Updating entity mapping for ASIM detections
Родитель
3141233390
Коммит
9d21081217
|
@ -40,17 +40,30 @@ query: |
|
|||
| extend
|
||||
IpAddresses = strcat_array(IpAddresses, ", "),
|
||||
ReportedBy = strcat_array(ReportedBy, ", ")
|
||||
| extend
|
||||
Name = iif(
|
||||
TargetUsername contains "@"
|
||||
, tostring(split(TargetUsername, '@', 0)[0])
|
||||
, TargetUsername
|
||||
),
|
||||
UPNSuffix = iif(
|
||||
TargetUsername contains "@"
|
||||
, tostring(split(TargetUsername, '@', 1)[0])
|
||||
, ""
|
||||
)
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- identifier: Name
|
||||
columnName: Name
|
||||
- identifier: UPNSuffix
|
||||
columnName: UPNSuffix
|
||||
|
||||
customDetails:
|
||||
IpAddresses: IpAddresses
|
||||
ReportedBy: ReportedBy
|
||||
version: 1.2.2
|
||||
version: 1.2.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -28,15 +28,13 @@ query: |
|
|||
, Users = make_set(TargetUserId,100)
|
||||
by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
|
||||
| where UserCount > FailureThreshold
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr
|
||||
|
||||
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.1.2
|
||||
columnName: SrcDvcIpAddr
|
||||
version: 1.1.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -42,14 +42,13 @@ query: |
|
|||
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet,
|
||||
successfulAccountSigninCount, successfulAccountSigninSet, Type
|
||||
| order by disabledAccountLoginAttempts
|
||||
| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr
|
||||
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.2
|
||||
columnName: SrcDvcIpAddr
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -57,17 +57,21 @@ query: |
|
|||
"moneropool.ru", "cryptonotepool.org.uk", "extremepool.org", "extremehash.com", "hashinvest.net", "unipool.pro", "crypto-pools.org", "monero.net",
|
||||
"backup-pool.com", "mooo.com", "freeyy.me", "cryptonight.net", "shscrypto.net"]);
|
||||
_Im_Dns(domain_has_any=minersDomains)
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.3.2
|
||||
columnName: SrcIpAddr
|
||||
version: 1.3.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
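Review bot: `columnName: HostCustomEntity` under the Host FullName identifier (L255) now points at a column nothing produces, because the `extend` that assigned `HostCustomEntity = Dvc` (L231) is removed in this hunk; at best the Host entity's FullName is empty at runtime, at worst rule validation rejects the mapping. Change it to `columnName: Dvc`, the source column the removed line used. The same orphaned `*CustomEntity` reference survives in the Tor-proxy file (L339), the Sunburst file (L571, L595), the AdFind file (L1299), the SolarWinds file (L1551, L1575), the base64-MZ file (L1690, L1714) and the recycler file (L1827, L1851), and likely in the rundll32 file (L1440, L1464) if its `extend` at L1413 is removed as in the others; each should point at the column the removed `extend` assigned from (`Dvc`, `User`, `ActorUsername`, `DvcHostname`) or the row should be dropped.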
|
|
|
@ -48,16 +48,20 @@ query: |
|
|||
"tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt",
|
||||
"s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net"]);
|
||||
_Im_Dns(domain_has_any=torProxies)
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
columnName: SrcIpAddr
|
||||
version: 1.3.2
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
|
|
|
@ -53,13 +53,12 @@ query: |
|
|||
| where count_ > threshold
|
||||
| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
|
||||
) on SrcIpAddr
|
||||
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.3.3
|
||||
columnName: SrcIpAddr
|
||||
version: 1.3.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -57,7 +57,7 @@ query: |
|
|||
| where DnsQuery !contains "/" and DnsQuery contains "."};
|
||||
nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())
|
||||
| extend sld = tostring(split(DnsQuery, ".")[-2])
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr
|
||||
| where dcount_sld > threshold
|
||||
// Filter out previously seen IPs
|
||||
| join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))
|
||||
|
@ -66,14 +66,13 @@ query: |
|
|||
| where dcount_sld > threshold ) on SrcIpAddr
|
||||
// Pull out sample NXDomain responses for those remaining potentially infected IPs
|
||||
| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr
|
||||
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld
|
||||
| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr
|
||||
| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.3.2
|
||||
columnName: SrcIpAddr
|
||||
version: 1.3.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -27,29 +27,29 @@ query: |
|
|||
let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
|
||||
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
|
||||
imFileEvent
|
||||
| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)
|
||||
| extend
|
||||
timestamp = TimeGenerated,
|
||||
AccountCustomEntity = User,
|
||||
HostCustomEntity = DvcHostname,
|
||||
FileHashCustomEntity = TargetFileMD5,
|
||||
AlgorithmCustomEntity = "MD5"
|
||||
| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
|
||||
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
|
||||
| extend AlgorithmType = "MD5"
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
- identifier: HostName
|
||||
columnName: DvcHostname
|
||||
- identifier: DnsDomain
|
||||
columnName: DvcDomain
|
||||
- entityType: FileHash
|
||||
fieldMappings:
|
||||
- identifier: Algorithm
|
||||
columnName: AlgorithmCustomEntity
|
||||
columnName: AlgorithmType
|
||||
- identifier: Value
|
||||
columnName: FileHashCustomEntity
|
||||
version: 1.0.5
|
||||
columnName: TargetFileMD5
|
||||
version: 1.0.6
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
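Review bot: `split(User, @'\')[1]` on L553 assumes a `DOMAIN\user` value; for a UPN or a bare account name the split yields a single element, so `AccountName` becomes empty and `AccountNTDomain` is set to the whole username, and the Account entity is created with the wrong NTDomain. Guard the extraction on the separator being present, e.g. `| extend AccountName = iif(User contains @'\', tostring(split(User, @'\')[1]), User), AccountNTDomain = iif(User contains @'\', tostring(split(User, @'\')[0]), "")`, which is the pattern the first hunk of this commit already uses for `@` (L23-L50). The same unguarded split is introduced on L739, L895, L1097, L1275, L1416, L1527, L1664, L1803 and L2229.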
|
|
|
@ -31,13 +31,15 @@ query: |
|
|||
| where TimeGenerated > ago(1d)
|
||||
| where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
|
||||
| where Process !in (known_processes)
|
||||
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname
|
||||
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname, DvcDomain
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: DvcHostname
|
||||
version: 1.0.3
|
||||
- identifier: DnsDomain
|
||||
columnName: DvcDomain
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -18,22 +18,27 @@ relevantTechniques:
|
|||
- T1036
|
||||
query: |
|
||||
imProcess
|
||||
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
|
||||
| where Process !endswith "sdelete.exe"
|
||||
| where CommandLine !has "sdelete"
|
||||
| where CommandLine has_all ("accepteula", "-s", "-r", "-q")
|
||||
| where Process !endswith "sdelete.exe"
|
||||
| where CommandLine !has "sdelete"
|
||||
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
- identifier: HostName
|
||||
columnName: DvcHostname
|
||||
- identifier: DnsDomain
|
||||
columnName: DvcDomain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: DvcIpAddr
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
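Review bot: The new Account entity (L745-L760) maps only Name and NTDomain, while the block that appears to be removed (L796-L805) carried `FullName: ActorUsername`; the sibling GPSvcGroup file keeps FullName alongside Name/NTDomain (L916-L931). Unless dropping FullName is intended, add `- identifier: FullName` / `columnName: ActorUsername` to the new block so the two sdelete rules map the actor the same way. The `where` lines L721-L736 show identical text on both sides, which reads as an indentation-only change; if so, the hunk could be confined to L739 and the mapping changes.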
|
|
|
@ -17,32 +17,42 @@ tags:
|
|||
-
|
||||
query: |
|
||||
imProcess
|
||||
| where EventType =~ "ProcessCreated"
|
||||
| where Process endswith "svchost.exe"
|
||||
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
|
||||
| extend timekey = bin(TimeGenerated, 1m)
|
||||
| project timekey, ActingProcessId, Dvc
|
||||
| join kind=inner (imProcess
|
||||
| where EventType =~ "ProcessCreated"
|
||||
| where Process endswith "svchost.exe"
|
||||
| where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc"
|
||||
| extend timekey = bin(TimeGenerated, 1m)
|
||||
| project timekey, ActingProcessId, Dvc
|
||||
| join kind=inner (
|
||||
imProcess
|
||||
| where EventType =~ "ProcessCreated"
|
||||
| where Process =~ "sdelete.exe" or CommandLine has "sdelete"
|
||||
| where ActingProcessName endswith "svchost.exe"
|
||||
| where CommandLine has_all ("-s", "-r")
|
||||
| extend timekey = bin(TimeGenerated, 1m)
|
||||
) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
|
||||
)
|
||||
on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc
|
||||
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: DvcIpAddr
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: Dvc
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
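Review bot: If the trailing `- entityType: Host` block with `FullName: Dvc` (L964-L973) survives on the new side — the rendered page does not show whether it was removed — the rule ends up with two Host entities for the same device, one carrying HostName/DnsDomain (L934-L949) and one carrying only FullName, which Sentinel surfaces as separate entities. Fold `- identifier: FullName` / `columnName: Dvc` into the first Host block and delete the second, mirroring how the Account block here keeps FullName, Name and NTDomain together (L916-L931).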
|
|
|
@ -17,14 +17,15 @@ relevantTechniques:
|
|||
- T1569
|
||||
- T1003
|
||||
query: |
|
||||
let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
|
||||
let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
|
||||
let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77", "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
|
||||
let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]);
|
||||
imProcessCreate
|
||||
| where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))
|
||||
// Increase risk score if recent alerts for the host
|
||||
| join kind=leftouter (SecurityAlert
|
||||
let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
|
||||
let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
|
||||
let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77", "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
|
||||
let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]);
|
||||
imProcessCreate
|
||||
| where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))
|
||||
// Increase risk score if recent alerts for the host
|
||||
| join kind=leftouter (
|
||||
SecurityAlert
|
||||
| where ProviderName =~ "MDATP"
|
||||
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
|
||||
| mv-expand todynamic(Entities)
|
||||
|
@ -32,23 +33,31 @@ query: |
|
|||
| where isnotempty(DvcId)
|
||||
// Higher risk score are for Defender alerts related to threat actor
|
||||
| extend AlertRiskScore = iif(ThreatName has_any ("Backdoor:MSIL/ShellClient.A", "Backdoor:MSIL/ShellClient.A!dll", "Trojan:MSIL/Mimikatz.BA!MTB"), 1.0, 0.5)
|
||||
| project DvcId, AlertRiskScore) on DvcId
|
||||
| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
|
||||
| project DvcId, AlertRiskScore)
|
||||
on DvcId
|
||||
| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
|
||||
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: HostCustomEntity
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: File
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: FileName
|
||||
version: 1.2.0
|
||||
version: 1.2.1
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -20,41 +20,47 @@ tags:
|
|||
SchemaVersion: 0.1.0
|
||||
|
||||
query: |
|
||||
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
|
||||
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
|
||||
imProcessCreate
|
||||
//looks for execution from a shell
|
||||
| where ActingProcessName has_any (parentProcesses)
|
||||
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
|
||||
| where ActingProcessFileName in~ (parentProcesses)
|
||||
// main filter
|
||||
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
|
||||
// AdFind common Flags to check for from various threat actor TTPs
|
||||
or CommandLine has_any (args)
|
||||
| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256
|
||||
|
||||
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
|
||||
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
|
||||
imProcessCreate
|
||||
//looks for execution from a shell
|
||||
| where ActingProcessName has_any (parentProcesses)
|
||||
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
|
||||
| where ActingProcessFileName in~ (parentProcesses)
|
||||
// main filter
|
||||
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
|
||||
// AdFind common Flags to check for from various threat actor TTPs
|
||||
or CommandLine has_any (args)
|
||||
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: HostCustomEntity
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: Process
|
||||
fieldMappings:
|
||||
- identifier: ProcessId
|
||||
columnName: ProcessCustomEntity
|
||||
columnName: ActingProcessName
|
||||
- identifier: CommandLine
|
||||
columnName: CommandLineCustomEntity
|
||||
columnName: CommandLine
|
||||
- entityType: FileHash
|
||||
fieldMappings:
|
||||
- identifier: Algorithm
|
||||
columnName: AlgorithmCustomEntity
|
||||
columnName: AlgorithmType
|
||||
- identifier: Value
|
||||
columnName: FileHashCustomEntity
|
||||
version: 1.1.3
|
||||
columnName: TargetProcessSHA256
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
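Review bot: `- identifier: ProcessId` is still paired with `columnName: ActingProcessName` (L1341-L1347): the identifier expects a process id, but the column rewritten here is the parent process's image name, so the Process entity is populated with a name in its id field. The ASIM schema exposes `ActingProcessId` for this (the GPSvcGroup file projects it on L844); use `columnName: ActingProcessId`, or if the intent is to surface the parent image rather than its id, drop the ProcessId row instead of misfiling the name.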
|
|
|
@ -26,17 +26,24 @@ query: |
|
|||
| where Process hassuffix 'rundll32.exe'
|
||||
| where CommandLine has_any ('Execute','RegRead','window.close')
|
||||
| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User
|
||||
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
version: 1.1.3
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -28,28 +28,30 @@ query: |
|
|||
imProcessCreate
|
||||
| where Process hassuffix 'solarwinds.businesslayerhost.exe'
|
||||
| where not(Process has_any (excludeProcs))
|
||||
| extend
|
||||
timestamp = TimeGenerated,
|
||||
AccountCustomEntity = ActorUsername,
|
||||
HostCustomEntity = User,
|
||||
AlgorithmCustomEntity = "MD5",
|
||||
FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented
|
||||
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
- entityType: FileHash
|
||||
fieldMappings:
|
||||
- identifier: Algorithm
|
||||
columnName: AlgorithmCustomEntity
|
||||
columnName: AlgorithmType
|
||||
- identifier: Value
|
||||
columnName: FileHashCustomEntity
|
||||
version: 1.1.3
|
||||
columnName: TargetFileMD5
|
||||
version: 1.1.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
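Review bot: `columnName: TargetFileMD5` (L1614) names a column this query does not have: the rule runs on `imProcessCreate` (L1500) and the hash it previously mapped through `FileHashCustomEntity` (L1524) was `TargetProcessMD5`, so the FileHash entity's Value will be empty. Change it to `columnName: TargetProcessMD5`, matching the way the AdFind file maps `TargetProcessSHA256` directly (L1383). The `// Change to *hash* once implemented` remark from L1524 disappears with the removed extend; if that intent still stands, carry it over as a comment next to the new mapping.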
|
|
|
@ -24,21 +24,28 @@ tags:
|
|||
|
||||
query: |
|
||||
imProcessCreate
|
||||
| where CommandLine contains "TVqQAAMAAAAEAAA"
|
||||
| where isnotempty(Process)
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc
|
||||
| where CommandLine contains "TVqQAAMAAAAEAAA"
|
||||
| where isnotempty(Process)
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
|
||||
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
version: 1.1.2
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.1.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -20,24 +20,31 @@ tags:
|
|||
SchemaVersion: 0.1.0
|
||||
|
||||
query: |
|
||||
let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
|
||||
imProcessCreate
|
||||
| where CommandLine has "recycler"
|
||||
| where Process has_any (procList)
|
||||
| extend FileName = tostring(split(Process, '\\')[-1])
|
||||
| where FileName in~ (procList)
|
||||
| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc
|
||||
let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
|
||||
imProcessCreate
|
||||
| where CommandLine has "recycler"
|
||||
| where Process has_any (procList)
|
||||
| extend FileName = tostring(split(Process, '\\')[-1])
|
||||
| where FileName in~ (procList)
|
||||
| project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
|
||||
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
|
||||
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: AccountCustomEntity
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: NTDomain
|
||||
columnName: AccountNTDomain
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: HostCustomEntity
|
||||
version: 1.2.3
|
||||
- identifier: HostName
|
||||
columnName: HostName
|
||||
- identifier: DnsDomain
|
||||
columnName: HostNameDomain
|
||||
version: 1.2.4
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
id: 01e8ffff-dc0c-43fe-aa22-d459c4204553
|
||||
name: Discord CDN Risky File Download (ASIM Web Session Schema)
|
||||
description: |
|
||||
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.
|
||||
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment.
|
||||
Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.
|
||||
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
@ -31,11 +32,14 @@ query: |
|
|||
| summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url
|
||||
| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url
|
||||
| where RequestURL has_any (".bin",".exe",".dll",".bin",".msi")
|
||||
| extend AccountName = tostring(split(SourceUser, "@")[0]), AccountUPNSuffix = tostring(split(SourceUser, "@")[1])
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: SourceUser
|
||||
- identifier: Name
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
|
@ -44,13 +48,13 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: RequestURL
|
||||
version: 1.1.2
|
||||
version: 1.1.3
|
||||
kind: Scheduled
|
||||
metadata:
|
||||
source:
|
||||
kind: Community
|
||||
author:
|
||||
name: Pete Bryan
|
||||
name: Microsoft Security Research
|
||||
support:
|
||||
tier: Community
|
||||
categories:
|
||||
|
|
|
@ -31,8 +31,8 @@ query: |
|
|||
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
|
||||
let fullUAList = array_concat(knownUserAgents,customUserAgents);
|
||||
_Im_WebSession(httpuseragent_has_any=fullUAList)
|
||||
| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
|
||||
|
||||
| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
|
||||
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
|
||||
entityMappings:
|
||||
- entityType: URL
|
||||
fieldMappings:
|
||||
|
@ -45,7 +45,9 @@ entityMappings:
|
|||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: SrcUsername
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: The host {{SrcIpAddr}} is potentially running a crypto miner
|
||||
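Review bot: Replacing `Name: SrcUsername` with `Name: AccountName` (L2063-L2072) leaves the Account entity with no full-value mapping: when `SrcUsername` is not a UPN (a `DOMAIN\user` or bare name, common in proxy logs) `AccountUPNSuffix` is empty and the entity carries only a Name, whereas the Discord file in this commit keeps `FullName: SourceUser` next to Name/UPNSuffix (L1939-L1954). Add `- identifier: FullName` / `columnName: SrcUsername` to this block and to the two sibling user-agent rules (L2120-L2138, L2188-L2206) so the three rules map the user consistently.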
|
|
|
@ -32,7 +32,8 @@ query: |
|
|||
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
|
||||
let fullUAList = array_concat(knownUserAgents,customUserAgents);
|
||||
_Im_WebSession(httpuseragent_has_any=fullUAList)
|
||||
| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
|
||||
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
|
||||
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
|
||||
entityMappings:
|
||||
- entityType: URL
|
||||
fieldMappings:
|
||||
|
@ -45,7 +46,9 @@ entityMappings:
|
|||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: SrcUsername
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running a hacking tool'
|
||||
|
|
|
@ -33,8 +33,8 @@ query: |
|
|||
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
|
||||
let fullUAList = array_concat(knownUserAgents,customUserAgents);
|
||||
_Im_WebSession(httpuseragent_has_any=fullUAList)
|
||||
| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
|
||||
|
||||
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
|
||||
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
|
||||
entityMappings:
|
||||
- entityType: URL
|
||||
fieldMappings:
|
||||
|
@ -47,7 +47,9 @@ entityMappings:
|
|||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: SrcUsername
|
||||
columnName: AccountName
|
||||
- identifier: UPNSuffix
|
||||
columnName: AccountUPNSuffix
|
||||
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running PowerShell'
|
||||
|
|
|
@ -108,6 +108,7 @@ query: |
|
|||
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
|
||||
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
|
||||
| extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])
|
||||
| project-away DomainIndex
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
|