45 строки
1.5 KiB
YAML
45 строки
1.5 KiB
YAML
id: 75bf9902-0789-47c1-a5d8-f57046aa72df
|
|
name: Malware in the recycle bin
|
|
description: |
|
|
'Identifies malware that has been hidden in the recycle bin.
|
|
References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- DefenseEvasion
|
|
relevantTechniques:
|
|
- T1158
|
|
query: |
|
|
|
|
let timeframe = 1d;
|
|
let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
|
|
let ProcessCreationEvents=() {
|
|
let processEvents=SecurityEvent
|
|
| where EventID==4688
|
|
| where isnotempty(CommandLine)
|
|
| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,
|
|
FileName = Process, CommandLine, ParentProcessName;
|
|
processEvents};
|
|
ProcessCreationEvents
|
|
| where TimeGenerated >= ago(timeframe)
|
|
| where FileName in~ (procList)
|
|
| where CommandLine contains ":\\recycler"
|
|
| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName
|
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|