Merge pull request #2192 from TestLeper/patch-1
Create AdFind_Usage.yaml
This commit is contained in:
Коммит
411c37514f
|
@ -0,0 +1,49 @@
|
|||
id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
|
||||
name: Probable AdFind Recon Tool Usage
|
||||
description: |
|
||||
'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.'
|
||||
severity: High
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
dataTypes:
|
||||
- DeviceProcessEvents
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Discovery
|
||||
relevantTechniques:
|
||||
- T1018
|
||||
query: |
|
||||
|
||||
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
|
||||
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
|
||||
DeviceProcessEvents
|
||||
//looks for execution from a shell
|
||||
| where InitiatingProcessFileName in (parentProcesses)
|
||||
// main filter
|
||||
| where FileName =~ "AdFind.exe" or SHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
|
||||
// AdFind common Flags to check for from various threat actor TTPs
|
||||
or ProcessCommandLine has_any (args)
|
||||
| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = SHA256
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: HostCustomEntity
|
||||
- entityType: Process
|
||||
fieldMappings:
|
||||
- identifier: ProcessId
|
||||
columnName: ProcessCustomEntity
|
||||
- entityType: FileHash
|
||||
fieldMappings:
|
||||
- identifier: Algorithm
|
||||
columnName: SHA256
|
||||
- identifier: Value
|
||||
columnName: FileHashCustomEntity
|
Загрузка…
Ссылка в новой задаче