{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Attacker Tools Threat Protection Essentials"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Attacker Tools Threat Protection Essentials",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-attackertools",
"_solutionId": "[variables('solutionId')]",
"huntingQueryObject1": {
"huntingQueryVersion1": "1.0.1",
"_huntingQuerycontentId1": "dde206fc-3f0b-4175-bb5d-42d2aae9d4c9",
"huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('dde206fc-3f0b-4175-bb5d-42d2aae9d4c9')))]"
},
"huntingQueryObject2": {
"huntingQueryVersion2": "1.0.1",
"_huntingQuerycontentId2": "24ae555c-5e33-4b5d-827a-44206e39f6b4",
"huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('24ae555c-5e33-4b5d-827a-44206e39f6b4')))]"
},
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd','-', '1.0.3')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.2",
"_analyticRulecontentId2": "4ebbb5c2-8802-11ec-a8a3-0242ac120002",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4ebbb5c2-8802-11ec-a8a3-0242ac120002')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4ebbb5c2-8802-11ec-a8a3-0242ac120002')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4ebbb5c2-8802-11ec-a8a3-0242ac120002','-', '1.0.2')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "32ffb19e-8ed8-40ed-87a0-1adb4746b7c4",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '32ffb19e-8ed8-40ed-87a0-1adb4746b7c4')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('32ffb19e-8ed8-40ed-87a0-1adb4746b7c4')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','32ffb19e-8ed8-40ed-87a0-1adb4746b7c4','-', '1.0.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.3.1",
"_analyticRulecontentId4": "ef88eb96-861c-43a0-ab16-f3835a97c928",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ef88eb96-861c-43a0-ab16-f3835a97c928')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ef88eb96-861c-43a0-ab16-f3835a97c928')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ef88eb96-861c-43a0-ab16-f3835a97c928','-', '1.3.1')))]"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Attacker_Tools_Threat_Protection_Essentials_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Cobalt Strike DNS Beaconing",
"category": "Hunting Queries",
"query": "let badNames = dynamic([\"aaa.stage.\", \"post.1\"]);\n(union isfuzzy=true\n(DnsEvents \n| where Name has_any (badNames)\n| extend Domain = Name, SourceIp = ClientIP, RemoteIP = todynamic(IPAddresses)\n| mvexpand RemoteIP\n| extend RemoteIP = tostring(RemoteIP)),\n(VMConnection\n| where isnotempty(RemoteDnsCanonicalNames) \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where DNSName has_any (badNames)\n| extend Domain = DNSName, RemoteIP = RemoteIp\n))\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer\n| extend timestamp = StartTimeUtc, HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n| extend Host_0_HostName = HostName\n| extend Host_0_DnsDomain = DnsDomain\n| extend IP_0_Address = RemoteIP\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Cobalt Strike is a well-known penetration-testing tool used by pen testers and attackers alike to compromise an environment. \n The query tries to detect suspicious DNS queries known from Cobalt Strike beacons."
},
{
"name": "tactics",
"value": "CommandAndControl"
},
{
"name": "techniques",
"value": "T1568,T1008"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "Attacker Tools Threat Protection Essentials Hunting Query 1",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "Cobalt Strike DNS Beaconing",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]",
"version": "1.0.1"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Attacker_Tools_Threat_Protection_Essentials_Hunting_Query_2",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Potential Impacket Execution",
"category": "Hunting Queries",
"query": "(union isfuzzy=true\n(SecurityEvent\n| where EventID == '5145'\n| where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @\".tmp\"\n| where ShareName has \"\\\\\\\\*\\\\ADMIN$\"\n),\n(WindowsEvent\n| where EventID == '5145' \n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\n| extend ShareName= tostring(EventData.ShareName)\n| where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @\".tmp\"\n| where ShareName has \"\\\\\\\\*\\\\ADMIN$\"\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n)\n)\n| extend timestamp = TimeGenerated \n| extend NTDomain = split(Account, '\\\\', 0)[0], UserName = split(Account, '\\\\', 1)[0]\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n| extend Account_0_Name = UserName\n| extend Account_0_NTDomain = NTDomain\n| extend Host_0_HostName = HostName\n| extend Host_0_DnsDomain = DnsDomain\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "This hunting query identifies execution of the Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping."
},
{
"name": "tactics",
"value": "CredentialAccess"
},
{
"name": "techniques",
"value": "T1557.001,T1040,T1003.001,T1003.002,T1003.003,T1003.004,T1558.003"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "Attacker Tools Threat Protection Essentials Hunting Query 2",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "Potential Impacket Execution",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]",
"version": "1.0.1"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.",
"displayName": "Probable AdFind Recon Tool Usage",
"enabled": false,
"query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nDeviceProcessEvents\n//looks for execution from a shell\n| where InitiatingProcessFileName in~ (parentProcesses)\n// main filter\n| where FileName =~ \"AdFind.exe\" or SHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or ProcessCommandLine has_any (args)\n| extend HostName = split(DeviceName, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'), FileHashAlgorithm = \"SHA256\"\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"DeviceProcessEvents"
],
"connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
"Discovery"
],
"subTechniques": [
"T1069.002",
"T1087.002"
],
"techniques": [
"T1016",
"T1018",
"T1069",
"T1087",
"T1482"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "InitiatingProcessFileName",
"identifier": "ProcessId"
},
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "FileHashAlgorithm",
"identifier": "Algorithm"
},
{
"columnName": "SHA256",
"identifier": "Value"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 1",
"parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "Probable AdFind Recon Tool Usage",
"contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
"id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.",
"displayName": "Credential Dumping Tools - Service Installation",
"enabled": false,
"query": "// Enter a reference list of decoy users (usernames) \"Case Sensitive\"\nlet MaliciousServiceArtifacts = dynamic ([\"fgexec\",\"cachedump\",\"mimikatz\",\"mimidrv\",\"wceservice\",\"pwdump\"]);\nEvent\n| where Source == \"Service Control Manager\" and EventID == 7045\n| parse EventData with * 'ServiceName\">' ServiceName \"<\" * 'ImagePath\">' ImagePath \"<\" *\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\n| parse EventData with * 'AccountName\">' AccountName \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"Event"
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"CredentialAccess"
],
"subTechniques": [
"T1003.001"
],
"techniques": [
"T1003"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
"identifier": "Name"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "ImagePath",
"identifier": "Name"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 2",
"parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "Credential Dumping Tools - Service Installation",
"contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
"id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This query detects the creation of credential dumping tool files. Several credential dumping tools export files with hardcoded file names.\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/",
"displayName": "Credential Dumping Tools - File Artifacts",
"enabled": false,
"query": "// Enter a reference list of malicious file artifacts\nlet MaliciousFileArtifacts = dynamic ([\"lsass.dmp\",\"test.pwd\",\"lsremora.dll\",\"lsremora64.dll\",\"fgexec.exe\",\"pwdump\",\"kirbi\",\"wce_ccache\",\"wce_krbtkts\",\"wceaux.dll\",\"PwHashes\",\"SAM.out\",\"SECURITY.out\",\"SYSTEM.out\",\"NTDS.out\",\"DumpExt.dll\",\"DumpSvc.exe\",\"cachedump64.exe\",\"cachedump.exe\",\"pstgdump.exe\",\"servpw64.exe\",\"servpw.exe\",\"pwdump.exe\",\"fgdump-log\"]);\nEvent\n| where EventLog == \"Microsoft-Windows-Sysmon/Operational\" and EventID==11\n| parse EventData with * 'TargetFilename\">' TargetFilename \"<\" *\n| where TargetFilename has_any (MaliciousFileArtifacts)\n| parse EventData with * 'ProcessGuid\">' ProcessGuid \"<\" * 'Image\">' Image \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"Event"
],
"connectorId": "SecurityEvents"
}
],
"tactics": [
"CredentialAccess"
],
"subTechniques": [
"T1003.001"
],
"techniques": [
"T1003"
],
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "TargetFilename",
"identifier": "Name"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "Image",
"identifier": "CommandLine"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 3",
"parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "Credential Dumping Tools - File Artifacts",
"contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
"id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.",
"displayName": "Powershell Empire Cmdlets Executed in Command Line",
"enabled": false,
"query": "let regexEmpire = tostring(toscalar(externaldata(cmdlets:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/EmpireCommandString.txt\"] with (format=\"txt\")));\n(union isfuzzy=true\n (SecurityEvent\n| where EventID == 4688\n//consider filtering on filename if perf issues occur\n//where FileName in~ (\"powershell.exe\",\"powershell_ise.exe\",\"pwsh.exe\")\n| where not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe'))\n| where CommandLine has \"-encodedCommand\"\n| parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| extend encodedCommand = iff(encodedCommand has \" \", tostring(split(encodedCommand, \" \")[0]), encodedCommand)\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\n| extend decodedCommand = translate('\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\n| where EfectiveCommand matches regex regexEmpire\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n),\n(WindowsEvent\n| where EventID == 4688\n| where EventData has_any (\"-encodedCommand\", \"powershell.exe\",\"powershell_ise.exe\",\"pwsh.exe\")\n| where not(EventData has_any ('gc_worker.exe', 'gc_service.exe'))\n//consider filtering on filename if perf issues occur\n//extend NewProcessName = tostring(EventData.NewProcessName)\n//extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n//FileName = Process\n//where FileName in~ (\"powershell.exe\",\"powershell_ise.exe\",\"pwsh.exe\")\n| extend ParentProcessName = 
tostring(EventData.ParentProcessName)\n| where not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe'))\n| extend CommandLine = tostring(EventData.CommandLine)\n| where CommandLine has \"-encodedCommand\"\n| parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| extend encodedCommand = iff(encodedCommand has \" \", tostring(split(encodedCommand, \" \")[0]), encodedCommand)\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\n| extend decodedCommand = translate('\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\n| where EfectiveCommand matches regex regexEmpire\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\n))\n",
"queryFrequency": "PT12H",
"queryPeriod": "PT12H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"SecurityEvent"
],
"connectorId": "SecurityEvents"
},
{
"dataTypes": [
"SecurityEvent"
],
"connectorId": "WindowsSecurityEvents"
},
{
"dataTypes": [
"SecurityEvents"
],
"connectorId": "WindowsSecurityEvents"
},
{
"dataTypes": [
"WindowsEvent"
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"Collection",
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Discovery",
"Execution",
"Exfiltration",
"LateralMovement",
"Persistence",
"PrivilegeEscalation"
],
"subTechniques": [
"T1548.002",
"T1134.002",
"T1134.005",
"T1087.001",
"T1087.002",
"T1557.001",
"T1071.001",
"T1547.001",
"T1547.005",
"T1547.009",
"T1059.001",
"T1059.003",
"T1136.001",
"T1136.002",
"T1543.003",
"T1555.003",
"T1484.001",
"T1114.001",
"T1573.002",
"T1546.008",
"T1567.001",
"T1567.002",
"T1574.001",
"T1574.004",
"T1574.007",
"T1574.008",
"T1574.009",
"T1070.006",
"T1056.001",
"T1056.004",
"T1003.001",
"T1021.003",
"T1021.004",
"T1053.005",
"T1518.001",
"T1558.002",
"T1558.003",
"T1569.002",
"T1127.001",
"T1552.001",
"T1552.004",
"T1550.002",
"T1102.002"
],
"techniques": [
"T1548",
"T1134",
"T1134",
"T1134",
"T1087",
"T1087",
"T1557",
"T1071",
"T1560",
"T1547",
"T1547",
"T1547",
"T1217",
"T1115",
"T1059",
"T1059",
"T1059",
"T1136",
"T1136",
"T1543",
"T1555",
"T1484",
"T1482",
"T1114",
"T1573",
"T1546",
"T1041",
"T1567",
"T1567",
"T1068",
"T1210",
"T1083",
"T1615",
"T1574",
"T1574",
"T1574",
"T1574",
"T1574",
"T1070",
"T1105",
"T1056",
"T1056",
"T1106",
"T1046",
"T1135",
"T1040",
"T1027",
"T1003",
"T1057",
"T1055",
"T1021",
"T1021",
"T1053",
"T1113",
"T1518",
"T1558",
"T1558",
"T1082",
"T1016",
"T1049",
"T1569",
"T1127",
"T1552",
"T1552",
"T1550",
"T1125",
"T1102",
"T1047"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectUserName",
"identifier": "Name"
},
{
"columnName": "SubjectDomainName",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "Attacker Tools Threat Protection Essentials Analytics Rule 4 - Powershell Empire Cmdlets Executed in Command Line",
"parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "Powershell Empire Cmdlets Executed in Command Line",
"contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
"id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Attacker Tools Threat Protection Essentials",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <strong>Attacker Tools Threat Protection Essentials</strong> solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the MITRE ATT&amp;CK kill chain.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions\">domain solution</a> and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution. The <strong>Powershell Empire Cmdlets Executed in Command Line</strong> analytic rule additionally fetches its Empire cmdlet pattern list at query time with <code>externaldata()</code> from raw.githubusercontent.com, so that rule requires the public file to be reachable from the workspace, and what it detects changes with that file's contents.</p>\n<ol>\n<li>Windows Security Events</li>\n<li>Windows Server DNS</li>\n<li>Windows Forwarded Events</li>\n<li>Microsoft Entra ID</li>\n</ol>\n<p><strong>Keywords:</strong> attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire</p>\n<p><strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Attacker Tools Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-securityevents"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-dns"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory"
}
]
},
"firstPublishDate": "2022-11-16",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}