Roberto Rodriguez
34af7566cc
added version, severity and requiredDataConnectors
2021-07-08 23:06:49 -04:00
Roberto Rodriguez
7a1e50daeb
moved ADFSDBLocalSqlStatements detection rule to hunting query
2021-07-08 20:21:32 -04:00
Pete Bryan
1a5cbe3d20
Removed errant (
2021-06-24 08:25:25 -07:00
Pete Bryan
3ae5e01c88
Updated lsass dump hunt query
2021-06-24 07:57:20 -07:00
Shain
00086a75b4
Merge pull request #2134 from chihebchebbi/master
...
Create SignedBinaryProxyExecutionRundll32.yaml
2021-06-13 09:12:15 -07:00
Chiheb Chebbi
82576ec2ac
Update SignedBinaryProxyExecutionRundll32.yaml
2021-05-19 08:18:25 +01:00
Chiheb Chebbi
cec7f2fdc8
Update SignedBinaryProxyExecutionRundll32.yaml
2021-05-18 05:28:37 +01:00
Chiheb Chebbi
63a1382475
Update SignedBinaryProxyExecutionRundll32.yaml
2021-05-03 18:43:13 +01:00
Shain
158019e9f6
Merge pull request #2195 from Azure/pebryan/2021-4-8_HuntingTimeFrameFix
...
Pebryan/2021 4 8 hunting time frame fix
2021-05-03 07:21:35 -07:00
Ashwin Patil
cbb6dbc081
fix for syntax error
2021-04-20 01:32:58 -07:00
Pete Bryan
a10c26d96c
Hunting Query TimeFrame Updates
2021-04-15 17:52:25 -07:00
Chiheb Chebbi
0f80dcb6c0
Create SignedBinaryProxyExecutionRundll32.yaml
2021-04-12 10:09:50 +01:00
Shain
70c96f1ae5
Merge pull request #1975 from chihebchebbi/master
...
Create Certutil-LOLBins.yaml
2021-04-07 17:59:11 -07:00
Chiheb Chebbi
b3737fe48e
Update Certutil-LOLBins.yaml
2021-03-29 22:23:32 +01:00
Chiheb Chebbi
32683ac9bc
Create Certutil-LOLBins.yaml
2021-03-18 12:39:52 +01:00
Shain
90dd26f479
Merge pull request #1881 from Azure/pebryan/2021-3-5_HAFNIUM2
...
MTPQueries&IOCPlaceholder
2021-03-05 15:50:58 -08:00
Pete Bryan
d33fe20fcf
formatting
2021-03-05 15:34:10 -08:00
Pete Bryan
ab5b9808d3
MTPQueries&IOCPlaceholder
2021-03-05 15:00:41 -08:00
Pete Bryan
f76588b34f
Merge pull request #1865 from Azure/pebryan/2021-3-3_W3WPHunting
...
w3wp hunting query
2021-03-04 16:25:25 -08:00
Shain Wray (MSTIC)
a7194fafad
capitalize for consistency
2021-03-04 10:54:36 -08:00
Shain Wray (MSTIC)
9c4c4d4566
adding updated tag
2021-03-04 10:49:23 -08:00
Pete Bryan
c31d1cdd79
removed unnecessary extend
2021-03-03 15:57:36 -08:00
Pete Bryan
6f267e49f8
w3wp hunting query
2021-03-03 15:50:09 -08:00
duzvik
bd8a8484ec
Update ExchangePowerShellSnapin.yaml
...
Fix correct name of pssnapin module
2021-03-03 13:40:12 +02:00
Shain
3bb69d3b51
Merge pull request #1691 from chihebchebbi/master
...
Create Windows System Shutdown-Reboot(T1529)
2021-03-02 21:41:13 -08:00
Shain
7eda7debcb
Update Windows System Shutdown-Reboot(T1529)
...
Moving timeframe and event id match higher up for better matching performance
2021-03-02 21:39:12 -08:00
Pete Bryan
fe18733f55
HAFNIUM Queries
2021-03-02 13:09:15 -08:00
Chiheb Chebbi
c06df21d65
Update Windows System Shutdown-Reboot(T1529)
2021-03-02 11:49:36 +01:00
Chiheb Chebbi
9d6913220e
Update Windows System Shutdown-Reboot(T1529)
2021-02-19 10:30:03 +01:00
Chiheb Chebbi
83e39b8a99
Update Windows System Shutdown-Reboot(T1529)
2021-02-04 10:16:28 +01:00
Shain Wray (MSTIC)
e56e19d4bf
Removing unicode chars
2021-01-31 12:59:07 -08:00
Chiheb Chebbi
9030b5dfa7
Create Windows System Shutdown-Reboot(T1529)
2021-01-31 18:00:00 +01:00
Shain
0bab07aed0
Update HostExportingMailboxAndRemovingExport.yaml
...
Adding Event filter in that was missing
2021-01-21 10:39:58 -08:00
Shain Wray (MSTIC)
8a30e89cbc
adding tags
2021-01-15 17:26:22 -08:00
Shain
9b6d406732
Update and rename Connectiontomultiplemachinesusingexplicitcredentials.yaml to MultipleExplicitCredentialUsage4648Events.yaml
...
Updating YAML name and Name to be more succinct
2020-12-26 10:28:09 -08:00
Shain
9651c32b16
Merge pull request #1525 from Azure/MultiplemachineMultipleAccount_Solorigate
...
New Proposed Hunting Query related to Solorigate
2020-12-24 17:40:35 -08:00
Shain
062eed9418
Update Connectiontomultiplemachinesusingexplicitcredentials.yaml
...
Some minor fixes and additional comments
2020-12-24 17:38:13 -08:00
Ajeet Prakash (MSTIC)
313b516097
Changes to original PR and Hunting Query
2020-12-24 15:33:29 -08:00
Shain
7ce8db8bdb
Update Suspicious_enumeration_using_adfind.yaml
...
Adding some comments and fixing some typos.
2020-12-23 19:52:36 -08:00
Ashwin Patil
6fa3d57819
fixes suggested by Shain
2020-12-23 17:54:31 -08:00
Ashwin Patil
af7d0a412a
removing some to reduce FPS
2020-12-23 11:50:27 -08:00
Ashwin Patil
6492e63a4b
fixed typo
2020-12-23 11:33:03 -08:00
Ashwin Patil
fd821d64a1
adfind hunting query
2020-12-23 10:58:50 -08:00
Ajeet Prakash (MSTIC)
5e63360e48
New Hunting Query related to Solorigate
2020-12-23 02:54:32 -08:00
Shain Wray (MSTIC)
257f1f4f2f
Fixing up syntax and change from contains to has, along with in~
2020-12-19 10:43:47 -08:00
Pete Bryan
6070df1d52
New queries and some fixes
2020-12-19 17:31:36 +00:00
Shain
4984b862af
Update ProcessEntropy.yaml
2020-11-30 08:43:21 -08:00
Shain
cca66ba911
Update ProcessEntropy.yaml
...
Improving Process Entropy performance, removing additional common processes to speed execution, improving ratios to reduce common processes further and handling Weight calculation slightly differently. Lower Weight is still indicative of High Entropy or Rarity.
2020-11-22 20:00:12 -08:00
Shain
d6ca732e3f
Update WindowsSystemTimeChange.yaml
2020-10-27 10:33:23 -07:00
Shain
70e49edf6e
Create WindowsSystemTimeChange.yaml
...
Adding in Time Change event check for Hunting.
2020-10-25 21:59:51 -07:00