diff --git a/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml b/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
index 71a0b8bfce..bd18098a05 100644
--- a/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
+++ b/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
@@ -20,7 +20,7 @@ relevantTechniques:
 - T1550.001
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let auditLookbackStart = 2d;
 let auditLookbackEnd = 1d;
diff --git a/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml b/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
index 8d9770e88b..9e8904e0ec 100644
--- a/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
@@ -20,7 +20,7 @@ relevantTechniques:
 - T1550.001
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 AuditLogs
 | where OperationName has_any ("Add service principal", "Certificates and secrets management") // captures "Add service principal", "Add service principal credentials", and "Update application - Certificates and secrets management" events
diff --git a/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml b/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
index bd26c43752..8013895094 100644
--- a/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
+++ b/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
@@ -17,7 +17,7 @@ relevantTechniques:
 - T1098
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 AuditLogs
diff --git a/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml b/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
index 32af272bd4..4b3506c2d4 100644
--- a/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
@@ -20,7 +20,7 @@ relevantTechniques:
 - T1550.001
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 AuditLogs
 | where OperationName has_any ("Add service principal", "Certificates and secrets management") // captures "Add service principal", "Add service principal credentials", and "Update application - Certificates and secrets management" events
diff --git a/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml b/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
index f91e650534..74b1c40da5 100644
--- a/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
+++ b/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
@@ -25,7 +25,7 @@ relevantTechniques:
 tags:
 - Sunburst
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 DeviceEvents
diff --git a/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml b/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml
index 96e19030dd..075fdf2cdf 100644
--- a/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml
+++ b/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1195.002
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
diff --git a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
index eeae15d6ee..4f740d0ccd 100644
--- a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
+++ b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
@@ -26,7 +26,7 @@ relevantTechniques:
 - T1005
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 (union isfuzzy=true (SecurityEvent | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created.
diff --git a/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml b/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml
index 7684b52d18..b9162b8ce4 100644
--- a/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml
+++ b/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml
@@ -26,7 +26,7 @@ relevantTechniques:
 - T1204
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let timeframe = 1d;
 let AccountAllowList = dynamic(['SYSTEM']);
diff --git a/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml b/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml
index 0be3132d49..2a6f157368 100644
--- a/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml
+++ b/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml
@@ -25,7 +25,7 @@ relevantTechniques:
 - T1078
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let timeframe = 1d;
 let cmdList = dynamic(["Set-CASMailbox","ActiveSyncAllowedDeviceIDs","add"]);
diff --git a/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml b/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml
index e97bc53c70..adcafd8b9c 100644
--- a/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml
+++ b/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml
@@ -35,7 +35,7 @@ tactics:
 relevantTechniques:
 - T1102
 tags:
- - Nobelium
+ - NOBELIUM
 query: |
 let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org']);
diff --git a/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml b/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
index bc624f9c5e..8a52b10a62 100644
--- a/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
+++ b/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
@@ -19,7 +19,7 @@ relevantTechniques:
 - T1554
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 // How far back to look for events from
 let timeframe = 1d;
diff --git a/Detections/MultipleDataSources/SUNSPOTHashes.yaml b/Detections/MultipleDataSources/SUNSPOTHashes.yaml
index 6c9293a7f9..9810e33379 100644
--- a/Detections/MultipleDataSources/SUNSPOTHashes.yaml
+++ b/Detections/MultipleDataSources/SUNSPOTHashes.yaml
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1554
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
 union isfuzzy=true(
diff --git a/Detections/MultipleDataSources/SUNSPOTLogFile.yaml b/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
index 5480d7ff8a..038bfb1639 100644
--- a/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
+++ b/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
@@ -23,7 +23,7 @@ relevantTechniques:
 - T1554
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 union isfuzzy=true (DeviceFileEvents
diff --git a/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml b/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml
index 0f8ddbf801..9cd9d641dc 100644
--- a/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml
+++ b/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml
@@ -31,7 +31,7 @@ relevantTechniques:
 - T1562
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let servicelist = dynamic(['Services\\HealthService', 'Services\\Sense', 'Services\\WinDefend', 'Services\\MsSecFlt', 'Services\\DiagTrack', 'Services\\SgrmBroker', 'Services\\SgrmAgent', 'Services\\AATPSensorUpdater' , 'Services\\AATPSensor', 'Services\\mpssvc']);
diff --git a/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml b/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
index 45c5ddb5a8..1d3c9f5dde 100644
--- a/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
+++ b/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
@@ -34,7 +34,7 @@ relevantTechniques:
 - T1102
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
diff --git a/Detections/MultipleDataSources/Solorigate-VM-Network.yaml b/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
index a700df705d..e5b24c9ac7 100644
--- a/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
+++ b/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
@@ -23,7 +23,7 @@ relevantTechniques:
 - T1102
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
diff --git a/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml b/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml
index 233598e7b9..cbcbceaf81 100644
--- a/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml
+++ b/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1114
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let starttime = 14d;
diff --git a/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml b/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
index 12eabd00f0..05fdf2b244 100644
--- a/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
+++ b/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1195
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 DeviceInfo
diff --git a/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml b/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
index a2249dd8b2..c7d1313a66 100644
--- a/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
+++ b/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
@@ -20,7 +20,7 @@ relevantTechniques:
 - T1005
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 // Adjust this to use a longer timeframe to identify ADFS servers
diff --git a/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml b/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml
index eee36da05c..df581e9247 100644
--- a/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml
+++ b/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1547
 tags:
- - Nobelium
+ - NOBELIUM
 query: |
 SecurityEvent
 | where EventID == 4688
diff --git a/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml b/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml
index 62a6e00233..c6322369db 100644
--- a/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml
+++ b/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1059
 tags:
- - Nobelium
+ - NOBELIUM
 query: |
 let cmdTokens0 = dynamic(['vbscript','jscript']);
 let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
diff --git a/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml b/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
index 39d8319413..63c6173abc 100644
--- a/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
+++ b/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
@@ -18,7 +18,7 @@ relevantTechniques:
 - T1554
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 // How far back to look for events from
 let timeframe = 1d;
diff --git a/Detections/SecurityEvent/SolorigateNamedPipe.yaml b/Detections/SecurityEvent/SolorigateNamedPipe.yaml
index 386b1c0e8a..9a8e074d9a 100644
--- a/Detections/SecurityEvent/SolorigateNamedPipe.yaml
+++ b/Detections/SecurityEvent/SolorigateNamedPipe.yaml
@@ -15,7 +15,7 @@ tactics:
 - LateralMovement
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 (union isfuzzy=true
diff --git a/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml b/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
index cbc7fdc488..f46a6c74b5 100644
--- a/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
+++ b/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
@@ -19,7 +19,7 @@ relevantTechniques:
 - T1078.004
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 SigninLogs
 | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Azure Active Directory PowerShell
diff --git a/Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml b/Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml
index 7f62fe00c5..90dc62755d 100644
--- a/Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml
+++ b/Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml
@@ -12,7 +12,7 @@ relevantTechniques:
 - T1568
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let cloudApiTerms = dynamic(["api", "east", "west"]);
diff --git a/Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml b/Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml
index bf05f7c8f3..3101716d22 100644
--- a/Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml
+++ b/Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml
@@ -16,7 +16,7 @@ relevantTechniques:
 - T1568
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let dictionary = dynamic(["r","q","3","g","s","a","l","t","6","u","1","i","y","f","z","o","p","5","7","2","d","4","9","b","n","x","8","c","v","m","k","e","w","h","j"]);
diff --git a/Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml b/Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml
index 54a365ef87..ba8a881dae 100644
--- a/Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml
+++ b/Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml
@@ -25,7 +25,7 @@ relevantTechniques:
 - T1204
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 // historical time frame
 let StartTime = 7d;
diff --git a/Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml b/Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml
index 1ab957317c..10248ed7c9 100644
--- a/Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml
+++ b/Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml
@@ -15,7 +15,7 @@ relevantTechniques:
 - T1562.001
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let includeProc = dynamic(["sc.exe","net1.exe","net.exe", "taskkill.exe", "cmd.exe", "powershell.exe"]);
diff --git a/Hunting Queries/MultipleDataSources/SolarWindsInventory.yaml b/Hunting Queries/MultipleDataSources/SolarWindsInventory.yaml
index 9052cc96fc..6cdc87f761 100644
--- a/Hunting Queries/MultipleDataSources/SolarWindsInventory.yaml
+++ b/Hunting Queries/MultipleDataSources/SolarWindsInventory.yaml
@@ -15,7 +15,7 @@ relevantTechniques:
 - T1072
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let timeframe = 30d;
diff --git a/Hunting Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml b/Hunting Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
index 21974e823e..12d72d54bd 100644
--- a/Hunting Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
+++ b/Hunting Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml
@@ -12,7 +12,7 @@ relevantTechniques:
 - T1114.002
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 //Adjust this value to exclude historical activity as known good
diff --git a/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml b/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml
index 9450551926..3890ac63c2 100644
--- a/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml
+++ b/Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml
@@ -18,7 +18,7 @@ relevantTechniques:
 - T1020
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let timeframe = 1d;
diff --git a/Hunting Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml b/Hunting Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml
index f0bb5a4be2..730c99d771 100644
--- a/Hunting Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml
+++ b/Hunting Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml
@@ -16,7 +16,7 @@ relevantTechniques:
 - T1114
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 // Adjust the timeframe to change the window events need to occur within to alert
diff --git a/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml b/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
index c276154e09..ef761ab728 100644
--- a/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
+++ b/Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml
@@ -18,7 +18,7 @@ relevantTechniques:
 - T1078
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let WellKnownLocalSIDs = "S-1-5-[0-9][0-9]$";
diff --git a/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml b/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
index fdadfe4d59..2bc3a194f4 100644
--- a/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
+++ b/Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml
@@ -24,7 +24,7 @@ relevantTechniques:
 - T1074
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let startdate = 1d;
 let lookupwindow = 2m;
diff --git a/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml b/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml
index ac89df9349..110418bdf9 100644
--- a/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml
+++ b/Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml
@@ -13,7 +13,7 @@ relevantTechniques:
 - T1078
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let IP_Data = (externaldata(network:string)
diff --git a/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml b/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
index 4a2568d3c3..5a1be6367b 100644
--- a/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
+++ b/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml
@@ -15,7 +15,7 @@ relevantTechniques:
 - T1567
 tags:
 - Solorigate
- - Nobelium
+ - NOBELIUM
 query: |
 let excludeIps = dynamic(["127.0.0.1", "::1"]);