Merge pull request #1881 from Azure/pebryan/2021-3-5_HAFNIUM2

MTPQueries&IOCPlaceholder
2021-03-05 15:50:58 -08:00 · 2021-03-05 15:50:58 -08:00 · 90dd26f479
--- a/Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
+++ b/Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
@ -0,0 +1,32 @@
+id: 87c1f90a-f868-4528-a9c1-15520249cae6
+name: Nishang Reverse TCP Shell in Base64
+description: |
+  'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
+  Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1011
+query: |
+  SecurityEvent
+  | where EventID == 4688
+  | where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e" 
+  | mvexpand SS = split(CommandLine, " ") 
+  | where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}" 
+  | extend DecodeString = base64_decodestring(tostring(SS)) 
+  | extend FinalString = replace("\\0", "", DecodeString) 
+  | where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex") 
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
--- a/Queries/SecurityEvent/PowerCatDownload.yaml
+++ b/Queries/SecurityEvent/PowerCatDownload.yaml
@ -14,7 +14,7 @@ query: |
  SecurityEvent
  | where EventID == 4688
  | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
-  | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"
+  | where CommandLine hassuffix "powercat.ps1"
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
 entityMappings:
  - entityType: Account
--- a/Queries/SecurityEvent/ProcdumpofLsass.yaml
+++ b/Queries/SecurityEvent/ProcdumpofLsass.yaml
@ -0,0 +1,25 @@
+id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
+name: Procdump of LSASS memory
+description: |
+  'Look for evidence of Procdump being used to dump LSASS process. Often used by attackers to access credentials stored on a system.'
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1003
+query: |
+  SecurityEvent 
+  | where (Process has_any ("procdump.exe", "procdump64.exe") and CommandLine has "lsass")
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
--- a/Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilities-March2021.csv
+++ b/Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilities-March2021.csv
@ -0,0 +1 @@
+DateAdded,IoC,Type,TLP,Release