Expansions strongify (#1329)
* Expansions strongify Mapping stringer identifiers * Fixing these up a bit to simplify and output additional entity mappings * Couple other tweaks Co-authored-by: Shain Wray (MSTIC) <shainw@microsoft.com>
Родитель
533e0983f8
Коммит
3a4a479b1c
|
@ -20,9 +20,7 @@ relevantTechniques:
|
|||
- T1530
|
||||
- T1213
|
||||
- T1020
|
||||
|
||||
query: |
|
||||
|
||||
// Replace these with the usename or emails of your VIP users you wish to monitor for.
|
||||
let vips = dynamic(['vip1@email.com','vip2@email.com']);
|
||||
let timeframe = 1d;
|
||||
|
@ -30,3 +28,10 @@ query: |
|
|||
| where TimeGenerated > ago(timeframe)
|
||||
| where QueryText has_any (vips)
|
||||
| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
|
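Review bot: The new `AccountCustomEntity = AADEmail` column is bound to the Account `FullName` identifier, but `AADEmail` holds an email/UPN, while `FullName` is the `domain\user` form Sentinel uses to correlate with other alerts; a UPN resolves to the same Account entity only when it is split into the `Name` and `UPNSuffix` identifiers, e.g. `| extend Name = tostring(split(AADEmail, '@')[0]), UPNSuffix = tostring(split(AADEmail, '@')[1])` with two fieldMappings pointing at those columns. The same applies to the OfficeActivity query below, where `AccountCustomEntity = UserId` is also a UPN. The `query:` block's earlier lines are outside the first hunk, so I cannot see whether another identifier is already emitted.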
@ -47,7 +47,21 @@ query: |
|
|||
| extend UserIdUserFolderFormat = tolower(replace('@|\\.', '_',UserId))
|
||||
// identify when UserId is not a match to the specific site url personal folder reference
|
||||
| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false )
|
||||
| summarize TimeGenerated = make_list(TimeGenerated), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated),
|
||||
| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
|
||||
UserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)
|
||||
by OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder
|
||||
|
||||
| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
- entityType: URL
|
||||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: URLCustomEntity
|
|
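Review bot: `IPCustomEntity = ClientIP` is mapped straight onto the IP `Address` identifier, and in OfficeActivity the `ClientIP` column can, for some workloads, carry a port suffix or a bracketed IPv6 literal, in which case the entity never resolves; this is worth checking against SharePoint records before relying on the mapping, and stripping the port first if it is present. The `StartTimeUtc`/`EndTimeUtc` → `StartTime`/`EndTime` rename drops the only hint that the summarize output is UTC, so a one-line `//` comment on the summarize would keep that for readers. The query's filtering and the `Site_Url` derivation start before this hunk.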
@ -20,7 +20,6 @@ relevantTechniques:
|
|||
- T1098
|
||||
- T1078
|
||||
query: |
|
||||
|
||||
let timeframe = 1h;
|
||||
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
|
||||
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
|
||||
|
@ -34,9 +33,8 @@ query: |
|
|||
// Exclude Remote Desktop Users group: S-1-5-32-555
|
||||
| where TargetSid !in ("S-1-5-32-555")
|
||||
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
|
||||
| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer,
|
||||
GroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid,
|
||||
GroupAddSubjectUserName = SubjectUserName, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;
|
||||
| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount,
|
||||
GroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;
|
||||
let GroupCreated = SecurityEvent
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
// 4727 - A security-enabled global group was created
|
||||
|
@ -44,20 +42,21 @@ query: |
|
|||
// 4754 - A security-enabled universal group was created
|
||||
| where EventID in ("4727", "4731", "4754")
|
||||
| where AccountType =~ "User"
|
||||
| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer,
|
||||
GroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName, GroupCreateSubjectUserName = SubjectUserName,
|
||||
GroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;
|
||||
| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount,
|
||||
GroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;
|
||||
GroupCreated
|
||||
| join (
|
||||
GroupAddition
|
||||
) on GroupSid
|
||||
| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectUserName, HostCustomEntity = GroupCreateComputer
|
||||
| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: SID
|
||||
columnName: GroupCreateSubjectUserSid
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
columnName: HostCustomEntity
|
|
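Review bot: The Host fieldMapping ends with `columnName: HostCustomEntity` on two consecutive lines at the tail of the hunk; if that is in the file rather than a rendering artifact, it is a duplicate key inside the same mapping and a YAML loader may reject it or silently keep one, so the second line should go. Separately, the created group (`GroupCreateTargetAccount`, `GroupSid`) is now projected but only the subject account is mapped; if groups are represented as Account entities elsewhere in this repo, a second mapping with `FullName` → `GroupCreateTargetAccount` and `SID` → `GroupSid` would surface the object that was created and populated. The `GroupAddition` definition this joins against starts in the previous hunk.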
@ -44,23 +44,23 @@ query: |
|
|||
let Kerbevent23h = Kerbevent
|
||||
| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
|
||||
| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)
|
||||
by Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status
|
||||
by Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status
|
||||
| where ServiceNameCountPrev23h < prev23hThreshold;
|
||||
let Kerbevent1h =
|
||||
Kerbevent
|
||||
| where TimeGenerated >= ago(endtime)
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)
|
||||
by Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;
|
||||
by Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;
|
||||
Kerbevent1h
|
||||
| join kind=leftanti
|
||||
(
|
||||
Kerbevent23h
|
||||
) on TargetUserName
|
||||
) on TargetUserName, TargetDomainName
|
||||
// Threshold value set above is based on testing, this value may need to be changed for your environment.
|
||||
| where ServiceNameCountPrev1h > prev1hThreshold
|
||||
| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,
|
||||
TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress
|
||||
TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,"\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
|
|
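Review bot: `IPCustomEntity = ClientIPAddress` now feeds the IP `Address` identifier, but for Kerberos events the client address is commonly logged as an IPv4-mapped IPv6 string (`::ffff:10.1.2.3` style), which does not resolve to the same IP entity as the plain address; if that is what this data holds, normalise it before the extend, using the same `replace()` form the repo already uses, e.g. `| extend ClientIPAddress = replace("::ffff:", "", ClientIPAddress)`. The `strcat(TargetDomainName,"\\", TargetUserName)` form is the right shape for `FullName`; note the join is now `on TargetUserName, TargetDomainName`, so the domain must also be present in the 23h side for a match. The `Kerbevent` source and the thresholds are defined before this hunk, and the fieldMappings list runs past it.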
@ -19,7 +19,6 @@ relevantTechniques:
|
|||
- T1098
|
||||
- T1078
|
||||
query: |
|
||||
|
||||
let timeframe = 1d;
|
||||
let spanoftime = 10m;
|
||||
let threshold = 0;
|
||||
|
@ -28,28 +27,30 @@ query: |
|
|||
// A user account was created
|
||||
| where EventID == 4720
|
||||
| where AccountType =~ "User"
|
||||
| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName,
|
||||
AccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid
|
||||
| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName,
|
||||
AccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
|
||||
| join kind= inner (
|
||||
SecurityEvent
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
// A user account was deleted
|
||||
| where EventID == 4726
|
||||
| where AccountType == "User"
|
||||
| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName,
|
||||
AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid
|
||||
) on Computer, TargetUserName
|
||||
| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName,
|
||||
AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
|
||||
) on Computer, TargetAccount
|
||||
| where deletionTime - creationTime < spanoftime
|
||||
| extend TimeDelta = deletionTime - creationTime
|
||||
| where tolong(TimeDelta) >= threshold
|
||||
| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate,
|
||||
deletionTime, DeleteEventID, AccountUsedToDelete
|
||||
| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,
|
||||
deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete
|
||||
| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: SID
|
||||
columnName: SIDofAccountUsedToCreate
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
|
|
|
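Review bot: The inner join now matches creation and deletion on `Computer, TargetAccount` (lowercased on both sides), yet both rows already project the account's `TargetSid`; if the 4720 and 4726 events carry the same SID for the same object, as they should, joining `on Computer, TargetSid` would tie the deletion to the exact account that was created, not to any later account that reused the name, and would make the `tolower` normalisation unnecessary. The same applies to the enable/disable (4722/4725) query below, which uses the identical join. The left-hand `SecurityEvent` pipeline begins before this hunk.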
@ -19,7 +19,6 @@ relevantTechniques:
|
|||
- T1098
|
||||
- T1078
|
||||
query: |
|
||||
|
||||
let timeframe = 1d;
|
||||
let spanoftime = 10m;
|
||||
let threshold = 0;
|
||||
|
@ -28,28 +27,30 @@ query: |
|
|||
// A user account was enabled
|
||||
| where EventID == 4722
|
||||
| where AccountType =~ "User"
|
||||
| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName,
|
||||
AccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid
|
||||
| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName,
|
||||
AccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
|
||||
| join kind= inner (
|
||||
SecurityEvent
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
// A user account was disabled
|
||||
| where EventID == 4725
|
||||
| where AccountType == "User"
|
||||
| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName,
|
||||
AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid
|
||||
) on Computer, TargetUserName
|
||||
| where deletionTime - creationTime < spanoftime
|
||||
| extend TimeDelta = deletionTime - creationTime
|
||||
| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName,
|
||||
AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
|
||||
) on Computer, TargetAccount
|
||||
| where DisableTime - EnableTime < spanoftime
|
||||
| extend TimeDelta = DisableTime - EnableTime
|
||||
| where tolong(TimeDelta) >= threshold
|
||||
| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate,
|
||||
deletionTime, DeleteEventID, AccountUsedToDelete
|
||||
| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer
|
||||
| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable,
|
||||
DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable
|
||||
| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: SID
|
||||
columnName: SIDofAccountUsedToEnable
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
|
|
|
@ -19,15 +19,14 @@ relevantTechniques:
|
|||
- T1098
|
||||
- T1078
|
||||
query: |
|
||||
|
||||
let timeframe = 1d;
|
||||
SecurityEvent
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
| where EventID == 4720
|
||||
| where AccountType == "User"
|
||||
| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer),
|
||||
CreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName
|
||||
|join (
|
||||
CreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid
|
||||
| join (
|
||||
SecurityEvent
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
| where AccountType == "User"
|
||||
|
@ -35,20 +34,21 @@ query: |
|
|||
| where EventID == 4732
|
||||
//TargetSid is the builin Admins group: S-1-5-32-544
|
||||
| where TargetSid == "S-1-5-32-544"
|
||||
| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName,
|
||||
Domain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName),
|
||||
CreatedUserSid = MemberSid
|
||||
| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount),
|
||||
GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid
|
||||
)
|
||||
on CreatedUserSid
|
||||
//Create User first, then the add to the group.
|
||||
| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID,
|
||||
GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid
|
||||
| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID,
|
||||
GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser
|
||||
| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: SID
|
||||
columnName: CreatedUserSid
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
|
|
|
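Review bot: `AccountUsedToCreateUser = strcat(SubjectAccount)` wraps a single column in `strcat`, which is a no-op string conversion and reads like a leftover from a domain/user concatenation; `AccountUsedToCreateUser = SubjectAccount` expresses the same thing. The second hunk now projects `AccountThatAddedUser` and `SIDofAccountThatAddedUser` but maps only the created user, so a second Account mapping (`FullName` → `AccountThatAddedUser`, `SID` → `SIDofAccountThatAddedUser`) would let an analyst pivot on who performed the group addition. The join is on `CreatedUserSid`, so the `tolower` on `CreatedUser` and `GroupName` is cosmetic and safe. The query's opening lines and the end of the fieldMappings list are outside the hunks.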
@ -30,14 +30,16 @@ query: |
|
|||
| extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
|
||||
// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.
|
||||
| extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
|
||||
| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
|
||||
| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount
|
||||
| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: SID
|
||||
columnName: TargetSid
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
|
|
|
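Review bot: The new project adds `SubjectAccount`, the account that changed the UserAccountControl flags, but the entity mappings cover only the target via `AccountCustomEntity`/`TargetSid`; for a 'Password Not Required' change the actor is the account an analyst needs to pivot on, so a second Account mapping with `- identifier: FullName` / `columnName: SubjectAccount` is worth adding. The same gap exists in the 4723 password-change query below, where `SubjectAccount` and `SubjectUserSid` are projected but unmapped. The hunk starts mid-pipeline and the Host fieldMappings run past its end.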
@ -36,14 +36,16 @@ query: |
|
|||
| where EventID == 4723
|
||||
// Removing Machine Accounts
|
||||
| where TargetUserName !endswith "$"
|
||||
) on TargetUserName, TargetDomainName
|
||||
| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, SubjectUserName
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
|
||||
) on TargetAccount
|
||||
| project StartTime = TimeGenerated, EventID, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid
|
||||
| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: SID
|
||||
columnName: TargetSid
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
|
|
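Review bot: `) on TargetAccount` replaces the two-column join with a single key, which is equivalent since `TargetAccount` is the `domain\user` form, but KQL join keys compare case-sensitively and, unlike the create/delete and enable/disable queries in this commit, this side does not apply `tolower(TargetAccount)`; if the left side (outside the hunk) does not normalise either, 4723 rows whose casing differs will not pair. Either lowercase both sides or join on `TargetSid`, which the new project already carries. The left-hand pipeline and the Host fieldMappings are outside the hunk.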