capitalize for consistency

2021-03-04 10:54:36 -08:00 · 2021-03-04 10:54:36 -08:00 · a7194fafad
--- a/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
+++ b/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
@ -20,7 +20,7 @@ relevantTechniques:
  - T1550.001
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  let auditLookbackStart = 2d;
  let auditLookbackEnd = 1d;
--- a/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
@ -20,7 +20,7 @@ relevantTechniques:
  - T1550.001
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  AuditLogs
  | where OperationName has_any ("Add service principal", "Certificates and secrets management") // captures "Add service principal", "Add service principal credentials", and "Update application - Certificates and secrets management" events
--- a/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
+++ b/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
@ -17,7 +17,7 @@ relevantTechniques:
  - T1098
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  AuditLogs
--- a/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
@ -20,7 +20,7 @@ relevantTechniques:
  - T1550.001
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  AuditLogs
  | where OperationName has_any ("Add service principal", "Certificates and secrets management") // captures "Add service principal", "Add service principal credentials", and "Update application - Certificates and secrets management" events
--- a/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
+++ b/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
@ -25,7 +25,7 @@ relevantTechniques:
 tags:
  - Sunburst
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query:  |

  DeviceEvents
--- a/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml
+++ b/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml
@ -21,7 +21,7 @@ relevantTechniques:
  - T1195.002
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query:  |

  let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
--- a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
+++ b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
@ -26,7 +26,7 @@ relevantTechniques:
  - T1005
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query:  |
  (union isfuzzy=true (SecurityEvent 
  | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
--- a/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml
+++ b/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml
@ -26,7 +26,7 @@ relevantTechniques:
  - T1204
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  let timeframe = 1d;
  let AccountAllowList = dynamic(['SYSTEM']);
--- a/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml
+++ b/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml
@ -25,7 +25,7 @@ relevantTechniques:
  - T1078
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  let timeframe = 1d;
  let cmdList = dynamic(["Set-CASMailbox","ActiveSyncAllowedDeviceIDs","add"]);
--- a/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml
+++ b/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml
@ -35,7 +35,7 @@ tactics:
 relevantTechniques:
  - T1102
 tags:
-  - Nobelium
+  - NOBELIUM
 query:  |  

  let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org']);
--- a/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
+++ b/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
@ -19,7 +19,7 @@ relevantTechniques:
  - T1554
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  // How far back to look for events from
  let timeframe = 1d;
--- a/Detections/MultipleDataSources/SUNSPOTHashes.yaml
+++ b/Detections/MultipleDataSources/SUNSPOTHashes.yaml
@ -21,7 +21,7 @@ relevantTechniques:
  - T1554
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
  union isfuzzy=true(
--- a/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
+++ b/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
@ -23,7 +23,7 @@ relevantTechniques:
  - T1554
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  union isfuzzy=true
  (DeviceFileEvents
--- a/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml
+++ b/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml
@ -31,7 +31,7 @@ relevantTechniques:
  - T1562
 tags: 
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
 
  let servicelist = dynamic(['Services\\HealthService', 'Services\\Sense', 'Services\\WinDefend', 'Services\\MsSecFlt', 'Services\\DiagTrack', 'Services\\SgrmBroker', 'Services\\SgrmAgent', 'Services\\AATPSensorUpdater' , 'Services\\AATPSensor', 'Services\\mpssvc']);
--- a/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
+++ b/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
@ -34,7 +34,7 @@ relevantTechniques:
  - T1102
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query:  |  

  let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
--- a/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
+++ b/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
@ -23,7 +23,7 @@ relevantTechniques:
  - T1102
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query:  |  

  let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
--- a/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml
+++ b/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml
@ -21,7 +21,7 @@ relevantTechniques:
  - T1114
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let starttime = 14d;
--- a/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
+++ b/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
@ -21,7 +21,7 @@ relevantTechniques:
  - T1195
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  DeviceInfo
--- a/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
+++ b/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
@ -20,7 +20,7 @@ relevantTechniques:
  - T1005
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  // Adjust this to use a longer timeframe to identify ADFS servers
--- a/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml
+++ b/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml
@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
  - T1547
 tags:
-  - Nobelium
+  - NOBELIUM
 query: |
  SecurityEvent
  | where EventID == 4688
--- a/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml
+++ b/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml
@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
  - T1059
 tags:
-  - Nobelium
+  - NOBELIUM
 query: |
  let cmdTokens0 = dynamic(['vbscript','jscript']);
  let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
--- a/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
+++ b/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
@ -18,7 +18,7 @@ relevantTechniques:
  - T1554
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  // How far back to look for events from
  let timeframe = 1d;
--- a/Detections/SecurityEvent/SolorigateNamedPipe.yaml
+++ b/Detections/SecurityEvent/SolorigateNamedPipe.yaml
@ -15,7 +15,7 @@ tactics:
  - LateralMovement
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  (union isfuzzy=true
--- a/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
+++ b/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
@ -19,7 +19,7 @@ relevantTechniques:
  - T1078.004
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  SigninLogs
  | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Azure Active Directory PowerShell
--- a/Queries/DnsEvents/Solorigate-DNS-Pattern.yaml
+++ b/Queries/DnsEvents/Solorigate-DNS-Pattern.yaml
@ -12,7 +12,7 @@ relevantTechniques:
  - T1568
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let cloudApiTerms = dynamic(["api", "east", "west"]);
--- a/Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml
+++ b/Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml
@ -16,7 +16,7 @@ relevantTechniques:
  - T1568
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let dictionary = dynamic(["r","q","3","g","s","a","l","t","6","u","1","i","y","f","z","o","p","5","7","2","d","4","9","b","n","x","8","c","v","m","k","e","w","h","j"]);
--- a/Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml
+++ b/Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml
@ -25,7 +25,7 @@ relevantTechniques:
  - T1204
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  // historical time frame
  let StartTime = 7d; 
--- a/Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml
+++ b/Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml
@ -15,7 +15,7 @@ relevantTechniques:
  - T1562.001
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let includeProc = dynamic(["sc.exe","net1.exe","net.exe", "taskkill.exe", "cmd.exe", "powershell.exe"]);
--- a/Queries/MultipleDataSources/SolarWindsInventory.yaml
+++ b/Queries/MultipleDataSources/SolarWindsInventory.yaml
@ -15,7 +15,7 @@ relevantTechniques:
  - T1072
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let timeframe = 30d; 
--- a/Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
+++ b/Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
@ -12,7 +12,7 @@ relevantTechniques:
  - T1114.002
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  //Adjust this value to exclude historical activity as known good
--- a/Queries/OfficeActivity/nonowner_MailboxLogin.yaml
+++ b/Queries/OfficeActivity/nonowner_MailboxLogin.yaml
@ -18,7 +18,7 @@ relevantTechniques:
  - T1020
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let timeframe = 1d;
--- a/Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml
+++ b/Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml
@ -16,7 +16,7 @@ relevantTechniques:
  - T1114
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  // Adjust the timeframe to change the window events need to occur within to alert
--- a/Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
+++ b/Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
@ -18,7 +18,7 @@ relevantTechniques:
  - T1078
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let WellKnownLocalSIDs = "S-1-5-[0-9][0-9]$";
--- a/Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
+++ b/Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
@ -24,7 +24,7 @@ relevantTechniques:
  - T1074
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |
  let startdate = 1d;
  let lookupwindow = 2m;
--- a/Queries/SigninLogs/Signins-From-VPS-Providers.yaml
+++ b/Queries/SigninLogs/Signins-From-VPS-Providers.yaml
@ -13,7 +13,7 @@ relevantTechniques:
  - T1078
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let IP_Data = (externaldata(network:string)
--- a/Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
+++ b/Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
@ -15,7 +15,7 @@ relevantTechniques:
  - T1567
 tags:
  - Solorigate
-  - Nobelium
+  - NOBELIUM
 query: |

  let excludeIps = dynamic(["127.0.0.1", "::1"]);