Id: 6537a8c3-a269-4b2f-8c70-3824c23fef7b
DisplayName: Services created on host
Description: Any service created on the given host around the time of compromise, i.e. during or shortly after it (set the time range to +-6h when running the query)
InputEntityType: Host
InputFields:
- HostName
OutputEntityTypes:
- Process
QueryPeriodBefore: 6h
QueryPeriodAfter: 6h
DataSources:
- Event
Tactics:
- Persistence
- Discovery
- LateralMovement
- Collection
query: |
let GetServiceCreationsOnHost = (v_Host_HostName:string){
Event
// 7045: A service was installed in the system
| where EventID == 7045
| where Computer =~ v_Host_HostName
| extend EventDataParse = parse_xml(EventData)
| extend Process_Aux_ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0]['#text'])
| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1]['#text'])
| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2]['#text'])
| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3]['#text'])
| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4]['#text'])
| where ImagePath !has '\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\'
and ImagePath !has '\\Packages\\Plugins\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\'
and not(ImagePath has '\\WindowsAzure\\GuestAgent_' and ImagePath has '\\Telemetry\\WindowsAzureTelemetryService.exe')
and not(ImagePath has '\\WindowsAzure\\GuestAgent_' and ImagePath has '\\GuestAgent\\WindowsAzureGuestAgent.exe')
| extend Process_Aux_Service_info = pack('ServiceName', Process_Aux_ServiceName, 'ServiceType', ServiceType, 'StartType', StartType, 'ServiceAccount', ServiceAccount)
| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info
| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated
| top 10 by Process_CreationTimeUtc desc nulls last
};
// change <HostName> value below
GetServiceCreationsOnHost('<HostName>')