Merge pull request #4361 from Azure/ImpacketQuery

Adding detection for Impacket tool and modification to the Actinium q…
2022-03-10 16:02:33 -08:00 · 2022-03-10 16:02:33 -08:00 · f757310688
--- a/Detections/MultipleDataSources/ActiniumFeb2022.yaml
+++ b/Detections/MultipleDataSources/ActiniumFeb2022.yaml
@ -56,7 +56,8 @@ query:  |
  let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
  (union isfuzzy=true
  (DeviceProcessEvents
-  | where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or  (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ProcessCommandLine has ('/tr "wscript.exe') and ProcessCommandLine has ('"%PUBLIC%\\Pictures\\') and ProcessCommandLine has ('//e:VBScript //b" /F')) or (ProcessCommandLine has ('wscript.exe C:\\Users\\') and ProcessCommandLine has ('.wav') and  ProcessCommandLine has ('//e:VBScript //b'))
+  | where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or  (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ProcessCommandLine has ('/tr "wscript.exe') and ProcessCommandLine has ('"%PUBLIC%\\Pictures\\') and ProcessCommandLine has ('//e:VBScript //b" /F')) or (ProcessCommandLine has ('wscript.exe C:\\Users\\') and ProcessCommandLine has ('.wav') and  ProcessCommandLine has ('//e:VBScript //b') 
+  or (ProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
  | project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256, FileName
  | extend Account = AccountName, Computer = DeviceName,  FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), "InitiatingProcessSHA256", SHA256 in (sha256Hashes), "SHA256", "No Match")
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == "InitiatingProcessSHA256", InitiatingProcessSHA256, FileHash == "SHA256", SHA256, "No Match")
@ -73,7 +74,8 @@ query:  |
  | extend timestamp = TimeGenerated, FileHashCustomEntity = 'SHA256', Account = SourceUserID
  ),
  ( imFileEvent
-  | where Hash in~ (sha256Hashes) or  (ActingProcessCommandLine  has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ActingProcessCommandLine  has ('/tr "wscript.exe') and ActingProcessCommandLine  has ('"%PUBLIC%\\Pictures\\') and ActingProcessCommandLine  has ('//e:VBScript //b" /F')) or (ActingProcessCommandLine  has ('wscript.exe C:\\Users\\') and ActingProcessCommandLine  has ('.wav') and  ActingProcessCommandLine  has ('//e:VBScript //b'))
+  | where Hash in~ (sha256Hashes) or  (ActingProcessCommandLine  has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ActingProcessCommandLine  has ('/tr "wscript.exe') and ActingProcessCommandLine  has ('"%PUBLIC%\\Pictures\\') and ActingProcessCommandLine  has ('//e:VBScript //b" /F')) or (ActingProcessCommandLine  has ('wscript.exe C:\\Users\\') and ActingProcessCommandLine  has ('.wav') and  ActingProcessCommandLine  has ('//e:VBScript //b') 
+   or (ActingProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
  | extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash
  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
@ -86,7 +88,7 @@ query:  |
  | extend Image = EventDetail.[4].["#text"],  CommandLine = EventDetail.[10].["#text"], Hashes = tostring(EventDetail.[17].["#text"])
  | extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), Hashes)
  | extend Hashes = column_ifexists("Hashes", ""), CommandLine = column_ifexists("CommandLine", "")
-  | where (Hashes has_any (sha256Hashes) ) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr "wscript.exe') and CommandLine has ('"%PUBLIC%\\Pictures\\') and CommandLine has ('//e:VBScript //b" /F')) or (CommandLine has ('wscript.exe C:\\Users\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b'))
+  | where (Hashes has_any (sha256Hashes) ) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr "wscript.exe') and CommandLine has ('"%PUBLIC%\\Pictures\\') and CommandLine has ('//e:VBScript //b" /F')) or (CommandLine has ('wscript.exe C:\\Users\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b') or (CommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
  | project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image
  | extend Type = strcat(Type, ": ", Source)
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes
@ -142,5 +144,5 @@ entityMappings:
    fieldMappings:
      - identifier: ProcessId
        columnName: ProcessCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml
+++ b/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml
@ -21,7 +21,7 @@ query: |
  // Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)
  // You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519
  let azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)
-  ["https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220228.json"]
+  ["https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220307.json"]
  with(format='multijson')
  | mv-expand values
  | mv-expand values.properties.addressPrefixes
@ -47,5 +47,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.7
+version: 1.0.8
 kind: Scheduled
--- a/Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml
+++ b/Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml
@ -16,7 +16,7 @@ relevantTechniques:
  - T1078.004
 query: |
  let azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)
-  ["https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220131.json"]
+  ["https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220307.json"]
  with(format='multijson')
  | mv-expand values
  // Limit to virtual desktop IP ranges, uncomment to see all Azure ranges
--- a/Queries/SecurityEvent/PotentialImpacketExecution.yaml
+++ b/Queries/SecurityEvent/PotentialImpacketExecution.yaml
@ -0,0 +1,42 @@
+id: 24ae555c-5e33-4b5d-827a-44206e39f6b4
+name: Potential Impacket Execution
+description: |
+  'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.
+   Refrence: https://twitter.com/SBousseaden/status/1286750095296335883'
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1003
+query: |
+  (union isfuzzy=true
+  (SecurityEvent
+  | where EventID == '5145'
+  | where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @".tmp"
+  | where ShareName has "\\\\*\\ADMIN$"
+  ),
+  (WindowsEvent
+  | where EventID == '5145' 
+  | extend RelativeTargetName= tostring(EventData.RelativeTargetName)
+  | extend ShareName= tostring(EventData.ShareName)
+  | where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @".tmp"
+  | where ShareName has "\\\\*\\ADMIN$"
+  | extend Account =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
+  )
+  )
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity