Updating the query
This commit is contained in:
Родитель
c5dbae756c
Коммит
93e5695871
|
@ -19,10 +19,10 @@ relevantTechniques:
|
|||
- T1021
|
||||
query: |
|
||||
// Look for command lines observed used by the threat actor
|
||||
let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat"
', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
|
||||
let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
|
||||
imProcess
|
||||
// Look for static cmd lines and dynamic one using regex
|
||||
| where CommandLine has_any (cmd_lines) or CommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or CommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat"
'
|
||||
| where CommandLine has_any (cmd_lines) or CommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or CommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";'
|
||||
| summarize count(), FirstSeen=min(TimeGenerated), LastSeen = max(TimeGenerated) by DvcId, Dvc, CommandLine, AccountName, FilePath
|
||||
// Base risk score on number of command lines seen for each host
|
||||
| extend RiskScore = count_
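Review bot: The third `cmd_lines` entry on the new line still contains `c:\\windows\temp\\ScriptModule.dll`, where the single backslash before `temp` is a KQL string escape (`\t` becomes a tab), so the literal compared by `has_any` reads `c:\windows<TAB>emp\ScriptModule.dll` and can never match an observed command line; it should be `c:\\windows\\temp\\ScriptModule.dll`. The same entry appears unchanged in the second hunk (context line of `@ -24,7 +24,7 @@`). Separately, in the `matches regex` literal, `\\"activate` yields the regex `\"activate`, which matches a bare `"` rather than the backslash-quote pair that the `has_any` entry (`\\"activate` → `\"activate` as plain text) is looking for; if the observed command line carries the escaped quote, the regex presumably needs `\\\\"activate` — worth confirming against a real event before relying on the regex branch.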
|
||||
|
|
|
@ -24,7 +24,7 @@ query: |
|
|||
let cmd_lines = dynamic(['regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
|
||||
DeviceProcessEvents
|
||||
// Look for static cmd lines and dynamic one using regex
|
||||
| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat"
' or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat"
'
|
||||
| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";' or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or InitiatingProcessCommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or ProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";'
|
||||
| summarize count(), FirstSeen=min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceId, DeviceName, ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid, SHA256
|
||||
// Base risk score on number of command lines seen for each host
|
||||
| extend RiskScore = count_
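Review bot: The final clause of the `where` on the new line repeats `ProcessCommandLine matches regex 'cmd.exe /c "wmic ...'` (already the third clause), and the `InitiatingProcessCommandLine matches regex "save HKLM..."` clause is listed twice, so the wmic/ntdsutil pattern is never evaluated against `InitiatingProcessCommandLine` even though every other pattern is checked on both columns — this looks like a copy-paste slip rather than intent. Drop the duplicate HKLM clause and change the last clause to `or InitiatingProcessCommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";'`. The `.` characters in `cmd.exe` and `nt.dat` are also unescaped regex wildcards; harmless for detection recall but `cmd\\.exe` / `nt\\.dat` would make the pattern exact.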
|
||||
|
|