Pete Bryan 2022-03-02 15:05:56 -08:00
Parent e519d727bf
Commit a19afc47c1
11 changed files: 13 additions and 13 deletions

View file

@ -1,5 +1,5 @@
id: 29a29e5d-354e-4f5e-8321-8b39d25047bf
name: Dev-0228 File Path Hashes November 2021 - ASIM
name: Dev-0228 File Path Hashes November 2021 (ASIM Version)
description: |
'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.
The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.
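Review bot: the title normalization from the trailing ` - ASIM` to the ` (ASIM Version)` suffix is the right change, but the description context lines in this file carry two wording defects that are worth fixing while the file is touched: `custom version of popular tool like PsExec, Procdump etc. to carry its activity` should read `custom versions of popular tools such as PsExec and Procdump to carry out its activity`, and `based on a number of factors, hosts with higher risk events should be investigated first` is a comma splice that should be split into two sentences.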
@ -15,7 +15,7 @@ tactics:
- Execution
relevantTechniques:
- T1569
query: |
query: |
let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77", "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
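Review bot: the second hunk in this file removes and re-adds `query: |` with no visible difference, so the change is whitespace-only (trailing space or line ending) and not a query change; that is fine to keep, but it should be called out in the commit message, since it inflates the 13-addition/13-deletion count beyond the name lines. The hard-coded paths in `files1` and `files2` and the SHA-256 list in `FileHash1` are unchanged context and are correctly left alone.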

View file

@ -1,5 +1,5 @@
id: 0dd2a343-4bf9-4c93-a547-adf3658ddaec
name: New EXE deployed via Default Domain or Default Domain Controller Policies ASIM
name: New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
description: |
'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
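Review bot: `id: 0dd2a343-4bf9-4c93-a547-adf3658ddaec` is left unchanged, so the template keeps its identity and only the display name moves to the ` (ASIM Version)` suffix; that is the correct way to do the rename. One wording point in the context: `best practice is that these policies should not be used for deployment of files` reads more cleanly as `best practice is not to use these policies to deploy files`.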

View file

@ -1,5 +1,5 @@
id: 5b6ae038-f66e-4f74-9315-df52fd492be4
name: Potential re-named sdelete usage ASIM
name: Potential re-named sdelete usage (ASIM Version)
description: |
'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.
A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
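Review bot: the new title still spells `re-named` (and the description `re-name`), whereas the rest of the renamed titles in this commit use single unhyphenated words; consider `renamed` / `rename` so the title matches what analysts will type when searching for the rule.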

View file

@ -1,5 +1,5 @@
id: 30c8b802-ace1-4408-bc29-4c5c5afb49e1
name: Sdelete deployed via GPO and run recursively ASIM
name: Sdelete deployed via GPO and run recursively (ASIM Version)
description: |
'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.
This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization'
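Review bot: the description context line `deploy Sdelete to multiple host and delete data on them` has a number disagreement; suggest `multiple hosts`. The final sentence correctly points at the ASIM parser deployment requirement, which the other descriptions in this commit omit; it would be worth carrying that sentence into the other ASIM Version files as well.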

View file

@ -1,5 +1,5 @@
id: 01e8ffff-dc0c-43fe-aa22-d459c4204553
name: Discord CDN Risky File Download ASIM
name: Discord CDN Risky File Download (ASIM Version)
description: |
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.
This query uses the Advanced Security Information Model - https://docs.microsoft.com/azure/sentinel/normalization'

View file

@ -1,5 +1,5 @@
id: ac9e233e-44d4-45eb-b522-6e47445f6582
name: Potential Fodhelper UAC Bypass ASIM
name: Potential Fodhelper UAC Bypass (ASIM Version)
description: |
'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.'
severity: Medium

View file

@ -1,5 +1,5 @@
id: 3169dc83-9e97-452c-afcc-baebdb0ddf7c
name: Discord download invoked from cmd line (ASIM)
name: Discord download invoked from cmd line (ASIM Version)
description: |
'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.'
requiredDataConnectors: []

View file

@ -1,7 +1,7 @@
id: 98fdd28d-9c13-431b-aca9-e6cfbb90a5a9
name: Dev-0056 Command Line Activity November 2021 - MSIM
name: Dev-0056 Command Line Activity November 2021 (ASIM Version)
description: |
' This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.
' This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.
This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization'
requiredDataConnectors: []
tactics:
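Review bot: the description line `' This hunting query looks for process command line activity ...` is removed and re-added with no visible difference, so only whitespace changed there, while two defects in that same line survive: the stray space after the opening quote (`' This`) and the missing space in `Dev-0056.The`. In addition, this file's closing sentence names the `Microsoft Sentinel Information Model` whereas the Sdelete and Discord files in this same commit say `Advanced Security Information Model`; since the commit standardizes the title suffix to `(ASIM Version)`, the model name in the descriptions should be standardized in the same pass.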

View file

@ -1,5 +1,5 @@
id: 6cb193f3-7c6d-4b53-9153-49a09be830d7
name: Crash dump disabled on host ASIM
name: Crash dump disabled on host (ASIM Version)
description: |
'This detection looks the prevention of crash dumps being created. This can be used to limit reporting by malware, look for suspicious processes setting this registry key.'
requiredDataConnectors: []
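Review bot: the description context `This detection looks the prevention of crash dumps being created` is missing a word (`looks for the prevention`), and `This can be used to limit reporting by malware, look for suspicious processes setting this registry key` is a comma splice; suggest `Malware can use this to limit reporting. Look for suspicious processes setting this registry key.` while the file is being touched.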

View file

@ -1,5 +1,5 @@
id: 6bfea14f-2122-46b3-8f8b-3947e0fb6d92
name: Dev-0322 Command Line Activity November 2021 - MSIM
name: Dev-0322 Command Line Activity November 2021 (ASIM Version)
description: |
'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.
The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.

View file

@ -1,5 +1,5 @@
id: 9b72769e-6ab1-4736-988b-018d92dc5e62
name: Dev-0322 File Drop Activity November 2021 - MSIM
name: Dev-0322 File Drop Activity November 2021 (ASIM Version)
description: |
'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.
The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.
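Review bot: the description context `dropped as part of the threat actors post exploitation activity` is missing the possessive; the sibling Dev-0322 command-line file already uses `threat actor's post exploitation activity`, so suggest the same form here for consistency between the two Dev-0322 queries.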