From 76319e27fa4bb530e2ecc8d428055a84043ddc3d Mon Sep 17 00:00:00 2001
From: "Shain Wray (MSTIC)"
Date: Mon, 15 Mar 2021 09:54:45 -0700
Subject: [PATCH] Removing dupes

---
 .../HAFNIUMSuspiciousIMServiceError.yaml | 28 ------------
 .../HAFNIUMSuspiciousRequestPattern.yaml | 44 -------------------
 2 files changed, 72 deletions(-)
 delete mode 100644 Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml
 delete mode 100644 Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yaml

diff --git a/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml b/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml
deleted file mode 100644
index 9100b53370..0000000000
--- a/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
-name: HAFNIUM Suspicious UM Service Error
-description: |
- 'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service.
- Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
-severity: Low
-requiredDataConnectors: []
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1190
-query: |
- Event
- | where EventLog =~ "Application"
- | where Source startswith "MSExchange"
- | where EventLevelName =~ "error"
- | where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service"
- | where RenderedDescription !contains "System.OutOfMemoryException"
- | extend timestamp = TimeGenerated, HostCustomEntity = Computer
-entityMappings:
- - entityType: Host
- fieldMappings:
- - identifier: FullName
- columnName: HostCustomEntity
diff --git a/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yaml b/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yaml
deleted file mode 100644
index f79fb59686..0000000000
--- a/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-id: 23005e87-2d3a-482b-b03d-edbebd1ae151
-name: HAFNIUM Suspicious Exchange Request
-description: |
- 'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.
- The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
- Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
-severity: Medium
-requiredDataConnectors:
- - connectorId: AzureMonitor(IIS)
- dataTypes:
- - W3CIISLog
-queryFrequency: 1d
-queryPeriod: 14d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1190
-query: |
- let exchange_servers = (
- W3CIISLog
- | where TimeGenerated > ago(14d)
- | where sSiteName =~ "Exchange Back End"
- | summarize by Computer);
- W3CIISLog
- | where TimeGenerated > ago(1d)
- | where Computer in (exchange_servers)
- | where csUriQuery startswith "t="
- | project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
- | extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
- - entityType: Host
- fieldMappings:
- - identifier: FullName
- columnName: HostCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity