This commit is contained in:
Ofer Shezaf 2021-06-18 01:09:12 +03:00
Parent 0a56dcd621
Commit ba197ef2f3
13 changed files: 13 additions and 13 deletions

View file

@ -1,5 +1,5 @@
id: 8afd1086-fc9a-4d26-b3ff-5c794c79a59a
name: Exchange PowerShell Snapin Added (Normalized Process Schema)
name: Exchange PowerShell Snapin Added (Normalized Process Events)
description: |
'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell.
Whilst this is a legitimate administrative tool it is abused by attackers to performs actions on a compromised
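Review bot: the unchanged description lines in this hunk carry two typos that could be fixed in the same rename pass: "a Exchange server" should read "an Exchange server" and "abused by attackers to performs actions" should read "abused by attackers to perform actions". Separately, because `description` is written as a `|` block scalar, the leading single quote on the first description line is part of the literal text rather than YAML quoting, so it will appear verbatim in the rendered description; the same pattern appears in most of the files in this commit.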

View file

@ -1,5 +1,5 @@
id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
name: Host Exporting Mailbox and Removing Export (Normalized Process Schema)
name: Host Exporting Mailbox and Removing Export (Normalized Process Events)
description: |
'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
that same host removing the export within a short time window. This pattern has been observed by attackers

View file

@ -1,5 +1,5 @@
id: a344e28e-095d-47fb-84a8-d06edd31d2cb
name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Schema)
name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
description: |
'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'
requiredDataConnectors: []
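Review bot: the description first calls Invoke-PowerShellTcpOneLine a reverse shell and then says it "can be abused by attackers to exfiltrate data"; the primary risk of a reverse shell is interactive remote command execution on the host, with exfiltration being only one possible follow-on, so consider wording it as "used by attackers to obtain remote command execution" so analysts triage hits accordingly.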

View file

@ -1,5 +1,5 @@
id: 87c1f90a-f868-4528-a9c1-15520249cae6
name: Nishang Reverse TCP Shell in Base64 (Normalized Process Schema)
name: Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
description: |
'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'

View file

@ -1,5 +1,5 @@
id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
name: Powercat Download (Normalized Process Schema)
name: Powercat Download (Normalized Process Events)
description: |
'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
requiredDataConnectors:
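Review bot: the tool name is capitalized inconsistently within this file: the `name` line says "Powercat" while the last sentence of the description says "PowerCat". Pick one spelling so the query name and its description match.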

View file

@ -1,5 +1,5 @@
id: 05208917-82de-46f7-a190-a65739a690f4
name: Entropy for Processes for a given Host (Normalized Process Schema)
name: Entropy for Processes for a given Host (Normalized Process Events)
description: |
'Entropy calculation used to help identify Hosts where they have a high variety of processes(a high entropy process list on a given Host over time).
This helps us identify rare processes on a given Host. Rare here means a process shows up on the Host relatively few times in the the last 7days.
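Review bot: the context lines of the description need a typo pass while the file is being touched: "processes(a high entropy" is missing a space before the parenthesis, and "in the the last 7days" should read "in the last 7 days".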

View file

@ -1,5 +1,5 @@
id: 278592b5-612b-48a4-bb38-4c01ff8ee2a5
name: SolarWinds Inventory (Normalized Process Schema)
name: SolarWinds Inventory (Normalized Process Events)
description: |
'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes'
requiredDataConnectors: []
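Review bot: "help use process exection information to discovery any systems" in the description should read "help use process execution information to discover any systems"; since the file is already being edited, fix it here rather than in a separate commit.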

View file

@ -1,5 +1,5 @@
id: dd6fb889-43ef-44e1-a01d-093ab4bb12b2
name: Suspicious enumeration using Adfind tool (Normalized Process Schema)
name: Suspicious enumeration using Adfind tool (Normalized Process Events)
description: |
Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system.
Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers.
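Review bot: the description's grammar needs a pass in the two context lines: "Adfind which is administrative tool" should read "AdFind, which is an administrative tool"; "Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time" should read "The query below looks for AdFind usage in command-line arguments, irrespective of executable name, within a short span of time"; and "You can limit query this to" should read "You can limit this query to".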

View file

@ -1,5 +1,5 @@
id: 36abe031-962d-482e-8e1e-a556ed99d5a3
name: Cscript script daily summary breakdown (Normalized Process Schema)
name: Cscript script daily summary breakdown (Normalized Process Events)
description: |
'breakdown of scripts running in the environment'
requiredDataConnectors: []
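Review bot: the description "breakdown of scripts running in the environment" is too terse to tell an analyst what the summary contains. Since the `name` says "daily summary", state that the query summarizes cscript script executions per day, and capitalize the first word to match the other query descriptions in this commit.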

View file

@ -1,5 +1,5 @@
id: a1e993de-770a-4434-83e9-9e3b47a6e470
name: Enumeration of users and groups (Normalized Process Schema)
name: Enumeration of users and groups (Normalized Process Events)
description: |
'Finds attempts to list users or groups using the built-in Windows 'net' tool '
requiredDataConnectors: []
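Review bot: the description line nests single quotes around 'net' inside an outer single-quoted string and has a stray space before the closing quote. Because `description` is a `|` block scalar the outer quotes are literal text anyway, so the simplest fix is to drop them and the trailing space, leaving: Finds attempts to list users or groups using the built-in Windows 'net' tool.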

View file

@ -1,5 +1,5 @@
id: 5e76eaf9-79a7-448c-bace-28e5b53b8396
name: Summary of users created using uncommon/undocumented commandline switches (Normalized Process Schema)
name: Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
description: |
'Summarizes uses of uncommon & undocumented commandline switches to create persistence
User accounts may be created to achieve persistence on a machine.
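Review bot: the first description line runs into the second without punctuation: "commandline switches to create persistence" needs a terminating period before "User accounts may be created". The other descriptions in this commit write "command line" as two words, so consider "command-line" here for consistency.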

View file

@ -1,5 +1,5 @@
id: d83f40fc-bbcc-4020-8d45-ad2d82355cb2
name: PowerShell downloads (Normalized Process Schema)
name: PowerShell downloads (Normalized Process Events)
description: |
'Finds PowerShell execution events that could involve a download'
requiredDataConnectors: []

View file

@ -1,5 +1,5 @@
id: 2ff4b10c-7056-4898-83fd-774104189fd5
name: Uncommon processes - bottom 5% (Normalized Process Schema)
name: Uncommon processes - bottom 5% (Normalized Process Events)
description: |
'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!)
These new processes could be benign new programs installed on hosts;