EndpointThreatEssetials_AnalyticsRules

This commit is contained in:
Varun Kohli 2023-04-28 16:02:33 +05:30 коммит произвёл GitHub
Родитель acf1ddacd1
Коммит 3a97cf188c
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
9 изменённых файлов: 62 добавлений и 41 удалений


@ -1,9 +1,9 @@
id: a7b9df32-1367-402d-b385-882daf6e3020
name: Dumping LSASS Process Into a File
description: |
'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.
These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.
These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
Ref: https://attack.mitre.org/techniques/T1003/001/'
severity: High
@ -22,19 +22,22 @@ relevantTechniques:
- T1003.001
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==10
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" *
| where GrantedAccess == "0x1FFFFF" and TargetImage == "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: SourceImage
version: 1.0.0
version: 1.0.1
kind: Scheduled
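Review bot: The access-mask filter on the new `where` line still passes only when GrantedAccess is exactly 0x1FFFFF (PROCESS_ALL_ACCESS); switching to `=~` only makes the hex digits case-insensitive and does not widen coverage. MiniDumpWriteDump needs just PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, so a dumper that opens lsass with a narrower mask such as 0x1010 or 0x1410 produces an EventID 10 with dbghelp/dbgcore in CallTrace yet never matches this rule. Consider `| where GrantedAccess in~ ("0x1FFFFF", "0x1010", "0x1410") and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")`, and if the narrower masks are deliberately left out for noise reasons, say so in the description. Separately, the Process entity maps `identifier: CommandLine` to SourceImage, which is an image path rather than a command line; EventID 10 carries no command line, so mapping `identifier: ProcessId` from the event's SourceProcessId, or dropping that mapping, would be more accurate.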


@ -19,11 +19,12 @@ relevantTechniques:
- T1021.003
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==1
| parse EventData with * 'CommandLine">' CommandLine "<" * 'ParentCommandLine">' ParentCommandLine "<" *
| where ParentCommandLine == "C:\\Windows\\System32\\svchost.exe -k DcomLaunch" and CommandLine == "C:\\Windows\\System32\\mmc.exe -Embedding"
| where ParentCommandLine =~ "C:\\Windows\\System32\\svchost.exe -k DcomLaunch" and CommandLine =~ "C:\\Windows\\System32\\mmc.exe -Embedding"
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'Description">' Description "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: Process
fieldMappings:
@ -31,11 +32,13 @@ entityMappings:
columnName: CommandLine
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: Account
fieldMappings:
- identifier: FullName
- identifier: Name
columnName: User
version: 1.0.0
version: 1.0.1
kind: Scheduled
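Review bot: The new `where` on ParentCommandLine still requires an exact (now case-insensitive) match against `svchost.exe -k DcomLaunch`, but on current Windows 10/11 and Server builds the DcomLaunch host is normally started as `svchost.exe -k DcomLaunch -p`, so on those hosts the rule would not fire at all; the mmc.exe side is likewise sensitive to whatever quoting the DCOM activation path applies around `-Embedding`. A term-based test is more robust: `| where ParentCommandLine has_all ("svchost.exe", "DcomLaunch") and CommandLine has_all ("mmc.exe", "Embedding")`. If the exact strings were kept on purpose to limit noise, the description should record which Windows builds the rule was validated against. The Process entity mapping that follows starts outside this hunk.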


@ -19,11 +19,12 @@ relevantTechniques:
- T1021.003
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==1
| parse EventData with * 'Image">' Image "<" * 'CommandLine">' CommandLine "<" * 'ParentImage">' ParentImage "<" *
| where ParentImage has "svchost.exe" and Image has "rundll32.exe" and CommandLine has "{c08afd90-f2a1-11d1-8455-00a0c91f3880}"
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: Process
fieldMappings:
@ -31,11 +32,13 @@ entityMappings:
columnName: CommandLine
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: Account
fieldMappings:
- identifier: FullName
- identifier: Name
columnName: User
version: 1.0.0
version: 1.0.1
kind: Scheduled
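Review bot: The Account mapping now uses `identifier: Name` but still feeds it the raw Sysmon `User` field, which Sysmon writes as `DOMAIN\user`; the Name identifier will therefore carry the domain prefix and entity correlation with other sources will degrade. Split it after the summarize (User is in its by-list) and map both halves: `| extend NTDomain = tostring(split(User, '\\')[0]), Name = tostring(split(User, '\\')[1])`, then add `- identifier: NTDomain` / `columnName: NTDomain` next to the Name mapping with `columnName: Name`. The same pattern is used by the other Sysmon process rules in this commit and should be fixed consistently. The Process entity mapping at the top of the entityMappings hunk starts outside the hunk.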


@ -22,7 +22,7 @@ query: |
| where EventID in (4624,4625) and LogonType in (10) and IpAddress in ("::1","127.0.0.1")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress
| extend Name=tostring(split(TargetUserName, "@")[0]), UPNSuffix=tostring(split(TargetUserName, "@")[1])
| extend HostName = substring(Computer,0,indexof(Computer,'.')), DnsDomain = substring(Computer,indexof(Computer,'.')+1)
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: Account
fieldMappings:
@ -40,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.1
version: 1.0.2
kind: Scheduled


@ -20,10 +20,11 @@ relevantTechniques:
- T1546.009
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" *
| where TargetObject has ("\\Control\\Session Manager\\AppCertDLLs\\")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: RegistryKey
fieldMappings:
@ -31,7 +32,9 @@ entityMappings:
columnName: TargetObject
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
version: 1.0.0
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 1.0.1
kind: Scheduled
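Review bot: This rule only consumes Sysmon EventID 13, and Sysmon does not emit registry events unless a configuration enables RegistryEvent rules that cover this key, yet nothing in the rule records that prerequisite. Suggest a sentence in the description (outside this hunk) such as: `Requires a Sysmon configuration whose RegistryEvent (EventID 13) rules include HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDLLs; without it the rule never fires.` As a style point, this rule names its aggregates `StartTimeUtc`/`EndTimeUtc` while the sibling rules touched in the same commit use `StartTime`/`EndTime`; settling on one convention keeps the entity time fields consistent across the solution.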


@ -20,10 +20,11 @@ relevantTechniques:
- T1546.010
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" *
| where TargetObject has "\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: RegistryKey
fieldMappings:
@ -31,7 +32,9 @@ entityMappings:
columnName: TargetObject
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
version: 1.0.0
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 1.0.1
kind: Scheduled
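Review bot: The `has` filter on TargetObject matches only the `AppInit_DLLs` value itself; because `has` compares whole terms, writes to the neighbouring switches that actually govern the technique — `LoadAppInit_DLLs` (enables loading) and `RequireSignedAppInit_DLLs` (relaxes the signing requirement) — do not appear to match, so an attacker who flips those first is only seen when the DLL path is finally written. Consider `| where TargetObject has "\\Windows NT\\CurrentVersion\\Windows\\" and TargetObject has_any ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")`. Installer writes to LoadAppInit_DLLs may add noise, which is worth a tuning note in the description. As with the AppCertDLLs rule, this only fires if the deployed Sysmon configuration's RegistryEvent rules cover this key, and that prerequisite should be documented.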


@ -39,7 +39,7 @@ query: |
)
)
| extend Name=tostring(split(Account, "@")[0]), UPNSuffix=tostring(split(Account, "@")[1])
| extend HostName = substring(Computer,0,indexof(Computer,'.')), DnsDomain = substring(Computer,indexof(Computer,'.')+1)
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: Account
fieldMappings:
@ -53,5 +53,5 @@ entityMappings:
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 1.1.3
version: 1.1.4
kind: Scheduled


@ -19,10 +19,11 @@ relevantTechniques:
- T1003
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" *
| where TargetObject=="HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
| where TargetObject=~"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: RegistryKey
fieldMappings:
@ -30,7 +31,9 @@ entityMappings:
columnName: TargetObject
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
version: 1.0.0
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 1.0.1
kind: Scheduled
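Review bot: The key comparison on the new `where` line is an exact (now case-insensitive) match on the `HKLM\System\CurrentControlSet\...` spelling, so a write made through the `ControlSet001` alias of the same key would not match if Sysmon records the path as written; `| where TargetObject endswith "\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !~ "DWORD (0x00000000)"` keeps the intent while tolerating the hive alias. The Details test was left as case-sensitive `!=` while the key side moved to `=~`; `!~` makes the two halves consistent. Worth stating in the description that EventID 13 only captures value writes, so the rule sees UseLogonCredential being set to any non-zero value but not the value being deleted.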


@ -20,11 +20,12 @@ relevantTechniques:
query: |
let procList = externaldata(Process:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv"] with (format="csv", ignoreFirstRecord=True);
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==1
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==1
| parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
| where OriginalFileName has_any (procList) and not (Image has_any (procList))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
entityMappings:
- entityType: Process
fieldMappings:
@ -32,11 +33,13 @@ entityMappings:
columnName: CommandLine
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: Account
fieldMappings:
- identifier: FullName
- identifier: Name
columnName: User
version: 1.0.0
version: 1.0.1
kind: Scheduled
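Review bot: The rule's binary list is fetched at query time from `raw.githubusercontent.com/.../master/...csv` via `externaldata`, so what this detection fires on depends on an unpinned file on a third-party host: a change to that CSV silently changes the rule, and an outage or an egress block makes the whole query fail rather than degrade. Pin the URL to a commit SHA, or move the list into a workspace-controlled watchlist and read it with `_GetWatchlist('LolbasExecutionBinaries') | project Process`. The Account mapping also feeds `identifier: Name` with Sysmon's `User` in `DOMAIN\user` form; splitting it into NTDomain and Name would improve entity matching. Finally, OriginalFileName is a PE version-resource string that an attacker can strip or rewrite, so the rule only catches renamed-but-unmodified binaries — that limitation belongs in the description.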