diff --git a/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml b/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml
index e756b7a8ab..fc2d714f1e 100644
--- a/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml
+++ b/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml
@@ -19,10 +19,10 @@ relevantTechniques:
 - T1021
 query: |
 // Look for command lines observed used by the threat actor
- let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat" ', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
+ let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
 imProcess
 // Look for static cmd lines and dynamic one using regex
- | where CommandLine has_any (cmd_lines) or CommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or CommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat" '
+ | where CommandLine has_any (cmd_lines) or CommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or CommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";'
 | summarize count(), FirstSeen=min(TimeGenerated), LastSeen = max(TimeGenerated) by DvcId, Dvc, CommandLine, AccountName, FilePath
 // Base risk score on number of command lines seen for each host
 | extend RiskScore = count_
diff --git a/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml b/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml
index f146c789fd..d268fa1e64 100644
--- a/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml
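Review bot: The third cmd_lines entry on the added `let` line still spells the path as `c:\\windows\temp\\ScriptModule.dll`; the single-backslash `\t` is, as far as I can see, a tab escape in a KQL string literal, so that indicator can never equal the on-disk path and should read `c:\\windows\\temp\\ScriptModule.dll` like its neighbours. The regex literal on the added `| where` line has a related problem: after KQL unescaping, `c:\\windows\\temp\\nt.dat` reaches the regex engine as `c:\windows\temp\nt.dat`, where `\t` and `\n` are again tab and newline, so the wmic/ntdsutil pattern appears unable to match a real command line; doubling the escaping (`c:\\\\windows\\\\temp\\\\nt.dat`) or switching to a verbatim literal (`@'...'`) and escaping once for the regex would fix it. The same two strings appear in the `@@ -24,7 +24,7 @@` hunk of Dev-0322CommandLineActivityNovember2021.yaml. The `query: |` block continues outside the hunk.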
+++ b/Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml
@@ -16,7 +16,7 @@ tactics:
 - LateralMovement
 - CommandAndControl
 relevantTechniques:
- - T1078
+ - T1078
 - T1219
 - T1021
 query: |
@@ -24,7 +24,7 @@ query: |
 let cmd_lines = dynamic(['regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
 DeviceProcessEvents
 // Look for static cmd lines and dynamic one using regex
- | where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat" ' or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat" '
+ | where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";' or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";'
 | summarize count(), FirstSeen=min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceId, DeviceName, ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid, SHA256
 // Base risk score on number of command lines seen for each host
 | extend RiskScore = count_
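Review bot: The rewritten `| where` predicate still lists `InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV"` twice and ends with a second copy of the `ProcessCommandLine matches regex 'cmd.exe /c "wmic ...'` alternative, so the wmic/ntdsutil pattern is never evaluated against InitiatingProcessCommandLine even though the other two indicators are. Drop the duplicated `save HKLM` clause and change the column of the final alternative to `InitiatingProcessCommandLine matches regex '...'`. Since the predicate is a single very long line, writing one `or` alternative per line would have made this slip visible in the diff. The `query: |` block continues outside the hunk.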