| where Operation in ("FileDownloaded", "FileUploaded")
+| where TimeGenerated between(ago(30d)..ago(7d))
+| summarize by ClientIP, UserAgent;
+let recentUA = OfficeActivity
+| where  RecordType == "SharePointFileOperation"
+| where Operation in ("FileDownloaded", "FileUploaded")
+| where TimeGenerated > ago(1d) 
+| summarize by ClientIP, UserAgent;
+recentUA | join kind=leftanti (
+   historicalUA 
+) on ClientIP, UserAgent; 

Hunting Queries/SecurityEvent/cscript_summary.txt

@@ -1,5 +1,11 @@
-// cscript script daily summary breakdown
-// Tags: #Execution
+// Name: cscript script daily summary breakdown
+//
+// Description:  breakdown of scripts running in the environment
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Execution
+//
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688

Hunting Queries/SecurityEvent/enumeration_user_and_group.txt

@@ -1,5 +1,11 @@
-// The query finds attempts to list users or groups using Net commands
-// Tags: #Initial Access #Execution #Persistence #Lateral Movement #Discovery
+// Name: Enumeration of users and groups 
+
+// Description: finds attempts to list users or groups using the built-in Windows 'net' tool 
+
+// Data source: SecurityEvent
+
+// Techniques: #Discovery
+
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688

Hunting Queries/SecurityEvent/masquerading_files.txt

@@ -0,0 +1,21 @@
+// Name: masquerading files.
+
+// Description: Malware writers often use windows system process names for their malicious process names to make them blend 
+// in with other legitimate commands that the Windows system executes.
+// An analyst can create a simple query looking for a process named svchost.exe. 
+// It is recommended to filter out well-known security identifiers (SIDs) that are used to launch the legitimate svchost.exe process. 
+// The query also filters out the legitimate locations from which svchost.exe is launched.
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Execution, #Defense Evasion
+//
+SecurityEvent
+| where ProcessName contains "svchost.exe"
+| where SubjectUserSid != "S-1-5-18"
+| where SubjectUserSid != "S-1-5-19"
+| where SubjectUserSid != "S-1-5-20"
+| where NewProcessName !contains ":\\Windows\\System32"
+| where NewProcessName !contains ":\\Windows\\Syswow64"
+
+  

Hunting Queries/SecurityEvent/persistence_create_account.txt

@@ -1,11 +1,16 @@
 // Name: Summary of users created using uncommon & undocumented commandline switches
-// Description: Summarizes users of uncommon & undocumented commandline switches to create persistance
+//
+// Description: Summarizes uses of uncommon & undocumented commandline switches to create persistence
 // User accounts may be created to achieve persistence on a machine.
 // Read more here: https://attack.mitre.org/wiki/Technique/T1136
 // Query for users being created using "net user" command
 // "net user" commands are noisy, so needs to be joined with another signal -
-// e.g. in this example we look  (e.g. /ad instead of /add)
-// Tags: #InitialAccess #Execution #LateralMovement #Persistance #DefenseEvasion 
+// e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add)
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Persistence
+//
 SecurityEvent
 | where EventID==4688
 | project  TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, 

Hunting Queries/SecurityEvent/powershell_downloads.txt

@@ -1,5 +1,11 @@
-// Finds PowerShell execution events that could involve a download.
-// Tags: #Initial Access, #Execution, #Persistence
+// Name: powershell downloads
+//
+// Description: Finds PowerShell execution events that could involve a download
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Initial Access, #Execution, #Persistence
+//
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688

Hunting Queries/SecurityEvent/powershell_newencodedscipts.txt

@@ -1,5 +1,11 @@
-// Identify and decode new encoded powershell scripts this week versus previous fortnight - generic
-// Tags: #Initial Access, #Execution, #Persistence
+// Name: new powershell scripts encoded on the commandline
+//
+// Description: Identify and decode new encoded powershell scripts this week versus previous fortnight
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Initial Access, #Execution, #Persistence
+//
 let ProcessCreationEvents=() {
 let processEvents=SecurityEvent
 | where EventID==4688

Hunting Queries/SecurityEvent/uncommon_processes.txt

@@ -1,15 +1,23 @@
+// Name: uncommon processes - bottom 5%
+//
+// Description: Identify and decode new encoded powershell scripts this week versus previous fortnight
+//
+// Description:
 // Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!)
 // These new processes could be benign new programs installed on hosts; 
 // However, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. 
 // Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.
-// Uncommon processes/files - bottom 5%
-// Tags: #Initial Access, #Execution, #Persistence, #Privilege Escalation, #Credential Access, #Discovery, #Lateral Movement, #Collection, #Exfiltration, #Command and Control
+//
+// Data source: SecurityEvent
+//
+// Techniques: #Initial Access, #Execution, #Persistence, #Privilege Escalation, #Credential Access, #Discovery, #Lateral Movement, #Collection, #Exfiltration, #Command and Control
+//
 let ProcessCreationEvents=() {
     let processEvents=SecurityEvent
     | where EventID==4688
     // filter out common randomly named files related to MSI installers and browsers
-    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{3}.tmp")
-    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{4}.tmp")
+    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{3}\.tmp")
+    | where not(NewProcessName matches regex @"Temp\\[0-9]{1}\\TRA[0-9A-Fa-f]{4}\.tmp")
     | where not(NewProcessName matches regex @"Installer\\MSI[0-9A-Fa-f]{3}\.tmp")
     | where not(NewProcessName matches regex @"Installer\\MSI[0-9A-Fa-f]{4}\.tmp")
     | project TimeGenerated, 

Hunting Queries/SigninLogs/anomalous_app_azuread_signin.txt

@@ -1,7 +1,12 @@
-// Name: Anomalous Azure AD apps based on authentication location
+// Name: Anomalous Azure Active Directory apps based on authentication location
+//
 // Description: This query over Azure AD sign-in activity highlights Azure AD apps with 
 // an unusually high ratio of distinct geolocations versus total number of authentications
-// Tags: #InitialAccess
+//
+// Data source: SigninLogs
+//
+// Techniques: #InitialAccess
+//
 let timeRange=ago(14d);
 let azureSignIns = 
 SigninLogs

Hunting Queries/SigninLogs/new_locations_azuread_signin.txt

@@ -1,8 +1,12 @@
-// Name: azure AD signins from new locations.
-// Description: New AzureAD signin locations today versus historical Azure AD signin data
-// In the case of password spraying or brute force attacks 
-// one might see authentication attempts for many accounts from a new location.
-// Tags: #InitialAccess
+// Name: Azure Active Directory signins from new locations.
+//
+// Description: New Azure Active Directory signin locations today versus historical Azure Active Directory signin data
+// In the case of password spraying or brute force attacks one might see authentication attempts for many accounts from a new location.
+//
+// Data source: SigninLogs
+//
+// Techniques: #InitialAccess
+//
 SigninLogs
 | where TimeGenerated >= ago(1d)
 | summarize perIdentityAuthCount=count() by Identity,  locationString= strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";" , tostring(LocationDetails["geoCoordinates"]))

Hunting Queries/SigninLogs/signinBurstFromMultipleLocations.txt

@@ -1,7 +1,12 @@
-// Name: Signin burst from multiple locations
-// Description: This query over Azure AD sign-in activity highlights accounts associated
-// with multiple authentications from different geographical locations in a short space of time
-// Tags: #InitialAccess
+// Name: Azure Active Directory sign-in burst from multiple locations
+//
+// Description: This query over Azure Active Directory sign-in activity highlights accounts associated
+// with multiple authentications from different geographical locations in a short space of time.
+//
+// Data source: SigninLogs
+//
+// Techniques: #InitialAccess
+//
 let timeRange=ago(10d);
 let signIns = SigninLogs
 | where TimeGenerated >= timeRange

Hunting Queries/execution/execute_base64_decodedpayload.txt

@@ -1,24 +0,0 @@
-// Process executed from binary hidden in Base64 encoded file.  Encoding malicious software is a technique to obfuscate files from detection.
-//   The first ProcessCommandLine component is looking for Python decoding base64
-//   The second ProcesssCommandLine component is looking for the Bash/sh commandline base64 decoding tool
-//   The third one is looking for Ruby decoding base64
-// Tags: #Initial Access, #Execution, #Defense Evasion
-let ProcessCreationEvents=() {
-let processEvents=SecurityEvent
-| where EventID==4688
-| project  EventTime=TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,        AccountDomain=SubjectDomainName,
-FileName=reverse(substring(reverse(NewProcessName), 0, indexof(reverse(NewProcessName), "\\"))), // convert SecurityEvents raw schema to get FileName & CommandLine 
-ProcessCommandLine = CommandLine, 
-FolderPath = "",
-InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
-processEvents ;
-};
-ProcessCreationEvents 
-| where EventTime > ago(14d) 
-| where ProcessCommandLine contains ".decode('base64')"
-        or ProcessCommandLine contains "base64 --decode"
-        or ProcessCommandLine contains ".decode64(" 
-| project EventTime , ComputerName , FileName , ProcessCommandLine , InitiatingProcessCommandLine 
-| top 100 by EventTime 
-
-

Hunting Queries/execution/masquerading_files.txt

@@ -1,30 +0,0 @@
-// Malware writers often use windows system process names for their malicious process names to make them blend in with other legitimate commands that the Windows system executes.
-// an analyst can create a simple query looking for a process named Svchost.exe. 
-// It is recommended to filter out well-known security identifiers (SIDs) that are used to launch the legitimate svchost.exe process. 
-// The query also filters out the legitimate locations from which svchost.exe is launched.
-// Tags: #Execution, #Defense Evasion
-SecurityEvent
-| where TimeGenerated >= ago(2d)
-| where ProcessName contains "svchost.exe"
-| where SubjectUserSid != "S-1-5-18"
-| where SubjectUserSid != "S-1-5-19"
-| where SubjectUserSid != "S-1-5-20"
-| where NewProcessName !contains "C:\\Windows\\System32"
-| where NewProcessName !contains "C:\\Windows\\Syswow64"
-
-  
-// If we also wanted to see what alerts fired on these machines we could extend the above query and join them with the SecurityAlerts table from Azure Security Center.
-// Azure Security Center must be enabled for this query to be valid
-// Tags: #Execution
-SecurityEvent
-    | where EventID == 4624
-    | where AccountType == "User"
-    | where TimeGenerated >= ago(1d)
-    | extend Computer = toupper(Computer)
-    | summarize IndividualAccounts = dcount(Account) by Computer
-    | where IndividualAccounts > 4
-| join (SecurityAlert
-                 | extend ExtProps=parsejson(ExtendedProperties)
-                 | extend Computer=toupper(tostring(ExtProps["Compromised Host"]))
-                 )
-on Computer

Hunting Queries/exfiltration/sharepoint_downloads.txt

@@ -1,59 +0,0 @@
-//Shows volume of documents uploaded to or downloaded from Sharepoint by new IP addresses. 
-//In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
-// Tags: #Exfiltration
-let historicalActivity=
-OfficeActivity
-| where  RecordType == "SharePointFileOperation"
-| where Operation in ("FileDownloaded", "FileUploaded")
-| where TimeGenerated between(ago(30d)..ago(7d))
-| summarize historicalCount=count() by ClientIP;
-let recentActivity = OfficeActivity
-| where  RecordType == "SharePointFileOperation"
-| where Operation in ("FileDownloaded", "FileUploaded")
-| where TimeGenerated > ago(1d) 
-| summarize recentCount=count() by ClientIP;
-recentActivity | join kind= leftanti (
-   historicalActivity 
-) on ClientIP; 
-
-
-//Shows volume of documents uploaded to or downloaded from Sharepoint by user agent. 
-//Tracking via user agent is one way to differentiate between types of connecting device. 
-//In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual. 
-//In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
-// Sharepoint - files downloaded/uploaded by new user agent
-// Tags: #Exfiltration
-let historicalActivity=
-OfficeActivity
-| where  RecordType == "SharePointFileOperation"
-| where Operation in ("FileDownloaded", "FileUploaded")
-| where TimeGenerated between(ago(30d)..ago(7d))
-| summarize historicalCount=count() by UserAgent;
-let recentActivity = OfficeActivity
-| where  RecordType == "SharePointFileOperation"
-| where Operation in ("FileDownloaded", "FileUploaded")
-| where TimeGenerated > ago(1d) 
-| summarize recentCount=count() by UserAgent;
-recentActivity | join kind= leftouter (
-   historicalActivity 
-) on UserAgent; 
-
-
-// Sharepoint -New user agents associated with a clientIP for sharepoint file uploads/downloads
-// Tags: #Exfiltration
-let historicalUA=
-OfficeActivity
-| where  RecordType == "SharePointFileOperation"
-| where Operation in ("FileDownloaded", "FileUploaded")
-| where TimeGenerated between(ago(30d)..ago(7d))
-// DEMO | where TimeGenerated between(datetime(2018-05-25)..datetime(2018-05-29 21:00)) // fake history
-| summarize by ClientIP, UserAgent;
-let recentUA = OfficeActivity
-| where  RecordType == "SharePointFileOperation"
-| where Operation in ("FileDownloaded", "FileUploaded")
-| where TimeGenerated > ago(1d) 
-// DEMO | where TimeGenerated between (datetime(2018-05-29 21:30)..datetime(2018-05-29 21:45)) 
-| summarize by ClientIP, UserAgent;
-recentUA | join kind=leftanti (
-   historicalUA 
-) on ClientIP, UserAgent; 

Hunting Queries/persistance/create_office_account.txt

@@ -1,9 +0,0 @@
-// Name: Summary of users creating new user accounts
-// Description: new user accounts may be an attacker providing themselves with backdoor access for some later date.
-// an account creating further accounts for the first time may be an indication of compromise
-// Tags: #Persistance
-OfficeActivity
-| where Operation == "Add user."
-| project addedBy=UserId, newUser=OfficeObjectId 
-| summarize newUserCount=dcount(newUser) by addedBy
-| render barchart