Assign new GUIDs

Detections/ASimProcess/imProcess_AdFind_Usage.yaml

@@ -1,4 +1,4 @@
-id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
+id: 45076281-35ae-45e0-b443-c32aa0baf965
 name: Probable AdFind Recon Tool Usage (Normalized Process Events)
 description: |
   'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.'

Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml

@@ -1,4 +1,4 @@
-id: d82e1987-4356-4a7b-bc5e-064f29b143c0
+id: bdf04f58-242b-4729-b376-577c4bdf5d3a
 name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
 description: |
   'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands

Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml

@@ -1,4 +1,4 @@
-id: 4a3073ac-7383-48a9-90a8-eb6716183a54
+id: 631d02df-ab51-46c1-8d72-32d0cfec0720
 name: SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
 description: |
   Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor

Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml

@@ -1,4 +1,4 @@
-id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
+id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
 name: Base64 encoded Windows process command-lines (Normalized Process Events)
 description: |
   'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.'

Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml

@@ -1,4 +1,4 @@
-id: 75bf9902-0789-47c1-a5d8-f57046aa72df
+id: 61988db3-0565-49b5-b8e3-747195baac6e
 name: Malware in the recycle bin (Normalized Process Events)
 description: |
   'Identifies malware that has been hidden in the recycle bin.

Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml

@@ -1,4 +1,4 @@
-id: 0e429446-2798-49e4-924d-c37338f24e23
+id: 28233666-c235-4d55-b456-5cfdda29d62d
 name: Certutil (LOLBins and LOLScripts, Normalized Process Events)
 description: |
   'This detection uses Sysmon telemetry to hunt Certutil activities'

Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml

@@ -1,4 +1,4 @@
-id: 8afd1086-fc9a-4d26-b3ff-5c794c79a59a
+id: 9ccb1859-7a79-4a8a-a382-fa54d4dace47
 name: Exchange PowerShell Snapin Added (Normalized Process Events)
 description: |
   'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell.

Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml

@@ -1,4 +1,4 @@
-id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
+id: 4500a2ff-455b-4ee7-a21d-5ac5c7c9ea87
 name: Host Exporting Mailbox and Removing Export (Normalized Process Events)
 description: |
   'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by

Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml

@@ -1,4 +1,4 @@
-id: a344e28e-095d-47fb-84a8-d06edd31d2cb
+id: a2b58512-1298-4a25-a4c7-88ddfed78b0d
 name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
 description: |
   'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'

Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml

@@ -1,4 +1,4 @@
-id: 87c1f90a-f868-4528-a9c1-15520249cae6
+id: 3a8e307b-5037-4182-a4e2-e76d99cecab8
 name: Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
 description: |
   'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.

Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml

@@ -1,4 +1,4 @@
-id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
+id: 4846436d-5183-4a33-a975-fc892ffea91d
 name: Powercat Download (Normalized Process Events)
 description: |
   'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'

Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml

@@ -1,4 +1,4 @@
-id: 05208917-82de-46f7-a190-a65739a690f4
+id: 24e66452-2aaa-455f-b0c6-a0d8216bbe79
 name: Entropy for Processes for a given Host (Normalized Process Events)
 description: |
   'Entropy calculation used to help identify Hosts where they have a high variety of processes(a high entropy process list on a given Host over time).

Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml

@@ -1,4 +1,4 @@
-id:  278592b5-612b-48a4-bb38-4c01ff8ee2a5
+id:  c3f1606e-48eb-464e-a60c-d53af5a5796e
 name: SolarWinds Inventory (Normalized Process Events)
 description: |
   'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations.  This is intended to help use process exection information to discovery any systems that have SolarWinds processes'

Hunting Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml

@@ -1,4 +1,4 @@
-id: dd6fb889-43ef-44e1-a01d-093ab4bb12b2
+id: 1eacb645-9354-49cd-8872-8d68a4fd3f59
 name: Suspicious enumeration using Adfind tool (Normalized Process Events)
 description: |
   Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system.

Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml

@@ -1,4 +1,4 @@
-id: 024b3726-add7-4e06-842d-932034ba21f7
+id: 614a59c5-2dae-4430-bb16-951a28a5f05f
 name: Windows System Shutdown/Reboot (Normalized Process Events)
 description: |
   'This detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)'

Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml

@@ -1,4 +1,4 @@
-id: 36abe031-962d-482e-8e1e-a556ed99d5a3
+id: bd89c7a0-76cb-4fa1-bc64-c366687cda9e
 name: Cscript script daily summary breakdown (Normalized Process Events)
 description: |
   'breakdown of scripts running in the environment'

Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml

@@ -1,4 +1,4 @@
-id: a1e993de-770a-4434-83e9-9e3b47a6e470
+id: 7b3ed03a-7474-4dad-9c6a-92e7b69f6584
 name: Enumeration of users and groups (Normalized Process Events)
 description: |
   'Finds attempts to list users or groups using the built-in Windows 'net' tool '

Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml

@@ -1,4 +1,4 @@
-id: 5e76eaf9-79a7-448c-bace-28e5b53b8396
+id: 374a40ba-73fc-4d70-95ac-524b5765ffa2
 name: Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
 description: |
   'Summarizes uses of uncommon & undocumented commandline switches to create persistence

Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml

@@ -1,4 +1,4 @@
-id: d83f40fc-bbcc-4020-8d45-ad2d82355cb2
+id: 93a4ed6c-83e6-4202-8df4-e340dbd20a38
 name: PowerShell downloads (Normalized Process Events)
 description: |
   'Finds PowerShell execution events that could involve a download'

Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml

@@ -1,4 +1,4 @@
-id: 2ff4b10c-7056-4898-83fd-774104189fd5
+id: 4e3af8e3-a29f-4eec-ac25-55517dca6512
 name: Uncommon processes - bottom 5% (Normalized Process Events)
 description: |
   'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!)

Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml

@@ -1,4 +1,4 @@
-id: c2074fce-b5ba-4c0a-9332-d08b8fc43c53
+id: 365a889c-ae0f-461d-bdf1-d6ce11d0ef6f
 name: Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
 description: |
   'This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities'