Zhipeng Zhao 2019-01-23 10:20:00 -08:00
Родитель 32363e236b
Коммит d104b28411
1 изменённых файлов: 2 добавлений и 2 удалений


@ -3,5 +3,5 @@
"name": "Uncommon processes/files - bottom 5%",
"description": "Shows the rarest processes seen running for the first time. These new processes could be benign new programs installed on hosts; however, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.",
"techniques": [ "Execution", "InitialAccess", "Persistence", "PrivilegeEscalation", "CredentialAccess", "Discovery", "LateralMovement", "Collection", "Exfiltration", "CommandAndControl" ],
"query": "let ProcessCreationEvents=() {\n let processEvents=SecurityEvent\n | where EventID==4688\n // filter out common randomly named files related to MSI installers and browsers\n | where not(NewProcessName matches regex @\"Temp\\\\[0-9]{1}\\\\TRA[0-9A-Fa-f]{3}.tmp\")\n | where not(NewProcessName matches regex @\"Temp\\\\[0-9]{1}\\\\TRA[0-9A-Fa-f]{4}.tmp\")\n | where not(NewProcessName matches regex @\"Installer\\\\MSI[0-9A-Fa-f]{3}.tmp\")\n | where not(NewProcessName matches regex @\"Installer\\\\MSI[0-9A-Fa-f]{4}.tmp\")\n | project TimeGenerated, ComputerName=Computer, AccountName=SubjectUserName, AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, '\\\\')[-1]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName;\n processEvents;\n };\n let normalizedProcesses = ProcessCreationEvents \n | project TimeGenerated, FileName = replace(\"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}\", \"<guid>\", FileName) // normalize guids\n | project TimeGenerated, FileName=replace(@'\\d', 'n', FileName); // normalize digits away\n let freqs = normalizedProcesses\n | summarize frequency=count() by FileName\n | join kind= leftouter (\n normalizedProcesses\n | summarize Since=min(TimeGenerated), LastSeen=max(TimeGenerated) by FileName\n ) on FileName;\n freqs \n | where frequency <= toscalar( freqs | serialize | project frequency | summarize percentiles(frequency, 5))\n | order by frequency asc\n | project FileName, frequency, Since, LastSeen \n // restrict results to unusual processes seen in last day \n | where LastSeen >= ago(1d) \n | extend Timestamp = Since"
}
"query": "let ProcessCreationEvents=() {\n let processEvents=SecurityEvent\n | where EventID==4688\n | where not(NewProcessName matches regex @\"Temp\\\\[0-9]{1}\\\\TRA[0-9A-Fa-f]{3}\\.tmp\")\n | where not(NewProcessName matches regex @\"Temp\\\\[0-9]{1}\\\\TRA[0-9A-Fa-f]{4}\\.tmp\")\n | where not(NewProcessName matches regex @\"Installer\\\\MSI[0-9A-Fa-f]{3}\\.tmp\") \n | where not(NewProcessName matches regex @\"Installer\\\\MSI[0-9A-Fa-f]{4}\\.tmp\")\n | project TimeGenerated, ComputerName=Computer, AccountName=SubjectUserName, AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, '\\\\')[-1]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName;\n processEvents\n };\n let normalizedProcesses = ProcessCreationEvents \n | project TimeGenerated, FileName = replace(\"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}\", \"<guid>\", FileName)\n | project TimeGenerated, FileName=replace(@'\\d', 'n', FileName);\n let freqs = normalizedProcesses\n | summarize frequency=count() by FileName\n | join kind= leftouter (\n normalizedProcesses\n | summarize Since=min(TimeGenerated), LastSeen=max(TimeGenerated) by FileName\n ) on FileName;\n freqs \n | where frequency <= toscalar( freqs | serialize | project frequency | summarize percentiles(frequency, 5))\n | order by frequency asc\n | project FileName, frequency, Since, LastSeen \n | where LastSeen >= ago(1d)\n | extend Timestamp = Since"
}
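Review bot: The second `"query"` line (the new side, if the rendered page's old-then-new order and the 2/2 diffstat are read as usual) drops the four `//` comments the old text carried, including the one that explains why the `Temp\\[0-9]{1}\\TRA…` and `Installer\\MSI…` exclusions exist; KQL keeps `//` comments inside a query string, so restoring them costs nothing and records that these name-based allowlist patterns are a deliberate, reviewable blind spot rather than an accident. The `\\.tmp` escape added to the four exclusion regexes is the right fix, since the old `.tmp` matched any character before `tmp`. I would also add a short comment at the `percentiles(frequency, 5)` step, e.g. `// 5th-percentile threshold is computed over the full lookback; the ago(1d) filter below only narrows the output`, because the ordering of the threshold and the `LastSeen >= ago(1d)` filter is easy to misread.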