56 строки
2.7 KiB
YAML
56 строки
2.7 KiB
YAML
id: 9b72769e-6ab1-4736-988b-018d92dc5e62
|
|
name: Dev-0322 File Drop Activity November 2021 (ASIM Version)
|
|
description: |
|
|
'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.
|
|
The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.
|
|
The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.
|
|
This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization'
|
|
requiredDataConnectors:
|
|
- connectorId: MicrosoftDefenderAdvancedThreatProtection
|
|
dataTypes:
|
|
- SecurityAlert (MDATP)
|
|
tactics:
|
|
- Persistence
|
|
- CommandAndControl
|
|
relevantTechniques:
|
|
- T1078
|
|
- T1219
|
|
query: |
|
|
// Look for the specific files dropped by threat actor
|
|
let files = dynamic(["C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat ", "c:\\windows\\temp\\ccc.exe"]);
|
|
imFileEvent
|
|
| where EventType =~ "FileCreated"
|
|
| where FileName endswith "elrs.exe" or FilePath has_any (files)
|
|
// Increase the risk score of command accessing file also seen
|
|
| join kind=leftouter (imProcess
|
|
| where CommandLine contains "cmd /c elrs.exe") on DvcId
|
|
| extend RiskScore = iif(isnotempty(DvcId1), 1.0, 0.5)
|
|
| project-reorder TimeGenerated, DvcId, FileName, FilePath, CommandLine, RiskScore
|
|
// Increase risk score if recent alerts for the host
|
|
| join kind=leftouter (SecurityAlert
|
|
| where ProviderName =~ "MDATP"
|
|
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
|
|
| mv-expand todynamic(Entities)
|
|
| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)
|
|
| where isnotempty(DvcId)
|
|
// Higher risk score are for Defender alerts related to threat actor
|
|
| extend AlertRiskScore = iif(ThreatName has_any ("Zebracon", "Trojan:MSIL/Gacker.A!dha", "Backdoor:MSIL/Kokishell.A!dha"), 1.0, 0.5)
|
|
| project DvcId, AlertRiskScore) on DvcId
|
|
| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
|
|
// Create agregate risk score
|
|
| extend RiskScore = RiskScore + AlertRiskScore
|
|
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName
|
|
entityMappings:
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: HostName
|
|
columnName: HostCustomEntity
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: Name
|
|
columnName: AccountCustomEntity
|
|
- entityType: File
|
|
fieldMappings:
|
|
- identifier: Name
|
|
columnName: FileName
|