Repackage Endpoint Threat Protection Essentials

This commit is contained in:
v-atulyadav 2023-03-16 16:29:04 +05:30
Родитель fa26ca8045
Коммит 45eafd75be
4 изменённых файлов: 134 добавлений и 114 удалений


@ -31,8 +31,8 @@
"Analytic Rules/WindowsBinariesLolbinsRenamed.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Endpoint Threat Protection Essentials",
"Version": "2.0.0",
"Version": "2.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"TemplateSpec": true,
"Is1PConnector": true
}

Двоичные данные
Solutions/Endpoint Threat Protection Essentials/Package/2.0.1.zip Normal file



@ -212,7 +212,7 @@
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks for event id 1102 which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance."
"text": "Checks for event id 1102 which indicates the security event log was cleared.\nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance."
}
}
]
@ -292,7 +292,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query will help detect attempts to delete backup. Though such an activity could be legitimate as part of regular business operations, often ransomwares also perform such actions so that once the files are encrypted by them, backups cannot be used to restore encrypted files and thus cause interruption to regular business services. It depends on the MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector and SecurityAlert (MDATP) DeviceProcessEvents SecurityEvent WindowsEvent data type and MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents parser."
"text": "This hunting query will help detect attempts to delete backup. Though such an activity could be legitimate as part of regular business operations, often ransomwares also perform such actions so that once the files are encrypted by them, backups cannot be used to restore encrypted files and thus cause interruption to regular business services. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityAlert (MDATP) DeviceProcessEvents SecurityEvent WindowsEvent Parser or Table)"
}
}
]
@ -306,7 +306,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection uses Sysmon telemetry to hunt Certutil activities It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
"text": "This detection uses Sysmon telemetry to hunt Certutil activities This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)"
}
}
]
@ -320,7 +320,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects execution of files with one character in the name (e.g, a.exe, 7.ps1, g.vbs etc.). \nNormally files that are executed have more characters in the name and this can indicate a malicious file.\nRef: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
"text": "This query detects execution of files with one character in the name (e.g, a.exe, 7.ps1, g.vbs etc.). \nNormally files that are executed have more characters in the name and this can indicate a malicious file.\nRef: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)"
}
}
]
@ -334,7 +334,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time. It depends on the SecurityEvents WindowsSecurityEvents WindowsForwardedEvents data connector and SecurityEvent SecurityEvents WindowsEvent data type and SecurityEvents WindowsSecurityEvents WindowsForwardedEvents parser."
"text": "This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time. This hunting query depends on SecurityEvents WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityEvent SecurityEvents WindowsEvent Parser or Table)"
}
}
]
@ -348,7 +348,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies potential tampering related to Microsoft security related products and services. It depends on the SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector and SecurityEvent DeviceProcessEvents SecurityEvents WindowsEvent data type and SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents parser."
"text": "Identifies potential tampering related to Microsoft security related products and services. This hunting query depends on SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityEvent DeviceProcessEvents SecurityEvents WindowsEvent Parser or Table)"
}
}
]
@ -362,7 +362,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "It detects authentication attempts performed with WMI. Adversaries may abuse WMI to execute malicious commands and payloads.\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
"text": "It detects authentication attempts performed with WMI. Adversaries may abuse WMI to execute malicious commands and payloads.\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)"
}
}
]
@ -376,7 +376,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects a scheduled task, created/updated remotely, using the ATSVC name pipe. \nThreat actors are using scheduled tasks for establishing persistence and moving laterally through the network.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
"text": "This query detects a scheduled task, created/updated remotely, using the ATSVC name pipe. \nThreat actors are using scheduled tasks for establishing persistence and moving laterally through the network.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)"
}
}
]
@ -390,7 +390,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
"text": "This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)"
}
}
]
@ -404,7 +404,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
"text": "This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)"
}
}
]
@ -418,7 +418,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections.\nCommand lines should be reviewed to determine whether inclusion of non ASCII characters was deliberate or not.\nRef: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation It depends on the SecurityEvents MicrosoftThreatProtection data connector and SecurityEvents DeviceProcessEvents data type and SecurityEvents MicrosoftThreatProtection parser."
"text": "The query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections.\nCommand lines should be reviewed to determine whether inclusion of non ASCII characters was deliberate or not.\nRef: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation This hunting query depends on SecurityEvents MicrosoftThreatProtection data connector (SecurityEvents DeviceProcessEvents Parser or Table)"
}
}
]
@ -432,4 +432,4 @@
"workspace": "[basics('workspace')]"
}
}
}
}
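Review bot: The regenerated `text` strings in this section are what operators read in the content hub, and the new wording is harder to parse than what it replaces: every rewritten sentence runs connector and table names together with no separators and is glued to the preceding sentence without a period (`...hunt Certutil activities This hunting query depends on SecurityEvents data connector (SecurityEvent Parser or Table)`), and at `huntingquery4-text` and `huntingquery5-text` the data-type list reads `SecurityEvent SecurityEvents WindowsEvent`, where `SecurityEvents` appears to be the connector id rather than a table (the queries elsewhere in this commit read `SecurityEvent` and `WindowsEvent`). I would have those sentences read, for example, `This hunting query depends on the SecurityEvents, WindowsSecurityEvents and WindowsForwardedEvents data connectors (SecurityEvent or WindowsEvent table or parser).` and drop the stray `SecurityEvents` data type. The strings look tool-generated from the solution metadata, so the fix presumably belongs in the packaging generator and in the source YAML `requiredDataConnectors` rather than in this file by hand; worth confirming before editing the package output directly.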


@ -85,7 +85,7 @@
"_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]",
"huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]",
"huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]",
"analyticRuleVersion1": "1.1.1",
"analyticRuleVersion1": "1.1.2",
"analyticRulecontentId1": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
@ -110,7 +110,7 @@
"_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]",
"analyticRuleVersion6": "1.1.1",
"analyticRuleVersion6": "1.1.2",
"analyticRulecontentId6": "75bf9902-0789-47c1-a5d8-f57046aa72df",
"_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
@ -130,7 +130,7 @@
"_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]",
"analyticRuleVersion10": "1.1.1",
"analyticRuleVersion10": "1.1.2",
"analyticRulecontentId10": "80da0a8f-cfe1-4cd0-a895-8bc1771a720e",
"_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
@ -179,7 +179,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
],
"properties": {
"description": "BackupDeletion_HuntingQueries Hunting Query with template version 2.0.0",
"description": "BackupDeletion_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
@ -271,7 +271,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
],
"properties": {
"description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 2.0.0",
"description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
@ -363,7 +363,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
],
"properties": {
"description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 2.0.0",
"description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
@ -455,7 +455,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
],
"properties": {
"description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 2.0.0",
"description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion4')]",
@ -547,7 +547,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
],
"properties": {
"description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 2.0.0",
"description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion5')]",
@ -639,7 +639,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
],
"properties": {
"description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 2.0.0",
"description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@ -731,7 +731,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
],
"properties": {
"description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 2.0.0",
"description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@ -823,7 +823,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
],
"properties": {
"description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 2.0.0",
"description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@ -915,7 +915,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
],
"properties": {
"description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 2.0.0",
"description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion9')]",
@ -1007,7 +1007,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
],
"properties": {
"description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 2.0.0",
"description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion10')]",
@ -1023,7 +1023,7 @@
"eTag": "*",
"displayName": "Unicode Obfuscation in Command Line",
"category": "Hunting Queries",
"query": "let lolbins = dynamic([\"cmd.exe\", \"powershell.exe\", \"find.exe\", \"PowerShell_ISE.exe\", \"wmic.exe\", \"winrs.exe\", \"winrm.cmd\", \"whoami.exe\", \"wevtutil.exe\", \"vssadmin.exe\", \"vbc.exe\", \"tasklist.exe\", \"takeown.exe\", \"taskkill.exe\", \"systeminfo.exe\", \"schtasks.exe\", \"sc.exe\", \"route.exe\", \"robocopy.cmd\", \"regsrv32.exe\", \"ping.exe\", \"nslookup.exe\", \"netstat.exe\", \"netsh.exe\", \"net.exe\", \"msiexec.exe\", \"mpcmdrun.exe\", \"jsc.exe\", \"ipconfig.exe\", \"icals.exe\", \"forfiles.exe\", \"fltmc.exe\", \"findstr.exe\", \"curl.exe\", \"csc.exe\", \"cmstp.exe\", \"cmdkey.exe\", \"certutils.exe\", \"cacls.exe\", \"bitsadmin.exe\", \"at.exe\", \"arp.exe\"]);\n(union isfuzzy=true\n(SecurityEvent\n| where Process in~ (lolbins)\n| where isnotempty(CommandLine)\n| extend CommandLine = translate('–”“', '-\"\"', CommandLine)\n| extend ASCII = isascii(CommandLine)\n| where ASCII == false),\n(DeviceProcessEvents\n| where isnotempty(InitiatingProcessCommandLine)\n| extend CommandLine = translate('–”“', '-\"\"', InitiatingProcessCommandLine)\n| extend ASCII = isascii(CommandLine)\n| where ASCII == false\n| extend Account = AccountName, Computer = DeviceName),\n(imProcessCreate\n| where isnotempty(ActingProcessCommandLine)\n| extend CommandLine = translate('–”“', '-\"\"', ActingProcessCommandLine)\n| extend ASCII = isascii(CommandLine)\n| where ASCII == false\n| extend Account = ActorUsername, Computer = DvcHostname))\n| summarize Computers=make_set(Computer), Users=make_set(Account), NumberOfTimesRun = count(TimeGenerated), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine\n| extend NumberOfComputers = array_length(Computers), NumberOfUsers = array_length(Users)\n| project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfComputers, NumberOfTimesRun, Computers, Users\n| extend timestamp = FirstSeen\n",
"query": "let lolbins = dynamic([\"cmd.exe\", \"powershell.exe\", \"find.exe\", \"PowerShell_ISE.exe\", \"wmic.exe\", \"winrs.exe\", \"winrm.cmd\", \"whoami.exe\", \"wevtutil.exe\", \"vssadmin.exe\", \"vbc.exe\", \"tasklist.exe\", \"takeown.exe\", \"taskkill.exe\", \"systeminfo.exe\", \"schtasks.exe\", \"sc.exe\", \"route.exe\", \"robocopy.cmd\", \"regsrv32.exe\", \"ping.exe\", \"nslookup.exe\", \"netstat.exe\", \"netsh.exe\", \"net.exe\", \"msiexec.exe\", \"mpcmdrun.exe\", \"jsc.exe\", \"ipconfig.exe\", \"icals.exe\", \"forfiles.exe\", \"fltmc.exe\", \"findstr.exe\", \"curl.exe\", \"csc.exe\", \"cmstp.exe\", \"cmdkey.exe\", \"certutils.exe\", \"cacls.exe\", \"bitsadmin.exe\", \"at.exe\", \"arp.exe\"]);\n(union isfuzzy=true\n(SecurityEvent\n| where Process in~ (lolbins)\n| where isnotempty(CommandLine)\n| extend CommandLine = translate('–”“', '-\"\"', CommandLine)\n| extend ASCII = isascii(CommandLine)\n| where ASCII == false),\n(DeviceProcessEvents\n| where isnotempty(InitiatingProcessCommandLine)\n| extend CommandLine = translate('–”“', '-\"\"', InitiatingProcessCommandLine)\n| extend ASCII = isascii(CommandLine)\n| where ASCII == false\n| extend Account = AccountName, Computer = DeviceName),\n(imProcessCreate\n| where isnotempty(ActingProcessCommandLine)\n| extend CommandLine = translate('–”“', '-\"\"', ActingProcessCommandLine)\n| extend ASCII = isascii(CommandLine)\n| where ASCII == false\n| extend Account = ActorUsername, Computer = DvcHostname))\n| summarize Computers=make_set(Computer), Users=make_set(Account), NumberOfTimesRun = dcount(TimeGenerated), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine\n| extend NumberOfComputers = array_length(Computers), NumberOfUsers = array_length(Users)\n| project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfTimesRun, Computers, Users\n| extend timestamp = FirstSeen\n",
"version": 2,
"tags": [
{
@ -1099,7 +1099,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@ -1116,7 +1116,7 @@
"description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.",
"displayName": "Base64 encoded Windows process command-lines",
"enabled": false,
"query": "\n\nlet ProcessCreationEvents=() {\nlet processEvents=(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName\n),\n(WindowsEvent\n| where EventID==4688\n| where EventData has \"TVqQAAMAAAAEAAA\"\n| extend CommandLine = tostring(EventData.CommandLine)\n| where isnotempty(CommandLine)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName));\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
"query": "let ProcessCreationEvents=() {\nlet processEvents=(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName\n),\n(WindowsEvent\n| where EventID==4688\n| where EventData has \"TVqQAAMAAAAEAAA\"\n| extend CommandLine = tostring(EventData.CommandLine)\n| where isnotempty(CommandLine)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName));\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
@ -1127,34 +1127,39 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
]
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"Execution",
"DefenseEvasion"
],
"techniques": [
"T1059",
"T1027",
"T1140"
],
"entityMappings": [
{
"entityType": "Account",
@ -1235,7 +1240,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@ -1263,15 +1268,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1003"
],
"entityMappings": [
{
"entityType": "Host",
@ -1352,7 +1360,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
],
"properties": {
"description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@ -1380,34 +1388,39 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
]
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"Execution",
"DefenseEvasion"
],
"techniques": [
"T1059",
"T1027",
"T1140"
],
"entityMappings": [
{
"entityType": "Account",
@ -1488,7 +1501,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
],
"properties": {
"description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@ -1516,15 +1529,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"LateralMovement"
],
"techniques": [
"T1021"
],
"entityMappings": [
{
"entityType": "Process",
@ -1614,7 +1630,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
],
"properties": {
"description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@ -1642,15 +1658,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"LateralMovement"
],
"techniques": [
"T1021"
],
"entityMappings": [
{
"entityType": "Process",
@ -1740,7 +1759,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
],
"properties": {
"description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@ -1757,7 +1776,7 @@
"description": "The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \n The list of these binaries are sourced from https://lolbas-project.github.io/\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.",
"displayName": "Malware in the recycle bin",
"enabled": false,
"query": "let procList = externaldata(Process:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet ProcessCreationEvents=() {\nlet processEvents=(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName\n),\n(WindowsEvent\n| where EventID==4688 and EventData has_any (procList) and EventData has \":\\\\recycler\"\n| extend CommandLine = tostring(EventData.CommandLine)\n| where isnotempty(CommandLine)\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \n| extend NewProcessName = tostring(EventData.NewProcessName) \n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName\n));\nprocessEvents};\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine contains \":\\\\recycler\"\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
"query": "let procList = externaldata(Process:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet recycle_bin_paths = dynamic([@\":\\RECYCLER\", @\":\\$RECYCLE.BIN\"]);\nlet ProcessCreationEvents=() {\nlet processEvents=(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName\n),\n(WindowsEvent\n| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)\n| extend CommandLine = tostring(EventData.CommandLine)\n| where isnotempty(CommandLine)\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \n| extend NewProcessName = tostring(EventData.NewProcessName) \n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName\n));\nprocessEvents};\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine has_any (recycle_bin_paths)\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
@ -1768,28 +1787,28 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
]
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
@ -1875,7 +1894,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
],
"properties": {
"description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@ -1903,15 +1922,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1572"
],
"entityMappings": [
{
"entityType": "Account",
@ -2001,7 +2023,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
],
"properties": {
"description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@ -2029,15 +2051,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"entityMappings": [
{
"entityType": "RegistryKey",
@ -2118,7 +2143,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
],
"properties": {
"description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@ -2146,15 +2171,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"entityMappings": [
{
"entityType": "RegistryKey",
@ -2235,7 +2263,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
],
"properties": {
"description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@ -2249,10 +2277,10 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks for event id 1102 which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance.",
"description": "Checks for event id 1102 which indicates the security event log was cleared.\nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance.",
"displayName": "Security Event log cleared",
"enabled": false,
"query": "\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nWindowsEvent\n| where EventID == 1102 and Provider == \"Microsoft-Windows-Eventlog\" \n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| extend Activity= \"1102 - The audit log was cleared.\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n)\n)\n",
"query": "(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nWindowsEvent\n| where EventID == 1102 and Provider == \"Microsoft-Windows-Eventlog\"\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| extend Activity= \"1102 - The audit log was cleared.\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n)\n)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
@ -2263,27 +2291,30 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "WindowsSecurityEvents"
},
{
"connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
]
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1070"
],
"entityMappings": [
{
"entityType": "Account",
@ -2364,7 +2395,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName11'))]"
],
"properties": {
"description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion11')]",
@ -2392,15 +2423,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1003"
],
"entityMappings": [
{
"entityType": "RegistryKey",
@ -2481,7 +2515,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName12'))]"
],
"properties": {
"description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion12')]",
@ -2509,15 +2543,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"Execution"
],
"techniques": [
"T1059"
],
"entityMappings": [
{
"entityType": "Account",
@ -2607,7 +2644,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName13'))]"
],
"properties": {
"description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 2.0.0",
"description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion13')]",
@ -2635,15 +2672,18 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"Execution"
],
"techniques": [
"T1059"
],
"entityMappings": [
{
"entityType": "Process",
@ -2711,7 +2751,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"version": "2.0.1",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
@ -2848,26 +2888,6 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId13')]",
"version": "[variables('analyticRuleVersion13')]"
},
{
"criteria": [
{
"contentId": "azuresentinel.azure-sentinel-solution-securityevents",
"kind": "Solution",
"version": "2.0.1"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
"kind": "Solution",
"version": "2.0.0"
},
{
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents",
"kind": "Solution",
"version": "2.0.0"
}
],
"Operator": "OR"
}
]
},