From b47029e6b9e2a1663cfdb1709e875327788d2605 Mon Sep 17 00:00:00 2001
From: Ofer Shezaf
Date: Wed, 23 Jun 2021 15:23:59 +0300
Subject: [PATCH] Assign new GUIDs
---
Detections/ASimProcess/imProcess_AdFind_Usage.yaml | 2 +-
.../ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml | 2 +-
.../ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml | 2 +-
Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml | 2 +-
Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml | 2 +-
.../ASimProcess/imProcess_ExchangePowerShellSnapin.yaml | 2 +-
.../imProcess_HostExportingMailboxAndRemovingExport.yaml | 2 +-
.../ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml | 2 +-
.../ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml | 2 +-
.../imProcess_Suspicious_enumeration_using_adfind.yaml | 2 +-
.../imProcess_Windows System Shutdown-Reboot(T1529).yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml | 2 +-
.../ASimProcess/imProcess_enumeration_user_and_group.yaml | 2 +-
.../ASimProcess/imProcess_persistence_create_account.yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml | 2 +-
Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml | 2 +-
.../inProcess_SignedBinaryProxyExecutionRundll32.yaml | 2 +-
21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/Detections/ASimProcess/imProcess_AdFind_Usage.yaml b/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
index 6b815feb6b..251ad69385 100644
--- a/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
+++ b/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
@@ -1,4 +1,4 @@
-id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
+id: 45076281-35ae-45e0-b443-c32aa0baf965
 name: Probable AdFind Recon Tool Usage (Normalized Process Events)
 description: |
 'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.'
diff --git a/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml b/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml
index a87eed7d0e..e272ade5c8 100644
--- a/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml
+++ b/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml
@@ -1,4 +1,4 @@
-id: d82e1987-4356-4a7b-bc5e-064f29b143c0
+id: bdf04f58-242b-4729-b376-577c4bdf5d3a
 name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
 description: |
 'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
diff --git a/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml b/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
index acad037760..3360901d75 100644
--- a/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
+++ b/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
@@ -1,4 +1,4 @@
-id: 4a3073ac-7383-48a9-90a8-eb6716183a54
+id: 631d02df-ab51-46c1-8d72-32d0cfec0720
 name: SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
 description: |
 Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
diff --git a/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml b/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
index f9e9a6414b..c78e8efe73 100644
--- a/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
+++ b/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
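Review bot: Changing the template `id` of an already-published detection detaches any analytics rule that was deployed from the old GUID `c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd`, because the deployed rule is keyed by that id; it will keep running with its old content and will no longer be recognised as an instance of this template. Presumably the old GUIDs were duplicates of the non-normalized originals these ASim queries were cloned from, which would justify the change, but the commit message does not say so and should. The `version` field is outside this hunk; if it exists it should be bumped alongside the id so the update is visible to consumers, and the new GUIDs should be checked for uniqueness against the rest of the repository. The remainder of the rule body is outside the hunk.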
@@ -1,4 +1,4 @@
-id: ca67c83e-7fff-4127-a3e3-1af66d6d4cad
+id: f8b3c49c-4087-499b-920f-0dcfaff0cbca
 name: Base64 encoded Windows process command-lines (Normalized Process Events)
 description: |
 'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.'
diff --git a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
index 96f2ebb971..be1bb07937 100644
--- a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
+++ b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
@@ -1,4 +1,4 @@
-id: 75bf9902-0789-47c1-a5d8-f57046aa72df
+id: 61988db3-0565-49b5-b8e3-747195baac6e
 name: Malware in the recycle bin (Normalized Process Events)
 description: |
 'Identifies malware that has been hidden in the recycle bin.
diff --git a/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml b/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml
index e682156e3f..9ea1927ee6 100644
--- a/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml
@@ -1,4 +1,4 @@
-id: 0e429446-2798-49e4-924d-c37338f24e23
+id: 28233666-c235-4d55-b456-5cfdda29d62d
 name: Certutil (LOLBins and LOLScripts, Normalized Process Events)
 description: |
 'This detection uses Sysmon telemetry to hunt Certutil activities'
diff --git a/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml b/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml
index 10c07d236d..dac6e11ae3 100644
--- a/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml
@@ -1,4 +1,4 @@
-id: 8afd1086-fc9a-4d26-b3ff-5c794c79a59a
+id: 9ccb1859-7a79-4a8a-a382-fa54d4dace47
 name: Exchange PowerShell Snapin Added (Normalized Process Events)
 description: |
 'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell.
diff --git a/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml b/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml
index 94082afba2..42b0c8c6fb 100644
--- a/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml
@@ -1,4 +1,4 @@
-id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
+id: 4500a2ff-455b-4ee7-a21d-5ac5c7c9ea87
 name: Host Exporting Mailbox and Removing Export (Normalized Process Events)
 description: |
 'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
diff --git a/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml b/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml
index 7c49465536..1cc7fd64cf 100644
--- a/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml
@@ -1,4 +1,4 @@
-id: a344e28e-095d-47fb-84a8-d06edd31d2cb
+id: a2b58512-1298-4a25-a4c7-88ddfed78b0d
 name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
 description: |
 'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'
diff --git a/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml b/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml
index 7527f5f5ec..d8bb48c4c5 100644
--- a/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml
@@ -1,4 +1,4 @@
-id: 87c1f90a-f868-4528-a9c1-15520249cae6
+id: 3a8e307b-5037-4182-a4e2-e76d99cecab8
 name: Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
 description: |
 'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
diff --git a/Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml b/Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml
index 8719b190b1..3bae82ecd9 100644
--- a/Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml
@@ -1,4 +1,4 @@
-id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
+id: 4846436d-5183-4a33-a975-fc892ffea91d
 name: Powercat Download (Normalized Process Events)
 description: |
 'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
diff --git a/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml b/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml
index fcb5541976..46358cc04c 100644
--- a/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml
@@ -1,4 +1,4 @@
-id: 05208917-82de-46f7-a190-a65739a690f4
+id: 24e66452-2aaa-455f-b0c6-a0d8216bbe79
 name: Entropy for Processes for a given Host (Normalized Process Events)
 description: |
 'Entropy calculation used to help identify Hosts where they have a high variety of processes(a high entropy process list on a given Host over time).
diff --git a/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml b/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml
index 47e5603a5e..106ac6125a 100644
--- a/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml
@@ -1,4 +1,4 @@
-id: 278592b5-612b-48a4-bb38-4c01ff8ee2a5
+id: c3f1606e-48eb-464e-a60c-d53af5a5796e
 name: SolarWinds Inventory (Normalized Process Events)
 description: |
 'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes'
diff --git a/Hunting Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml b/Hunting Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml
index 3a6b9f1f13..3544e2d4e3 100644
--- a/Hunting Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml
@@ -1,4 +1,4 @@
-id: dd6fb889-43ef-44e1-a01d-093ab4bb12b2
+id: 1eacb645-9354-49cd-8872-8d68a4fd3f59
 name: Suspicious enumeration using Adfind tool (Normalized Process Events)
 description: |
 Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system.
diff --git a/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml b/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml
index 314b64cdaf..7b3c574fee 100644
--- a/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml
+++ b/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml
@@ -1,4 +1,4 @@
-id: 024b3726-add7-4e06-842d-932034ba21f7
+id: 614a59c5-2dae-4430-bb16-951a28a5f05f
 name: Windows System Shutdown/Reboot (Normalized Process Events)
 description: |
 'This detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)'
diff --git a/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml b/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml
index c96251adac..42077d15bb 100644
--- a/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml
@@ -1,4 +1,4 @@
-id: 36abe031-962d-482e-8e1e-a556ed99d5a3
+id: bd89c7a0-76cb-4fa1-bc64-c366687cda9e
 name: Cscript script daily summary breakdown (Normalized Process Events)
 description: |
 'breakdown of scripts running in the environment'
diff --git a/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml b/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml
index 229aaa23d5..c6a585768b 100644
--- a/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml
@@ -1,4 +1,4 @@
-id: a1e993de-770a-4434-83e9-9e3b47a6e470
+id: 7b3ed03a-7474-4dad-9c6a-92e7b69f6584
 name: Enumeration of users and groups (Normalized Process Events)
 description: |
 'Finds attempts to list users or groups using the built-in Windows 'net' tool '
diff --git a/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml b/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml
index b0a3f050b1..399b7a1d02 100644
--- a/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml
@@ -1,4 +1,4 @@
-id: 5e76eaf9-79a7-448c-bace-28e5b53b8396
+id: 374a40ba-73fc-4d70-95ac-524b5765ffa2
 name: Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
 description: |
 'Summarizes uses of uncommon & undocumented commandline switches to create persistence
diff --git a/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml b/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml
index acff56644a..97e94f87dd 100644
--- a/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml
@@ -1,4 +1,4 @@
-id: d83f40fc-bbcc-4020-8d45-ad2d82355cb2
+id: 93a4ed6c-83e6-4202-8df4-e340dbd20a38
 name: PowerShell downloads (Normalized Process Events)
 description: |
 'Finds PowerShell execution events that could involve a download'
diff --git a/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml b/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml
index 6b1b909f3c..4028ed2581 100644
--- a/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml
+++ b/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml
@@ -1,4 +1,4 @@
-id: 2ff4b10c-7056-4898-83fd-774104189fd5
+id: 4e3af8e3-a29f-4eec-ac25-55517dca6512
 name: Uncommon processes - bottom 5% (Normalized Process Events)
 description: |
 'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!)
diff --git a/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml b/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml
index ca47374bd4..161d57fe14 100644
--- a/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml
+++ b/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml
@@ -1,4 +1,4 @@
-id: c2074fce-b5ba-4c0a-9332-d08b8fc43c53
+id: 365a889c-ae0f-461d-bdf1-d6ce11d0ef6f
 name: Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
 description: |
 'This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities'
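Review bot: The file touched by the last hunk is named `inProcess_SignedBinaryProxyExecutionRundll32.yaml`, while every other file in `Hunting Queries/ASimProcess/` in this diffstat carries the `imProcess_` prefix, so the `in` reads as a typo that will break any tooling or naming-based lookup that expects the normalized-query prefix. Since this commit already edits the file, it is the natural place to rename it to `imProcess_SignedBinaryProxyExecutionRundll32.yaml` in the same change, so the new GUID and the rename land together. The rest of the query body is outside the hunk.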