Assign new GUIDs
This commit is contained in:
Parent
d5ddad471e
Commit
b47029e6b9
|
@ -1,4 +1,4 @@
|
|||
id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
|
||||
id: 45076281-35ae-45e0-b443-c32aa0baf965
|
||||
name: Probable AdFind Recon Tool Usage (Normalized Process Events)
|
||||
description: |
|
||||
'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.'
|
||||
|
|
|
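Review bot: before merging, the new `id` on the replaced line (`45076281-35ae-45e0-b443-c32aa0baf965`) and the other twenty new GUIDs in this commit should be verified as unique against every existing `id:` value in the repository, since the `id` is the key that deployed analytic rules and templates are matched on; a collision with the original (non-normalized) AdFind query's id, or between two of the new files, would silently shadow or overwrite a rule on deployment. A simple check that lists all `id:` values and fails on duplicates would make this safe to repeat for future ports.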
@ -1,4 +1,4 @@
|
|||
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
|
||||
id: bdf04f58-242b-4729-b376-577c4bdf5d3a
|
||||
name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
|
||||
description: |
|
||||
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
|
||||
|
|
|
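Review bot: the context line `'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands` carries a typo ("idenifies" should read "identifies"); since this file is being touched anyway, the spelling fix could ride along with the id change or in a follow-up.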
@ -1,4 +1,4 @@
|
|||
id: 4a3073ac-7383-48a9-90a8-eb6716183a54
|
||||
id: 631d02df-ab51-46c1-8d72-32d0cfec0720
|
||||
name: SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
|
||||
description: |
|
||||
Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
|
||||
id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
|
||||
name: Base64 encoded Windows process command-lines (Normalized Process Events)
|
||||
description: |
|
||||
'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 75bf9902-0789-47c1-a5d8-f57046aa72df
|
||||
id: 61988db3-0565-49b5-b8e3-747195baac6e
|
||||
name: Malware in the recycle bin (Normalized Process Events)
|
||||
description: |
|
||||
'Identifies malware that has been hidden in the recycle bin.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 0e429446-2798-49e4-924d-c37338f24e23
|
||||
id: 28233666-c235-4d55-b456-5cfdda29d62d
|
||||
name: Certutil (LOLBins and LOLScripts, Normalized Process Events)
|
||||
description: |
|
||||
'This detection uses Sysmon telemetry to hunt Certutil activities'
|
||||
|
|
|
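Review bot: the description `'This detection uses Sysmon telemetry to hunt Certutil activities'` no longer matches a file whose name says "Normalized Process Events", because the normalized process schema is meant to cover more than one telemetry source; the description should say the query runs over normalized process events rather than Sysmon specifically. The same mismatch appears in the "Windows System Shutdown/Reboot" and "Rundll32" files further down in this commit.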
@ -1,4 +1,4 @@
|
|||
id: 8afd1086-fc9a-4d26-b3ff-5c794c79a59a
|
||||
id: 9ccb1859-7a79-4a8a-a382-fa54d4dace47
|
||||
name: Exchange PowerShell Snapin Added (Normalized Process Events)
|
||||
description: |
|
||||
'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell.
|
||||
|
|
|
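Review bot: minor grammar in the context line `'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell.`: "a Exchange server management" should read "Exchange server management" (or "management of an Exchange server"), and the comma splice after "host" would read better as a full stop.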
@ -1,4 +1,4 @@
|
|||
id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
|
||||
id: 4500a2ff-455b-4ee7-a21d-5ac5c7c9ea87
|
||||
name: Host Exporting Mailbox and Removing Export (Normalized Process Events)
|
||||
description: |
|
||||
'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: a344e28e-095d-47fb-84a8-d06edd31d2cb
|
||||
id: a2b58512-1298-4a25-a4c7-88ddfed78b0d
|
||||
name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
|
||||
description: |
|
||||
'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 87c1f90a-f868-4528-a9c1-15520249cae6
|
||||
id: 3a8e307b-5037-4182-a4e2-e76d99cecab8
|
||||
name: Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
|
||||
description: |
|
||||
'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
|
||||
id: 4846436d-5183-4a33-a975-fc892ffea91d
|
||||
name: Powercat Download (Normalized Process Events)
|
||||
description: |
|
||||
'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 05208917-82de-46f7-a190-a65739a690f4
|
||||
id: 24e66452-2aaa-455f-b0c6-a0d8216bbe79
|
||||
name: Entropy for Processes for a given Host (Normalized Process Events)
|
||||
description: |
|
||||
'Entropy calculation used to help identify Hosts where they have a high variety of processes(a high entropy process list on a given Host over time).
|
||||
|
|
|
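Review bot: the description `'Entropy calculation used to help identify Hosts where they have a high variety of processes(a high entropy process list on a given Host over time).` is missing a space before the opening parenthesis and "Hosts where they have" is awkward; suggest "identify hosts with a high variety of processes (a high-entropy process list on a given host over time)".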
@ -1,4 +1,4 @@
|
|||
id: 278592b5-612b-48a4-bb38-4c01ff8ee2a5
|
||||
id: c3f1606e-48eb-464e-a60c-d53af5a5796e
|
||||
name: SolarWinds Inventory (Normalized Process Events)
|
||||
description: |
|
||||
'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes'
|
||||
|
|
|
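Review bot: two typos in the description context line `'Beyond your internal software management systems, ... use process exection information to discovery any systems that have SolarWinds processes'`: "exection" should be "execution" and "to discovery any systems" should be "to discover any systems".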
@ -1,4 +1,4 @@
|
|||
id: dd6fb889-43ef-44e1-a01d-093ab4bb12b2
|
||||
id: 1eacb645-9354-49cd-8872-8d68a4fd3f59
|
||||
name: Suspicious enumeration using Adfind tool (Normalized Process Events)
|
||||
description: |
|
||||
Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system.
|
||||
|
|
|
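Review bot: grammar in the description `Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers.`: "which is administrative tool" should read "which is an administrative tool", and the list "Domain controllers, ADFS Servers" needs "and" between the items. This description also lacks the wrapping single quotes that most of the other files in this commit use, so whichever convention is chosen should be applied consistently.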
@ -1,4 +1,4 @@
|
|||
id: 024b3726-add7-4e06-842d-932034ba21f7
|
||||
id: 614a59c5-2dae-4430-bb16-951a28a5f05f
|
||||
name: Windows System Shutdown/Reboot (Normalized Process Events)
|
||||
description: |
|
||||
'This detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 36abe031-962d-482e-8e1e-a556ed99d5a3
|
||||
id: bd89c7a0-76cb-4fa1-bc64-c366687cda9e
|
||||
name: Cscript script daily summary breakdown (Normalized Process Events)
|
||||
description: |
|
||||
'breakdown of scripts running in the environment'
|
||||
|
|
|
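Review bot: the description `'breakdown of scripts running in the environment'` starts in lower case and is thinner than the other descriptions in this commit; since the file is being touched, consider capitalizing it and stating what the daily summary breaks the cscript executions down by, so the purpose is clear to someone browsing the query list.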
@ -1,4 +1,4 @@
|
|||
id: a1e993de-770a-4434-83e9-9e3b47a6e470
|
||||
id: 7b3ed03a-7474-4dad-9c6a-92e7b69f6584
|
||||
name: Enumeration of users and groups (Normalized Process Events)
|
||||
description: |
|
||||
'Finds attempts to list users or groups using the built-in Windows 'net' tool '
|
||||
|
|
|
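Review bot: the description `'Finds attempts to list users or groups using the built-in Windows 'net' tool '` nests unescaped single quotes inside single quotes; this only parses because `description: |` is a block scalar, which means the outer quotes are stored as literal text in the description. That applies to every file in this commit that wraps a block-scalar description in quotes: either drop the surrounding quotes or drop the `|` indicator and use a proper quoted scalar (with `''` for the inner quotes).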
@ -1,4 +1,4 @@
|
|||
id: 5e76eaf9-79a7-448c-bace-28e5b53b8396
|
||||
id: 374a40ba-73fc-4d70-95ac-524b5765ffa2
|
||||
name: Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
|
||||
description: |
|
||||
'Summarizes uses of uncommon & undocumented commandline switches to create persistence
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: d83f40fc-bbcc-4020-8d45-ad2d82355cb2
|
||||
id: 93a4ed6c-83e6-4202-8df4-e340dbd20a38
|
||||
name: PowerShell downloads (Normalized Process Events)
|
||||
description: |
|
||||
'Finds PowerShell execution events that could involve a download'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 2ff4b10c-7056-4898-83fd-774104189fd5
|
||||
id: 4e3af8e3-a29f-4eec-ac25-55517dca6512
|
||||
name: Uncommon processes - bottom 5% (Normalized Process Events)
|
||||
description: |
|
||||
'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: c2074fce-b5ba-4c0a-9332-d08b8fc43c53
|
||||
id: 365a889c-ae0f-461d-bdf1-d6ce11d0ef6f
|
||||
name: Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
|
||||
description: |
|
||||
'This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities'
|
||||
|
|