Updated queries as per suggestions from Shain.

This commit is contained in:
Ajeet Prakash (MSTIC) 2022-04-05 11:01:50 -07:00
Parent 65a66d758d
Commit 7683f1f965
3 files changed: 10 additions and 7 deletions

View file

@ -2,8 +2,8 @@ id: 3bd33158-3f0b-47e3-a50f-7c20a1b88038
name: AV detections related to SpringShell Vulnerability
description: |
'This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip,logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the alerts.
Refrence: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.
Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
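Review bot: the rewritten description on the added lines still says the "SecurityAlerts table" while the query in this same file selects from `SecurityAlert`; use the real table name so an analyst reading the description can find the data. Same lines: "Device group, ip, logged on users" should read "Device group, IP, logged-on users".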
@ -22,15 +22,18 @@ tags:
- SpringShell
- Spring4Shell
query: |
let SpringShell_threats = dynamic(["SpringShell"]);
let SpringShell_threats = dynamic(["Trojan:Python/SpringShellExpl", "Exploit:Python/SpringShell", "Backdoor:PHP/Remoteshell.V", "SpringShell"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join ( SecurityAlert
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in (SpringShell_threats)
| where ThreatName in (SpringShell_threats) or ThreatFamilyName in (SpringShell_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
entityMappings:
- entityType: Host
fieldMappings:
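Review bot: `tostring(LoggedOnUsers)` is listed twice in the `summarize ... by` clause on the last query line; drop the duplicate, since two output columns with the same name will not resolve cleanly. Two further points on the join that this hunk reworks: `DeviceInfo` carries one row per device per reporting interval, so joining it directly onto `SecurityAlert` multiplies each alert by the number of snapshots in the lookback window; reducing it to the latest row first, e.g. `DeviceInfo | summarize arg_max(TimeGenerated, *) by DeviceName` (after the `tolower` extend), avoids that rather than relying on the 1d bin to collapse duplicates. And `| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP` is dead code, because neither column appears in the `by` list of the summarize that follows; either carry them through or remove the extend. Minor: `in` is case-sensitive, so `in~` would be safer for the ThreatName/ThreatFamilyName comparison against the new `SpringShell_threats` list.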

View file

@ -5,7 +5,7 @@ description: |
The Spring Framework is one of the most widely used lightweight open-source framework for Java. To exploit the vulnerability attackers can
send a specially crafted query to a web server running the Spring Core framework to change the target of logging facility and create a new
malicious JSP file in a location accessible by http requests. Attackers then make requests to the malicious backdoor to run system commands.
Refrence: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
requiredDataConnectors:
- connectorId: WAF
dataTypes:
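Review bot: while touching this description, fix the grammar on the unchanged context lines above the Reference: "one of the most widely used lightweight open-source framework for Java" should be "frameworks", and "change the target of logging facility" should be "change the target of the logging facility".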

View file

@ -12,7 +12,7 @@ requiredDataConnectors:
tactics:
- Execution
relevantTechniques:
- T1059
- T1059.007
tags:
- CVE-2022-22965
- SpringShell
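Review bot: T1059.007 is Command and Scripting Interpreter: JavaScript, which does not describe what this rule covers (a JSP backdoor on the web server used to run system commands). If the goal is to narrow the generic T1059, the server-side shell sub-technique (T1059.004, Unix Shell) is the closer fit for the command execution, and the dropped backdoor itself is T1505.003 (Server Software Component: Web Shell); adding that would also mean adding Persistence under `tactics` so the techniques and tactics stay consistent.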