Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

MTPQueries&IOCPlaceholder

This commit is contained in:
Pete Bryan 2021-03-05 15:00:41 -08:00
Родитель 257ae42ec6
Коммит ab5b9808d3
4 изменённых файлов: 59 добавлений и 1 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

32
Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml Normal file
Просмотреть файл

@ -0,0 +1,32 @@
id: 87c1f90a-f868-4528-a9c1-15520249cae6
name: Nishang Reverse TCP Shell in Base64
description: |
'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
tactics:
- Exfiltration
relevantTechniques:
- T1011
query: |
SecurityEvent
| where EventID == 4688
| where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e"
| mvexpand SS = split(CommandLine, " ")
| where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}"
| extend DecodeString = base64_decodestring(tostring(SS))
| extend FinalString = replace("\\0", "", DecodeString)
| where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex")
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity

2
Hunting Queries/SecurityEvent/PowerCatDownload.yaml
Просмотреть файл

@ -14,7 +14,7 @@ query: |
SecurityEvent SecurityEvent
| where EventID == 4688 | where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1" | where CommandLine hassuffix "powercat.ps1"
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings: entityMappings:
- entityType: Account - entityType: Account

25
Hunting Queries/SecurityEvent/ProcdumpofLsass.yaml Normal file
Просмотреть файл

@ -0,0 +1,25 @@
id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
name: Procdump of LSASS memory
description: |
'Look for evidence of Procdump being used to dump LSASS process. Often used by attackers to access credentials stored on a system.'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
tactics:
- CredentialAccess
relevantTechniques:
- T1003
query: |
SecurityEvent
| where (Process has_any ("procdump.exe", "procdump64.exe") and CommandLine has "lsass")
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity

1
Sample Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilities-March2021.csv Normal file
Просмотреть файл

@ -0,0 +1 @@
DateAdded,IoC,Type,TLP,Release
1 DateAdded IoC Type TLP Release