Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Fix host with new logons query (#151) 

* Fix host with new logons query

* No need to commit DeployedQueries.json
This commit is contained in:
Igal 2019-05-01 10:47:39 +03:00 коммит произвёл GitHub
Родитель 44d5ca0170
Коммит f1b7e0a81c
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 4 добавлений и 185 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
.gitignore поставляемый
Просмотреть файл

@ -329,3 +329,6 @@ ASALocalRun/
# MFractors (Xamarin productivity tool) working folder
.mfractor/
**/.ipynb_checkpoints/**
# No need to store DeployedQueries.json - it is auto generated anyway
Hunting Queries/DeployedQueries.json

183
Hunting Queries/DeployedQueries.json
Просмотреть файл

@ -1,183 +0,0 @@
[
{
"id": "73ac88c0-f073-4b23-8ac4-9f40ea11308d",
"name": "Anomalous Azure Active Directory apps based on authentication location",
"description": "This query over Azure AD sign-in activity highlights Azure AD apps with an unusually high ratio of distinct geolocations versus total number of authentications",
"tactics": [
"InitialAccess"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let timeRange=ago(14d);\nlet azureSignIns = \nSigninLogs\n| where TimeGenerated \u003e= timeRange\n| where SourceSystem == \"Azure AD\"\n| where OperationName == \"Sign-in activity\"\n| project TimeGenerated, OperationName, AppDisplayName , Identity, UserId, UserPrincipalName, Location, LocationDetails , ClientAppUsed , DeviceDetail, ConditionalAccessPolicies;\nazureSignIns\n| extend locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n| summarize rawSigninCount=count(), countByAccount=dcount(UserId), locationCount=dcount(locationString) by AppDisplayName\n| where rawSigninCount \u003c 1000 // tail - pick a threshold to rule out the very-high volume Azure AD apps\n| where locationCount\u003ecountByAccount // more locations than accounts\n| where 1.0*rawSigninCount / locationCount \u003e 0.8 // almost as many / more locations than sign-ins!\n| order by rawSigninCount desc\n| join kind = leftouter (\n azureSignIns \n) on AppDisplayName \n| project AppDisplayName, TimeGenerated , Identity, rawSigninCount, countByAccount , locationCount, locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n| order by AppDisplayName, TimeGenerated desc"
},
{
"id": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad",
"name": "Base64 encoded Windows executables in process commandlines",
"description": "finds instances of base64 encoded PE files header seen in process command line parameter.",
"tactics": [
"InitialAccess",
"Execution",
"DefenseEvasion"
],
"createdTimeUtc": "2019-01-28T05:28:39-08:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,\nFileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]),\nProcessCommandLine = CommandLine, \nFolderPath = \"\",\nInitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\";\nprocessEvents};\nProcessCreationEvents\n| where ProcessCommandLine contains \"TVqQAAMAAAAEAAA\"\n| where TimeGenerated \u003e= ago(24h)\n| top 1000 by TimeGenerated"
},
{
"id": "d6190dde-8fd2-456a-ac5b-0a32400b0464",
"name": "Process executed from binary hidden in Base64 encoded file. ",
"description": " Encoding malicious software is a technique to obfuscate files from detection. The first ProcessCommandLine component is looking for Python decoding base64 The second ProcesssCommandLine component is looking for the Bash/sh commandline base64 decoding tool The third one is looking for Ruby decoding base64",
"tactics": [
"InitialAccess",
"Execution",
"DefenseEvasion"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,AccountDomain=SubjectDomainName,\nFileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]), // convert SecurityEvents raw schema to get FileName \u0026 CommandLine \nProcessCommandLine = CommandLine, \nFolderPath = \"\",\nInitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\";\nprocessEvents ;\n};\nProcessCreationEvents \n| where TimeGenerated \u003e ago(1d) \n| where ProcessCommandLine contains \".decode(\u0027base64\u0027)\"\n or ProcessCommandLine contains \"base64 --decode\"\n or ProcessCommandLine contains \".decode64(\" \n| project TimeGenerated , ComputerName , FileName , ProcessCommandLine , InitiatingProcessCommandLine \n| top 100 by TimeGenerated"
},
{
"id": "a1e993de-770a-4434-83e9-9e3b47a6e470",
"name": "Enumeration of users and groups ",
"description": "finds attempts to list users or groups using the built-in Windows \u0027net\u0027 tool ",
"tactics": [
"Discovery"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,\nFileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]),\nProcessCommandLine = CommandLine, \nFolderPath = \"\",\nInitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\";\nprocessEvents};\nProcessCreationEvents\n| where FileName == \u0027net.exe\u0027 and AccountName != \"\" and ProcessCommandLine !contains \u0027\\\\\u0027 and ProcessCommandLine !contains \u0027/add\u0027 \n| where (ProcessCommandLine contains \u0027 user \u0027 or ProcessCommandLine contains \u0027 group \u0027) and (ProcessCommandLine endswith \u0027 /do\u0027 or ProcessCommandLine endswith \u0027 /domain\u0027) \n| extend Target = extract(\"(?i)[user|group] (\\\"*[a-zA-Z0-9-_ ]+\\\"*)\", 1, ProcessCommandLine) | filter Target != \u0027\u0027 \n| summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by AccountName, Target, ProcessCommandLine, ComputerName\n| project minTimeGenerated, maxTimeGenerated, count_, AccountName, Target, ProcessCommandLine, ComputerName\n| sort by AccountName, Target"
},
{
"id": "e7642e6e-cf27-46ec-a4b9-e4475228fead",
"name": "Summary of failed user logons by reason of failure",
"description": "A summary of failed logons can be used to infer lateral movement with the intention of discovering credentials and sensitive data",
"tactics": [
"InitialAccess",
"LateralMovement",
"Persistence"
],
"createdTimeUtc": "2019-04-03T12:57:12+03:00",
"query": "SecurityEvent|\nwhere AccountType == \u0027User\u0027 and EventID == 4625\n| extend Reason = case(\nSubStatus == \u00270xc000005e\u0027, \u0027No logon servers available to service the logon request\u0027,\nSubStatus == \u00270xc0000062\u0027, \u0027Account name is not properly formatted\u0027,\nSubStatus == \u00270xc0000064\u0027, \u0027Account name does not exist\u0027,\nSubStatus == \u00270xc000006a\u0027, \u0027Incorrect password\u0027, SubStatus == \u00270xc000006d\u0027, \u0027Bad user name or password\u0027,\nSubStatus == \u00270xc000006f\u0027, \u0027User logon blocked by account restriction\u0027,\nSubStatus == \u00270xc000006f\u0027, \u0027User logon outside of restricted logon hours\u0027,\nSubStatus == \u00270xc0000070\u0027, \u0027User logon blocked by workstation restriction\u0027,\nSubStatus == \u00270xc0000071\u0027, \u0027Password has expired\u0027,\nSubStatus == \u00270xc0000072\u0027, \u0027Account is disabled\u0027,\nSubStatus == \u00270xc0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\nSubStatus == \u00270xc000015b\u0027, \u0027The user has not been granted the requested logon right at this machine\u0027,\nSubStatus == \u00270xc0000193\u0027, \u0027Account has expirated\u0027,\nSubStatus == \u00270xc0000224\u0027, \u0027User is required to change password at next logon\u0027,\nSubStatus == \u00270xc0000234\u0027, \u0027Account is currently locked out\u0027,\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\n| summarize count() by Reason"
},
{
"id": "62e2df59-1535-4c8e-ac6c-c91faeed0179",
"name": "Hosts with new logons",
"description": "Shows new accounts that have logged onto a host for the first time - this may clearly be benign activity but an account logging onto multiple hosts for the first time can also be used to look for evidence of that account being used to move laterally across a network.",
"tactics": [
"LateralMovement"
],
"createdTimeUtc": "2019-04-03T12:57:12+03:00",
"query": "let LogonEvents=() { \nlet logonSuccess=SecurityEvent \n| where EventID==4624 \n| project TimeGenerated, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType=\u0027Logon\u0027;\nlet logonFail=SecurityEvent \n| where EventID==4625 \n| project TimeGenerated, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType=\u0027LogonFailure\u0027;\nlogonFail \n| union logonSuccess\n};\nLogonEvents \n| where TimeGenerated \u003e= ago(30d) \n| where ActionType == \u0027Logon\u0027 \n| summarize count() by ComputerName, AccountName \n| join kind=leftouter ( \nLogonEvents \n| where TimeGenerated \u003e= ago(1d) \n| where ActionType == \u0027Logon\u0027 \n| summarize count() by ComputerName, AccountName \n) on ComputerName \n| where AccountName != AccountName1 \n| summarize HostCount=dcount(ComputerName) by AccountName1 \n| extend Name = AccountName1 \n| project Name , HostCount\"\n}"
},
{
"id": "75bf9902-0789-47c1-a5d8-f57046aa72df",
"name": "Malware in the recycle bin.",
"description": "finding attackers hiding malware in the recycle bin. Read more here: https://azure.microsoft.com/en-us/blog/how-azure-security-center-helps-reveal-a-cyberattack/ ",
"tactics": [
"Execution",
"DefenseEvasion"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,\nFileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]),\nProcessCommandLine = CommandLine, \nInitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\";\nprocessEvents};\nProcessCreationEvents \n| where FileName in~(\u0027cmd.exe\u0027,\u0027ftp.exe\u0027,\u0027schtasks.exe\u0027,\u0027powershell.exe\u0027,\u0027rundll32.exe\u0027,\u0027regsvr32.exe\u0027,\u0027msiexec.exe\u0027)\n| where ProcessCommandLine contains \":\\\\recycler\"\n| project TimeGenerated, ComputerName, ProcessCommandLine, InitiatingProcessFileName"
},
{
"id": "60304ebf-ebdd-4869-a702-e0216d90ab46",
"name": "masquerading files.",
"description": "Malware writers often use windows system process names for their malicious process names to make them blend in with other legitimate commands that the Windows system executes. An analyst can create a simple query looking for a process named svchost.exe. It is recommended to filter out well-known security identifiers (SIDs) that are used to launch the legitimate svchost.exe process. The query also filters out the legitimate locations from which svchost.exe is launched.",
"tactics": [
"Execution",
"DefenseEvasion"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "SecurityEvent\n| where NewProcessName endswith \"\\\\svchost.exe\"\n| where SubjectUserSid !in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n| where NewProcessName !contains \":\\\\Windows\\\\System32\"\n| where NewProcessName !contains \":\\\\Windows\\\\Syswow64\"\n| summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by Computer, SubjectUserName, NewProcessName, CommandLine\n| project minTimeGenerated , maxTimeGenerated , count_ , Computer , SubjectUserName , NewProcessName , CommandLine \n "
},
{
"id": "41fa6e2d-afe9-4398-9356-cec3a927e44e",
"name": "Azure Active Directory signins from new locations.",
"description": "New Azure Active Directory signin locations today versus historical Azure Active Directory signin data In the case of password spraying or brute force attacks one might see authentication attempts for many accounts from a new location.",
"tactics": [
"InitialAccess"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "SigninLogs\n| where TimeGenerated \u003e= ago(1d)\n| summarize perIdentityAuthCount=count() by Identity, locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n| summarize distinctAccountCount = count(), identityList=makeset(Identity) by locationString\n| extend identityList = iff(distinctAccountCount\u003c10, identityList, \"multiple (\u003e10)\")\n| join kind= anti (\n SigninLogs\n | where TimeGenerated \u003c ago(1d)\n | project locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", \n tostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n | summarize priorCount = count() by locationString) on locationString\n| where distinctAccountCount \u003e 1 // select threshold above which #new accounts from a new location is deemed suspicious"
},
{
"id": "513e3a11-e1bb-4cfc-8af9-451da0407e6b",
"name": "New processes observed in last 24 hours",
"description": "These new processes could be benign new programs installed on hosts; however, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.",
"tactics": [
"Execution"
],
"createdTimeUtc": "2019-02-15T10:54:40-08:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where TimeGenerated \u003e= ago(30d) \n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, @\u0027\u0027)[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\u0027\u0027,InitiatingProcessParentFileName=\u0027\u0027;\nprocessEvents};\nProcessCreationEvents\n| where TimeGenerated \u003c ago(1d)\n| summarize HostCount=dcount(ComputerName) by tostring(FileName)\n| join kind=rightanti (\n ProcessCreationEvents\n | where TimeGenerated \u003e= ago(1d)\n | summarize HostCount=dcount(ComputerName) by tostring(FileName)\n) on FileName\n| project HostCount, FileName"
},
{
"id": "5e76eaf9-79a7-448c-bace-28e5b53b8396",
"name": "Summary of users created using uncommon \u0026 undocumented commandline switches",
"description": "Summarizes uses of uncommon \u0026 undocumented commandline switches to create persistence User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136 Query for users being created using \"net user\" command \"net user\" commands are noisy, so needs to be joined with another signal - e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add)",
"tactics": [
"Persistence"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "SecurityEvent\n| where EventID==4688\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, \n AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]), \n ProcessCommandLine = CommandLine, \n FolderPath = \"\", InitiatingProcessFileName=ParentProcessName,\n InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\"\n| where FileName in~ (\"net.exe\", \"net1.exe\")\n| parse kind=regex flags=iU ProcessCommandLine with * \"user \" CreatedUser \" \" * \"/ad\"\n| where not(FileName =~ \"net1.exe\" and InitiatingProcessFileName =~ \"net.exe\" and replace(\"net\", \"net1\", InitiatingProcessCommandLine) =~ ProcessCommandLine)\n| extend CreatedOnLocalMachine=(ProcessCommandLine !contains \"/do\")\n| where ProcessCommandLine contains \"/add\" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains \"/domain\")\n| summarize MachineCount=dcount(ComputerName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine"
},
{
"id": "d83f40fc-bbcc-4020-8d45-ad2d82355cb2",
"name": "powershell downloads",
"description": "Finds PowerShell execution events that could involve a download",
"tactics": [
"InitialAccess",
"Execution",
"Persistence"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,\n FileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]),\nProcessCommandLine = CommandLine, \nInitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\";\nprocessEvents};\nProcessCreationEvents\n| where FileName in~ (\"powershell.exe\", \"powershell_ise.exe\")\n| where ProcessCommandLine has \"Net.WebClient\"\n or ProcessCommandLine has \"DownloadFile\"\n or ProcessCommandLine has \"Invoke-WebRequest\"\n or ProcessCommandLine has \"Invoke-Shellcode\"\n or ProcessCommandLine contains \"http:\"\n| project TimeGenerated, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine\n| top 100 by TimeGenerated"
},
{
"id": "36abe031-962d-482e-8e1e-a556ed99d5a3",
"name": "Cscript script daily summary breakdown",
"description": " breakdown of scripts running in the environment",
"tactics": [
"Execution"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| project EventTime=TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,\nFileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]),\nProcessCommandLine = CommandLine, \nInitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine=\"\",InitiatingProcessParentFileName=\"\";\nprocessEvents;\n};\nProcessCreationEvents | where FileName =~ \"cscript.exe\"\n| project removeSwitches = replace(@\"/+[a-zA-Z0-9:]+\", \"\", ProcessCommandLine) // remove commandline switches\n| project CommandLine = trim(@\"[a-zA-Z0-9\\\\:\"\"]*cscript(.exe)?(\"\")?(\\s)+\", removeSwitches) // remove the leading cscript.exe process name \n| project ScriptName= iff(CommandLine startswith @\"\"\"\", \n extract(@\"([:\\\\a-zA-Z_\\-\\s0-9\\.()]+)(\"\"?)\", 0, CommandLine), // handle case where script name is enclosed in \" characters\n extract(@\"([:\\\\a-zA-Z_\\-0-9\\.()]+)(\"\"?)\", 0, CommandLine)) // handle case where script name is not enclosed in quotes \n , CommandLine \n| project ScriptName=trim(@\"\"\"\", ScriptName) , ScriptNameLength=strlen(ScriptName), CommandLine \n| project ScriptName, ScriptParams = iff(ScriptNameLength \u003c strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), \"\")\n| summarize by ScriptName, ScriptParams "
},
{
"id": "e8ae1375-4640-430c-ae8e-2514d09c71eb",
"name": "New user agents associated with a clientIP for sharepoint file uploads/downloads",
"description": "New user agents associated with a clientIP for sharepoint file uploads/downloads. ",
"tactics": [
"Exfiltration"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let historicalUA=\nOfficeActivity\n| where RecordType == \"SharePointFileOperation\"\n| where Operation in (\"FileDownloaded\", \"FileUploaded\")\n| where TimeGenerated between(ago(30d)..ago(7d))\n| summarize by ClientIP, UserAgent;\nlet recentUA = OfficeActivity\n| where RecordType == \"SharePointFileOperation\"\n| where Operation in (\"FileDownloaded\", \"FileUploaded\")\n| where TimeGenerated \u003e ago(1d) \n| summarize by ClientIP, UserAgent;\nrecentUA | join kind=leftanti (\n historicalUA \n) on ClientIP, UserAgent\n| where not(isempty(ClientIP)); "
},
{
"id": "2ff4b10c-7056-4898-83fd-774104189fd5",
"name": "uncommon processes - bottom 5%",
"description": "Identify and decode new encoded powershell scripts this week versus previous fortnight",
"tactics": [
"InitialAccess",
"Execution",
"Persistence",
"PrivilegeEscalation",
"CredentialAccess",
"Discovery",
"LateralMovement",
"Collection",
"Exfiltration",
"CommandandControl"
],
"createdTimeUtc": "2019-01-24T10:30:15+00:00",
"query": "let ProcessCreationEvents=() {\n let processEvents=SecurityEvent\n | where EventID==4688\n // filter out common randomly named files related to MSI installers and browsers\n | where not(NewProcessName matches regex @\"\\\\TRA[0-9A-Fa-f]{3}\\.tmp\")\n | where not(NewProcessName matches regex @\"\\\\TRA[0-9A-Fa-f]{4}\\.tmp\")\n | where not(NewProcessName matches regex @\"Installer\\\\MSI[0-9A-Fa-f]{3}\\.tmp\")\n | where not(NewProcessName matches regex @\"Installer\\\\MSI[0-9A-Fa-f]{4}\\.tmp\")\n | project TimeGenerated, \n ComputerName=Computer,\n AccountName=SubjectUserName, \n AccountDomain=SubjectDomainName,\n FileName=tostring(split(NewProcessName, \u0027\\\\\u0027)[-1]),\n ProcessCommandLine = CommandLine, \n InitiatingProcessFileName=ParentProcessName,\n InitiatingProcessCommandLine=\"\",\n InitiatingProcessParentFileName=\"\";\n processEvents;\n };\n let normalizedProcesses = ProcessCreationEvents \n // normalize guids\n | project TimeGenerated, FileName = replace(\"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}\", \"\u003cguid\u003e\", FileName)\n // normalize digits away\n | project TimeGenerated, FileName=replace(@\u0027\\d\u0027, \u0027n\u0027, FileName); \n let freqs = normalizedProcesses\n | summarize frequency=count() by FileName\n | join kind= leftouter (\n normalizedProcesses\n | summarize Since=min(TimeGenerated), LastSeen=max(TimeGenerated) by FileName\n ) on FileName;\n freqs \n | where frequency \u003c= toscalar( freqs | serialize | project frequency | summarize percentiles(frequency, 5))\n | order by frequency asc\n | project FileName, frequency, Since, LastSeen \n // restrict results to unusual processes seen in last day \n | where LastSeen \u003e= ago(1d)"
},
{
"id": "d0f13bb9-e713-4f89-b610-1806326a1dea",
"name": "Summary of user logons by logon type",
"description": "Comparing succesful and nonsuccessful logon attempts can be used to identify attempts to move laterally within the environment with the intention of discovering credentials and sensitive data.",
"tactics": [
"InitialAccess",
"LateralMovement",
"Persistence"
],
"createdTimeUtc": "2019-04-03T12:57:12+03:00",
"query": "SecurityEvent\n| where EventID in (4624, 4625)\n| where AccountType == \u0027User\u0027 \n| summarize Amount = count() by LogonTypeName"
}
]

3
Hunting Queries/SecurityEvent/HostsWithNewLogons.txt
Просмотреть файл

@ -28,5 +28,4 @@ LogonEvents
| where AccountName != AccountName1
| summarize HostCount=dcount(ComputerName) by AccountName1
| extend Name = AccountName1
| project Name , HostCount"
}
| project Name , HostCount