converting more process content

2021-06-09 18:13:53 +03:00 · 2021-06-09 18:13:53 +03:00 · 3db7a350ff
--- a/Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml
+++ b/Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml
@ -0,0 +1,43 @@
+id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
+name: Host Exporting Mailbox and Removing Export (Normalized Process)
+description: |
+  'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
+  that same host removing the export within a short time window. This pattern has been observed by attackers 
+  when exfiltrating emails from a target environment. A Mailbox export is unlikely to be a common command run so look for
+  activity from unexpected hosts and accounts.
+  Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'
+requiredDataConnectors: []
+tactics:
+  - Collection
+relevantTechniques:
+  - T1114
+tags:
+  - Solorigate
+  - NOBELIUM
+query: |
+
+      // Adjust the timeframe to change the window events need to occur within to alert
+      let timeframe = 1h;
+      imProcess
+      | where TargetProcessFileName in~ ("powershell.exe", "cmd.exe")
+      | where TargetProcessCommandLine contains 'New-MailboxExportRequest'
+      | summarize by DvcHostName, timekey = bin(TimeGenerated, timeframe), TargetProcessCommandLine, ActorUserName
+      | join kind=inner (imProcess
+      | where EventID == 4688
+      | where TargetProcessFileName in~ ("powershell.exe", "cmd.exe")
+      | where TargetProcessCommandLine contains 'Remove-MailboxExportRequest'
+      | summarize by DvcHostName, timekey = bin(TimeGenerated, timeframe), TargetProcessCommandLine, ActorUserName) on DvcHostName, timekey, ActorUserName
+      | extend commands = TargetProcessCommandLine
+      | summarize by timekey, DvcHostName, tostring(commands), ActorUserName
+      | project-reorder timekey, DvcHostName, ActorUserName, ['commands']
+      | extend HostCustomEntity = DvcHostName, AccountCustomEntity = ActorUserName
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
--- a/Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml
+++ b/Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml
@ -0,0 +1,30 @@
+id: 87c1f90a-f868-4528-a9c1-15520249cae6
+name: Nishang Reverse TCP Shell in Base64 (Normalized Process)
+description: |
+  'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
+  Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
+requiredDataConnectors: []
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1011
+query: |
+  imProcess
+  | where TargetProcessFileName in("powershell.exe","powershell_ise.exe") and TargetProcessCommandLine contains "-e" 
+  | mvexpand SS = split(TargetProcessCommandLine, " ") 
+  | where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}" 
+  | extend DecodeString = base64_decode_tostring(tostring(SS)) 
+  | extend FinalString = replace("\\0", "", DecodeString) 
+  | where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex") 
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = DvcHostName
+
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity