56 строки
3.2 KiB
YAML
56 строки
3.2 KiB
YAML
id: 6bfea14f-2122-46b3-8f8b-3947e0fb6d92
|
|
name: Dev-0322 Command Line Activity November 2021 (ASIM Version)
|
|
description: |
|
|
'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.
|
|
The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.
|
|
The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.
|
|
This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization'
|
|
requiredDataConnectors:
|
|
- connectorId: MicrosoftDefenderAdvancedThreatProtection
|
|
dataTypes:
|
|
- SecurityAlert (MDATP)
|
|
tactics:
|
|
- Persistence
|
|
- LateralMovement
|
|
- CommandAndControl
|
|
relevantTechniques:
|
|
- T1078
|
|
- T1219
|
|
- T1021
|
|
query: |
|
|
// Look for command lines observed used by the threat actor
|
|
let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
|
|
imProcess
|
|
// Look for static cmd lines and dynamic one using regex
|
|
| where CommandLine has_any (cmd_lines) or CommandLine matches regex "save HKLM\\SYSTEM [^ ]*_System.HIV" or CommandLine matches regex 'cmd.exe /c "wmic /node:[^ ]* process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";'
|
|
| summarize count(), FirstSeen=min(TimeGenerated), LastSeen = max(TimeGenerated) by DvcId, Dvc, CommandLine, AccountName, FilePath
|
|
// Base risk score on number of command lines seen for each host
|
|
| extend RiskScore = count_
|
|
// Increase risk score if host has recent security alerts
|
|
| join kind=leftouter (SecurityAlert
|
|
| where ProviderName =~ "MDATP"
|
|
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
|
|
| mv-expand todynamic(Entities)
|
|
| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)
|
|
| where isnotempty(DvcId)
|
|
// Increase risk score further if alerts relate to malware assocaited with threat actor
|
|
| extend AlertRiskScore = iif(ThreatName has_any ("Zebracon", "Trojan:MSIL/Gacker.A!dha", "Backdoor:MSIL/Kokishell.A!dha"), 1.0, 0.5)) on DvcId
|
|
// Create aggregate risk score
|
|
| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0 , AlertRiskScore)
|
|
| extend RiskScore = RiskScore + AlertRiskScore
|
|
| project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName
|
|
| extend File = split(Process, "\\")[-1]
|
|
| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: Name
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: HostName
|
|
columnName: HostCustomEntity
|
|
- entityType: File
|
|
fieldMappings:
|
|
- identifier: Name
|
|
columnName: File |