adfind hunting query
This commit is contained in:
Родитель
1c9acc4979
Коммит
fd821d64a1
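--- /dev/null
+++ b/(path not shown)
@@ -0,0 +1,38 @@
+id: dd6fb889-43ef-44e1-a01d-093ab4bb12b2
+name: Suspicious enumeration using Adfind tool
+description: |
+Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system.
+Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers.
+Below references talk about suspicious use of adfind by adversaries.
+- https://thedfirreport.com/2020/05/08/adfind-recon/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
+requiredDataConnectors:
+- connectorId: SecurityEvents
+dataTypes:
+- SecurityEvent
+tactics:
+- Execution
+- Discovery
+- Collection
+relevantTechniques:
+- T1059
+- T1087
+- T1482
+- T1201
+- T1069
+- T1074
+query: |
+let stardate = 14d;
+let lookupwindow = 2m;
+let threshold = 3;
+let tokens = dynamic(["-b","-f","-h","gcb","-sc","-subnets","objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd"]);
+SecurityEvent
+//| where Computer in (DCADFSServersList) // limit it to your DC/ADFS servers list or any pattern in hostnames.
+| where TimeGenerated between (ago(stardate)..now())
+| where EventID == "4688"
+| where tolower(CommandLine) has_any (tokens)
+| where CommandLine matches regex "(.*)>(.*)"
+| summarize Commadlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName
+| extend Count= array_length(Commadlines)
+| where Count > threshold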
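Review bot: The `matches regex "(.*)>(.*)"` filter only passes events whose 4688 command line contains a shell redirection `>`, so an AdFind run launched without cmd.exe redirection (PowerShell `Out-File`, or an implant executing the binary directly) never reaches the summarize step, while the generic tokens `-b`, `-f`, `-h` in `tokens` are likely to term-match a lot of unrelated tooling that the `Count > threshold` cut then has to suppress. I would replace the regex with the equivalent and cheaper `| where CommandLine contains ">"`, drop the `tolower()` since `has_any` is already case-insensitive, and require at least one AdFind-specific term (`trustdmp`, `dcmodes`, `adinfo`, `computers_pwdnotreqd`, `objectcategory`) alongside the short switches rather than treating them as equal evidence. The description should also state that the query depends on process-creation auditing with command-line logging enabled, because `CommandLine` is otherwise empty and the query returns nothing without any indication why. `stardate` and `Commadlines` look like typos for `startdate` and `CommandLines`.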