From 9732f2ea751d4765a5fc55a58d9b0131b5f12ff3 Mon Sep 17 00:00:00 2001
From: Yaron Fruchtmann
Date: Wed, 17 Feb 2021 17:38:01 +0200
Subject: [PATCH] Expansion based on MS WD App Con
---
 .../HostsAppConTriggered.yaml | 40 +++++++++++++++++++
 .../UsersTriggeringAppCon.yaml | 39 ++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 Exploration Queries/InputEntity_Account/HostsAppConTriggered.yaml
 create mode 100644 Exploration Queries/InputEntity_Host/UsersTriggeringAppCon.yaml
diff --git a/Exploration Queries/InputEntity_Account/HostsAppConTriggered.yaml b/Exploration Queries/InputEntity_Account/HostsAppConTriggered.yaml
new file mode 100644
index 0000000000..b07c20cb81
--- /dev/null
+++ b/Exploration Queries/InputEntity_Account/HostsAppConTriggered.yaml
@@ -0,0 +1,40 @@
+Id: 160c7513-f704-46b7-adf9-d9c4176a44a3
+DisplayName: Hosts Microsoft Defender Application Control
+Description: Locates Hosts where the Account triggered Microsoft Defender Application Control
+InputEntityType: Account
+InputFields:
+ - Name
+ UPNSuffix
+ - Sid
+OutputEntityTypes:
+ - Host
+QueryPeriodBefore: 12h
+QueryPeriodAfter: 12h
+DataSources:
+ - DeviceEvents
+Tactics:
+ - Persistence
+ - Execution
+
+query: |
+ let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){
+ let p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,'@',v_Account_UPNSuffix), "");
+ let AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)
+ ["AppControlAppInstallationAudited", "Application control detected the installation of an untrusted app.","Untrusted app installed"
+ ,"AppControlAppInstallationBlocked", "Application control blocked the installation of an untrusted app.", "Untrusted app installation blocked"
+ ,"AppControlCodeIntegrityDriverRevoked", "Application control found a driver with a revoked certificate.", "Driver with revoked certificate detected"
+ ,"AppControlCodeIntegrityImageRevoked", "Application control found an executable file with a revoked certificate.", "Executable with revoked certificate detected"
+ ,"AppControlExecutableAudited","Application control detected the use of an untrusted executable.","Untrusted executable used"
+ ,"AppControlExecutableClocked","Application control blocked the use of an untrusted executable.","Untrusted executable blocked"
+ ,"AppControlScriptAudited", "Application control detected the use of an untrusted script.", "Untrusted script detected"
+ ,"AppControlScriptBlocked", "Application control blocked the use of an untrusted script.", "Untrusted script blocked" ];
+ DeviceEvents
+ | where ActionType in (AppControls)
+ | where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn
+ or
+ isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid
+ | project Host_UnstucturedName = DeviceName
+ | summarize Host_Aux_AppConCount=count() by Host_UnstucturedName
+ | top 10 by Host_Aux_AppConCount desc nulls last
+ };
+ AppControlEvents('','','')
+
diff --git a/Exploration Queries/InputEntity_Host/UsersTriggeringAppCon.yaml b/Exploration Queries/InputEntity_Host/UsersTriggeringAppCon.yaml
new file mode 100644
index 0000000000..11697114b2
--- /dev/null
+++ b/Exploration Queries/InputEntity_Host/UsersTriggeringAppCon.yaml
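Review bot: The datatable row `"AppControlExecutableClocked"` misspells the Microsoft Defender for Endpoint DeviceEvents ActionType `AppControlExecutableBlocked`, so `| where ActionType in (AppControls)` never matches enforced executable blocks and a host whose only Application Control activity was such a block is absent from the result; the identical row is in the UsersTriggeringAppCon.yaml hunk. Change it to `,"AppControlExecutableBlocked","Application control blocked the use of an untrusted executable.","Untrusted executable blocked"`. The output column `Host_UnstucturedName` on the project and summarize lines looks like a typo for `Host_UnstructuredName`; because the exploration-query framework identifies output entities by column name, the Host entity may not be recognized, so confirm the spelling against the other Host-output queries in this folder. The Description and FriendlyActivityName columns of the datatable are never read, so a single-column datatable (or `| project ActionType` on it) would make the membership test unambiguous.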
@@ -0,0 +1,39 @@
+Id: b8de20fa-d96e-4fe0-84b3-8477ca29b04a
+DisplayName: Accounts triggering Microsoft Defender Application Control
+Description: Locates Accounts that triggered Microsoft Defender Application Control on the Host
+InputEntityType: Host
+InputFields:
+ - HostName
+ DnsDomain
+ - HostName
+ NTDomain
+OutputEntityTypes:
+ - Account
+QueryPeriodBefore: 12h
+QueryPeriodAfter: 12h
+DataSources:
+ - DeviceEvents
+Tactics:
+ - Persistence
+ - Execution
+
+query: |
+ let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){
+ let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,'.',v_Host_DnsDomain), strcat(v_Host_HostName,'.',v_Host_NTDomain));
+ let AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)
+ ["AppControlAppInstallationAudited", "Application control detected the installation of an untrusted app.","Untrusted app installed"
+ ,"AppControlAppInstallationBlocked", "Application control blocked the installation of an untrusted app.", "Untrusted app installation blocked"
+ ,"AppControlCodeIntegrityDriverRevoked", "Application control found a driver with a revoked certificate.", "Driver with revoked certificate detected"
+ ,"AppControlCodeIntegrityImageRevoked", "Application control found an executable file with a revoked certificate.", "Executable with revoked certificate detected"
+ ,"AppControlExecutableAudited","Application control detected the use of an untrusted executable.","Untrusted executable used"
+ ,"AppControlExecutableClocked","Application control blocked the use of an untrusted executable.","Untrusted executable blocked"
+ ,"AppControlScriptAudited", "Application control detected the use of an untrusted script.", "Untrusted script detected"
+ ,"AppControlScriptBlocked", "Application control blocked the use of an untrusted script.", "Untrusted script blocked" ];
+ DeviceEvents
+ | where ActionType in (AppControls)
+ | where DeviceName ==p_FullDeviceName
+ | parse InitiatingProcessAccountUpn with Account_Name '@' Account_UPNSuffix
+ | project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid
+ | summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, Account_Sid
+ | top 10 by Account_Aux_AppConCount desc nulls last
+ };
+ AppControlEvents('','','')
+
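Review bot: The host match `| where DeviceName ==p_FullDeviceName` is case-sensitive and always demands a domain suffix: when both v_Host_DnsDomain and v_Host_NTDomain are empty, p_FullDeviceName is `<hostname>.` (trailing dot), which never equals a DeviceName, so a bare-hostname or non-domain-joined input returns no accounts, and a DeviceName differing only in case is dropped as well, whereas the Account-side query in this commit uses `=~`. Suggest `let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,'.',v_Host_DnsDomain), iff(isnotempty(v_Host_NTDomain), strcat(v_Host_HostName,'.',v_Host_NTDomain), v_Host_HostName));` together with `| where isnotempty(v_Host_HostName) and DeviceName =~ p_FullDeviceName`; the `isnotempty` guard keeps the placeholder call `AppControlEvents('','','')` from comparing against an empty string once the suffix is optional. The `parse InitiatingProcessAccountUpn with Account_Name '@' Account_UPNSuffix` line leaves Account_Name empty for events whose UPN is empty (typically local or built-in accounts), so they collapse into a single empty-name bucket in the summarize; InitiatingProcessAccountName is available in DeviceEvents as a fallback if those should be reported individually.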