Solution package for Endpoint threat protection essentials

This commit is contained in:
v-sabiraj 2022-11-16 14:55:19 +05:30
Родитель 2b426901d3
Коммит 51dc96d453
4 изменённых файлов: 3356 добавлений и 0 удалений


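--- /dev/null
+++ b/<PATH-NOT-SHOWN: solution input JSON>
@@ -0,0 +1,38 @@
+{
+"Name": "Endpoint Threat Protection Essentials",
+"Author": "Microsoft - support@microsoft.com",
+"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+"Description": "The **Endpoint Threat Protection Essentials** solution provides content to monitor, detect and investigate threats related to windows machines. The solution looks for things like suspicious commandlines, PowerShell based attacks, LOLBins, registry manipulation, scheduled tasks etc. which are some of the most commonly used techniques by attackers when targeting endpoints. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) /n/n2. [ Microsoft 365 Defender](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender) \n\n3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)",
+"Hunting Queries": [
+"Hunting Queries/BackupDeletion.yaml",
+"Hunting Queries/Certutil-LOLBins.yaml",
+"Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml",
+"Hunting Queries/PersistViaIFEORegistryKey.yaml",
+"Hunting Queries/PotentialMicrosoftSecurityServicesTampering.yaml",
+"Hunting Queries/RemoteLoginPerformedwithWMI.yaml",
+"Hunting Queries/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml",
+"Hunting Queries/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml",
+"Hunting Queries/SignedBinaryProxyExecutionRundll32.yaml",
+"Hunting Queries/UnicodeObfuscationInCommandLine.yaml"
+],
+"Analytic Rules": [
+"Analytic Rules/base64_encoded_pefile.yaml",
+"Analytic Rules/DumpingLSASSProcessIntoaFile.yaml",
+"Analytic Rules/execute_base64_decodedpayload.yaml",
+"Analytic Rules/LateralMovementViaDCOM.yaml",
+"Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml",
+"Analytic Rules/malware_in_recyclebin.yaml",
+"Analytic Rules/PotentialRemoteDesktopTunneling.yaml",
+"Analytic Rules/RegistryPersistenceViaAppCertDLLModification.yaml",
+"Analytic Rules/RegistryPersistenceViaAppInt_DLLsModification.yaml",
+"Analytic Rules/SecurityEventLogCleared.yaml",
+"Analytic Rules/WDigestDowngradeAttack.yaml",
+"Analytic Rules/WindowsBinariesExecutedfromNon-DefaultDirectory.yaml",
+"Analytic Rules/WindowsBinariesLolbinsRenamed.yaml"
+],
+"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Endpoint Threat Protection Essentials",
+"Version": "2.0.0",
+"Metadata": "SolutionMetadata.json",
+"TemplateSpec": true,
+"Is1PConnector": true
+}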
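Review bot: The `"Description"` value carries a literal `/n/n` before item 2 of the pre-requisites list (` /n/n2. [ Microsoft 365 Defender]`), whereas the other list separators are `\n\n` escapes; the marketplace text will show the slash sequence verbatim instead of a line break. Change it to `\n\n2. [Microsoft 365 Defender]`, which also drops the stray space inside the link text. The same string is repeated in the createUiDefinition `basics.description` in the next file section, which looks generated from this input, so correcting it here and regenerating covers both. Separately, `"Is1PConnector": true` sits next to a description stating that the solution ships no data connectors; if the packager uses that flag to emit connector-related resources, it is worth confirming the value is intended for a domain solution.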


@ -0,0 +1,435 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Endpoint Threat Protection Essentials** solution provides content to monitor, detect and investigate threats related to windows machines. The solution looks for things like suspicious commandlines, PowerShell based attacks, LOLBins, registry manipulation, scheduled tasks etc. which are some of the most commonly used techniques by attackers when targeting endpoints. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) /n/n2. [ Microsoft 365 Defender](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender) \n\n3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n**Analytic Rules:** 13, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Base64 encoded Windows process command-lines",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Dumping LSASS Process Into a File",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. \nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\nRef: https://attack.mitre.org/techniques/T1003/001/"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Process executed from binary hidden in Base64 encoded file",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Encoding malicious software is a technique used to obfuscate files from detection. \nThe first CommandLine component is looking for Python decoding base64. \nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe third one is looking for Ruby decoding base64."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Lateral Movement via DCOM",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Detecting Macro Invoking ShellBrowserWindow COM Objects",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html"
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Malware in the recycle bin",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \n The list of these binaries are sourced from https://lolbas-project.github.io/\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Potential Remote Desktop Tunneling",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling"
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Registry Persistence via AppCert DLL Modification",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\nRef: https://attack.mitre.org/techniques/T1546/009/"
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Registry Persistence via AppInit DLLs Modification",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\nRef: https://attack.mitre.org/techniques/T1546/010/"
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Security Event log cleared",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks for event id 1102 which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance."
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "WDigest downgrade attack",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753"
}
}
]
},
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "Windows Binaries Executed from Non-Default Directory",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\Windows\\, C:\\Windows\\System32 etc.). \nRef: https://lolbas-project.github.io/"
}
}
]
},
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
"label": "Windows Binaries Lolbins Renamed",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Backup Deletion",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query will help detect attempts to delete backup. Though such an activity could be legitimate as part of regular business operations, often ransomwares also perform such actions so that once the files are encrypted by them, backups cannot be used to restore encrypted files and thus cause interruption to regular business services. It depends on the MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector and SecurityAlert (MDATP) DeviceProcessEvents SecurityEvent WindowsEvent data type and MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Certutil (LOLBins and LOLScripts)",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection uses Sysmon telemetry to hunt Certutil activities It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Execution of File with One Character in the Name",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects execution of files with one character in the name (e.g, a.exe, 7.ps1, g.vbs etc.). \nNormally files that are executed have more characters in the name and this can indicate a malicious file.\nRef: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Persisting Via IFEO Registry Key",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time. It depends on the SecurityEvents WindowsSecurityEvents WindowsForwardedEvents data connector and SecurityEvent SecurityEvents WindowsEvent data type and SecurityEvents WindowsSecurityEvents WindowsForwardedEvents parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Potential Microsoft security services tampering",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies potential tampering related to Microsoft security related products and services. It depends on the SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector and SecurityEvent DeviceProcessEvents SecurityEvents WindowsEvent data type and SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "Remote Login Performed with WMI",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "It detects authentication attempts performed with WMI. Adversaries may abuse WMI to execute malicious commands and payloads.\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "Remote Scheduled Task Creation or Update using ATSVC Named Pipe",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects a scheduled task, created/updated remotely, using the ATSVC name pipe. \nThreat actors are using scheduled tasks for establishing persistence and moving laterally through the network.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "Scheduled Task Creation or Update from User Writable Directory",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths.\nRef: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "Rundll32 (LOLBins and LOLScripts)",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities It depends on the SecurityEvents data connector and SecurityEvent data type and SecurityEvents parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "Unicode Obfuscation in Command Line",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections.\nCommand lines should be reviewed to determine whether inclusion of non ASCII characters was deliberate or not.\nRef: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation It depends on the SecurityEvents MicrosoftThreatProtection data connector and SecurityEvents DeviceProcessEvents data type and SecurityEvents MicrosoftThreatProtection parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
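Review bot: The `huntingquery6-text` block ("Remote Login Performed with WMI") cites `https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling`, the same reference `analytic7-text` uses for RDP tunneling; the URL does not match the WMI topic and looks copied from that rule. These texts appear to be generated from the hunting-query YAML descriptions, so the reference should be corrected at the source and the file regenerated rather than patched here. The `resourceProviders` list under `config.basics.subscription` registers `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows` although the solution input lists only analytic rules and hunting queries; if that is packager boilerplate it is harmless, otherwise trimming it to the providers actually deployed is the least-privilege choice. Smaller text issues in the same section: `characaters` in `huntingquery10-text`, and `huntingquery2-text` / `huntingquery9-text` say the detection "uses Sysmon telemetry" while the generated dependency sentence names only the SecurityEvents connector and SecurityEvent table, which a reader may find contradictory.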



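--- /dev/null
+++ b/<PATH-NOT-SHOWN: SolutionMetadata.json>
@@ -0,0 +1,15 @@
+{
+"publisherId": "azuresentinel",
+"offerId": "azure-sentinel-solution-endpointthreat",
+"firstPublishDate": "2022-11-16",
+"providers": ["Microsoft"],
+"categories": {
+"domains" : ["Security - Threat Protection"]
+},
+"support": {
+"name": "Microsoft Corporation",
+"email": "support@microsoft.com",
+"tier": "Microsoft",
+"link": "https://support.microsoft.com"
+}
+}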
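Review bot: `"domains" : [...]` has a space before the colon while every other key in this file is written `"key": value`; use `"domains": ["Security - Threat Protection"]` so the file formats consistently under the usual JSON pretty-printers. The rest of the file is strict JSON with the expected fields, so this is a style point only.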