Merge pull request #1991 from thmcelro/Tom-Exchange-Queries

Tom exchange queries
2021-03-25 09:53:43 -07:00 · 2021-03-25 09:53:43 -07:00 · f1f7773c90
--- a/Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml
+++ b/Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml
@ -0,0 +1,37 @@
+id: 43701f18-c903-489e-8cc9-a2e85dc3ad23
+name: Exchange Servers and Associated Security Alerts
+description: |
+  'This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query
+  will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.'
+requiredDataConnectors:
+  - connectorId: AzureMonitor(IIS)
+    dataTypes:
+      - W3CIISLog
+  - connectorId: MicrosoftDefenderAdvancedThreatProtection
+    dataTypes:
+      - SecurityAlert (MDATP)
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+tags:
+  - Exchange
+query: |
+
+  W3CIISLog
+  | where csUriStem has_any("/owa/auth/", "/ecp/healthcheck.htm", "/ews/exchange.asmx")
+  | summarize by computer=tolower(Computer)
+  | join kind=leftouter (
+    SecurityAlert
+    | extend alertData = parse_json(Entities)
+    | mvexpand alertData
+    | where alertData.Type == "host"
+    | extend computer = iff(isnotempty(alertData.DnsDomain), tolower(strcat(tostring(alertData.HostName), "." , tostring(alertData.DnsDomain))),tolower(tostring(alertData.HostName)))
+    | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer
+  ) on computer
+  | project ExchangeServer=computer, Alerts, AlertTimes, AlertNames
+entityMappings:
+- entityType: Host
+  fieldMappings:
+    - identifier: HostName
+      columnName: ExchangeServer
--- a/Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
+++ b/Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
@ -0,0 +1,30 @@
+id: 43701f18-c903-489e-8cc9-a2e85dc3ad23
+name: Exchange Server ProxyLogon URIs
+description: |
+  'This query will detect paths suspicious associated with ProxyLogon exploitation'
+requiredDataConnectors:
+  - connectorId: AzureMonitor(IIS)
+    dataTypes:
+      - W3CIISLog
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+tags:
+  - Exchange
+query: |
+
+  W3CIISLog
+  | where TimeGenerated > ago(3d)
+  | where not(ipv4_is_private(cIP))
+  | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
+  | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
+entityMappings:
+- entityType: NetworkConnection
+  fieldMappings:
+    - identifier: DestinationAddress
+      columnName: sIP
+    - identifier: DestinationPort
+      columnName: sPort
+    - identifier: SourceAddress
+      columnName: cIP
--- a/Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml
+++ b/Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml
@ -0,0 +1,47 @@
+id: 43701f18-c903-489e-8cc9-a2e85dc3ad23
+name: Exchange Server Suspicious URIs Visited
+description: |
+  'This query will detect paths suspicious associated with ProxyLogon exploitation, it will then calculate the percentage of suspicious URIs
+  the user had visited in relation to the total number of URIs the user has visited. This query will assist in the detection of automated
+  ProxyLogon exploitation.'
+requiredDataConnectors:
+  - connectorId: AzureMonitor(IIS)
+    dataTypes:
+      - W3CIISLog
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+tags:
+  - Exchange
+query: |
+
+  let timeRange = 7d;
+  //Calculate number of suspicious URI stems visited by user
+  W3CIISLog
+  | where TimeGenerated > ago(timeRange) 
+  | where not(ipv4_is_private(cIP))
+  | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)") or (csUriStem =~ "/ews/exchange.asmx")
+  | extend userHash = hash_md5(strcat(cIP, csUserAgent))
+  | summarize susCount=dcount(csUriStem), make_list(csUriStem), min(TimeGenerated), max(TimeGenerated) by userHash, cIP, csUserAgent
+  | join kind=leftouter  (
+    //Calculate unique URI stems visited by each user
+    W3CIISLog
+    | where TimeGenerated > ago(timeRange)
+    | where not(ipv4_is_private(cIP))
+    | extend userHash = hash_md5(strcat(cIP, csUserAgent))
+    | summarize allCount=dcount(csUriStem) by userHash
+  ) on userHash
+  //Find instances where only a common endpoint was seen
+  | extend containsDefault = iff(list_csUriStem contains "/ews/exchange.asmx", 1, 0)
+  //If we only see the common endpoint and nothing else dump it
+  | extend result = iff(containsDefault == 1, containsDefault+susCount, 0)
+  | where result != 2
+  | extend susPercentage = susCount / allCount * 100
+  | where susPercentage > 90
+  | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP, AttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount, suspiciousUriCount=susCount
+entityMappings:
+- entityType: NetworkConnection
+  fieldMappings:
+    - identifier: SourceAddress
+      columnName: AttackerIP