Ashwin Patil 2022-05-09 13:12:50 -07:00
Родитель bd790567bd
Коммит e90585c7e6
2 изменённых файлов: 15 добавлений и 14 удалений


@ -4,7 +4,8 @@ description: |
'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR.
In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group,
IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , https://msrc.microsoft.com/update-guide/vulnerability/ADV220001'
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 ,
https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -21,7 +22,7 @@ relevantTechniques:
tags:
- CVE-2022-29972
query: |
let mde_threats = dynamic(["Behavior:Win32/SuspAzureRequest.A", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/LaunchingSuspCMD.B"]);
let mde_threats = dynamic(["Behavior:Win32/SuspAzureRequest.A", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/SuspAzureRequest.C", "Behavior:Win32/LaunchingSuspCMD.B"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
@ -41,5 +42,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
version: 1.0.0
version: 1.0.1
kind: scheduled
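Review bot: `DeviceInfo` is fed straight into the `join kind=inner ( SecurityAlert` with only the `tolower(DeviceName)` extend in front of it, and DeviceInfo typically holds many rows per device over a query window, so a single alert can be emitted once per matching DeviceInfo record; the join key and any later `summarize` are outside the hunk, so this may already be handled further down. If it is not, collapsing the table to one row per device before the join avoids the duplicate incidents, e.g. `DeviceInfo` followed by `| summarize arg_max(Timestamp, *) by DeviceId` and then the existing `| extend DeviceName = tolower(DeviceName)`. The join body continues past the end of the hunk.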


@ -2,7 +2,8 @@ id: 2d1a3e86-f1a0-49d0-b88a-55789e1d6660
name: Possible command injection attempts against Azure Integration Runtimes
description: |
'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , https://msrc.microsoft.com/update-guide/vulnerability/ADV220001'
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972
https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'
requiredDataConnectors:
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
@ -24,13 +25,12 @@ query: |
let parent_proc_list = dynamic(["diawp.exe", "ReportingServicesService.exe", "RSPortal.exe", "RsPowerBI.exe", "taskexecutor.exe"]);
let cmdline_tokens = dynamic(["| curl ", "/c start ", " whoami 2>&1", "-m 5 ", "--data-binary"]);
(union isfuzzy=true
(DeviceProcessEvents
| where CreatedProcessName =~ "cmd.exe"
| where InitiatingProcessName in~ ("ReportingServicesService.exe", "RSPortal.exe", "RsPowerBI.exe", "diawp.exe")
| where CreatedProcessCommandLine has_any ("| curl ", "/c start ", " whoami 2>&1", "-m 5 ", "--data-binary")
( DeviceProcessEvents
| where FileName =~ "cmd.exe"
| where InitiatingProcessFileName in~ (parent_proc_list)
| where ProcessCommandLine has_any (cmdline_tokens)
| project-reorder TimeGenerated, DeviceName, DeviceId, ProcessCommandLine, AccountName
| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName
| project-reorder TimeGenerated, DeviceName, DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = FileName
),
(imProcessCreate
| where ParentProcessName endswith "diawp.exe" or ParentProcessName endswith "ReportingServicesService.exe" or ParentProcessName endswith "RSPortal.exe" or ParentProcessName endswith "RsPowerBI.exe" or ParentProcessName endswith "taskexecutor.exe"
@ -41,20 +41,20 @@ query: |
(SecurityEvent
| where EventID == '4688'
| where Process == "cmd.exe" and isnotempty(ParentProcessName)
| where ParentProcessName endswith "diawp.exe" or ParentProcessName endswith "ReportingServicesService.exe" or ParentProcessName endswith "RSPortal.exe" or ParentProcessName endswith "RsPowerBI.exe" or ParentProcessName endswith "taskexecutor.exe"
| where (CommandLine has_any (cmdline_tokens))
| extend ParentProcess = tostring(parse_json(parse_path(ParentProcessName)).Filename)
| where ParentProcess in~ (parent_proc_list) and (CommandLine has_any (cmdline_tokens))
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
),
(WindowsEvent
| where EventID == '4688' and (EventData has_any (cmdline_tokens) or EventData has_all (parent_proc_list))
| extend CommandLine = tostring(EventData.CommandLine)
| where (CommandLine has_any (cmdline_tokens))
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where NewProcessName =~ "cmd.exe" and ParentProcessName in~ (parent_proc_list)
| where (CommandLine has_any (cmdline_tokens))
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend NewProcessId = tostring(EventData.NewProcessId)
| where NewProcessName =~ "cmd.exe" and ParentProcessName in~ (parent_proc_list)
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
)
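Review bot: The `or EventData has_all (parent_proc_list)` branch in the `where EventID == '4688'` line that opens the WindowsEvent block can never be true for a single event, because `has_all` requires every one of the five parent names to appear in that event's `EventData`, so the prefilter silently reduces to the command-line tokens alone. If the intent was to let either signal through the cheap filter it should be `| where EventID == '4688' and (EventData has_any (cmdline_tokens) or EventData has_any (parent_proc_list))`; given the later `CommandLine has_any (cmdline_tokens)` filter, `| where EventID == '4688' and EventData has_any (cmdline_tokens)` produces the same result set and is simpler. Separately, `has_any` tokenizes on non-alphanumeric characters, so the `"| curl "` entry in `cmdline_tokens` behaves like the bare term `curl` and the pipe adds no selectivity; if piping into curl is the signature, that entry needs a `contains "| curl"` check instead. The enclosing `union isfuzzy=true` opens in the previous hunk and its closing parenthesis lies past the last line shown.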