Update InsecureProtocols.json
Updated LegacyAuth Queries
This commit is contained in:
Brian Delaney
GitHub
Родитель
2373d2c907
Коммит
8a981480d2
|
|
@ -219,7 +219,7 @@
|
|||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft <br>\r\n\t\r\n\tVersion v1.8\r\n\tAdded Vulnerable Netlogon Secure Channel\r\n\tAdded Legacy Authentication to Summary\r\n\tFixed reporting of Weak Kerberos Cipher in summary\r\n\t\r\n\t\r\n\tVersion v1.7\r\n\tAdded Tabs\r\n\tFixed a bug\r\n\tAdded Timebrushing and Groupings\r\n\tAdded Help sections",
|
||||
"json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft <br>\r\n\t\r\n\tVersion v1.9\r\n\tUpdated AAD Legacy Auth (Exchange ActiveSync)\r\n\r\n\tVersion v1.8\r\n\tAdded Vulnerable Netlogon Secure Channel\r\n\tAdded Legacy Authentication to Summary\r\n\tFixed reporting of Weak Kerberos Cipher in summary\r\n\t\r\n\t\r\n\tVersion v1.7\r\n\tAdded Tabs\r\n\tFixed a bug\r\n\tAdded Timebrushing and Groupings\r\n\tAdded Help sections",
|
||||
"style": "info"
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
|
|
@ -255,7 +255,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
|
||||
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
|
||||
"size": 0,
|
||||
"title": "Summary of Insecure Protocols: {TimeRange:label}",
|
||||
"timeContext": {
|
||||
|
|
@ -298,7 +298,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count, TimeGenerated\r\n| union legacyAuth\r\n| where Protocol =~ \"{SelectedProtocol}\" or \"{SelectedProtocol}\" =~ \"All\"\r\n| sort by Count desc\r\n",
|
||||
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count, TimeGenerated\r\n| union legacyAuth\r\n| where Protocol =~ \"{SelectedProtocol}\" or \"{SelectedProtocol}\" =~ \"All\"\r\n| sort by Count desc\r\n",
|
||||
"size": 0,
|
||||
"title": "Summary of Insecure Protocols: {TimeRange:label}",
|
||||
"timeContext": {
|
||||
|
|
@ -338,7 +338,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| summarize FirstOccurance=min(FirstOccurance), LastOccurance=max(LastOccurance), Count=sum(Count) by Protocol\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
|
||||
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| summarize FirstOccurance=min(FirstOccurance), LastOccurance=max(LastOccurance), Count=sum(Count) by Protocol\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
|
||||
"size": 1,
|
||||
"title": "Summary of Insecure Protobols found in: {TimeRange:label}",
|
||||
"timeContext": {
|
||||
|
|
@ -2161,7 +2161,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed //doughnut\r\n| order by Count desc",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed //doughnut\r\n| order by Count desc",
|
||||
"size": 0,
|
||||
"title": "Legacy authentications, by account",
|
||||
"timeContext": {
|
||||
|
|
@ -2205,7 +2205,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize Count=count() by IPAddress,ClientAppUsed //doughnut\r\n| order by Count desc",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress,ClientAppUsed //doughnut\r\n| order by Count desc",
|
||||
"size": 0,
|
||||
"title": "Legacy authentications, by IP address",
|
||||
"timeContext": {
|
||||
|
|
@ -2245,7 +2245,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
|
||||
"size": 1,
|
||||
"title": "Account events over time - select timebrush",
|
||||
"timeContext": {
|
||||
|
|
@ -2319,7 +2319,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize Count=count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by Count\r\n",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by Count\r\n",
|
||||
"size": 1,
|
||||
"title": "Account events over time ({AADTimebrushAccount:label})",
|
||||
"timeContext": {
|
||||
|
|
@ -2361,7 +2361,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
|
||||
"size": 1,
|
||||
"title": "IPAddresses over time - select timebrush",
|
||||
"timeContext": {
|
||||
|
|
@ -2435,7 +2435,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize Count=count() by IPAddress\r\n| order by Count\r\n",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress\r\n| order by Count\r\n",
|
||||
"size": 1,
|
||||
"title": "IP events over time ({AADTimebrushIPAddress:label})",
|
||||
"timeContext": {
|
||||
|
|
@ -2483,7 +2483,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize count() by ClientAppUsed, UserPrincipalName //bar",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by ClientAppUsed, UserPrincipalName //bar",
|
||||
"size": 0,
|
||||
"title": "Legacy authentications, by authentication type",
|
||||
"timeContext": {
|
||||
|
|
@ -2555,7 +2555,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| summarize count() by tostring(CountryOrRegion=LocationDetails.countryOrRegion), ClientAppUsed //bar\r\n| order by count_\r\n",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by tostring(CountryOrRegion=LocationDetails.countryOrRegion), ClientAppUsed //bar\r\n| order by count_\r\n",
|
||||
"size": 0,
|
||||
"title": "Legacy authentications, by country/region",
|
||||
"timeContext": {
|
||||
|
|
@ -2628,7 +2628,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\" and ClientAppUsed !contains \"Exchange ActiveSync\"\r\n| extend mergeCountry = toupper(LocationDetails.countryOrRegion)\r\n| summarize IPaddress = make_set(IPAddress), Count=count() by UserPrincipalName, ClientAppUsed, tostring(CountryOrRegion=mergeCountry) //table\r\n| order by Count desc",
|
||||
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| extend mergeCountry = toupper(LocationDetails.countryOrRegion)\r\n| summarize IPaddress = make_set(IPAddress), Count=count() by UserPrincipalName, ClientAppUsed, tostring(CountryOrRegion=mergeCountry) //table\r\n| order by Count desc",
|
||||
"size": 0,
|
||||
"title": "Legacy authentications details",
|
||||
"timeContext": {
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче