
Hunt pack: Agrius

1,106 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Agrius - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.

Detections

Chronicle (YARA-L) Original YARA-L T1486 ↗
paymen45_ransomware
Detects Paymen45 Ransomware License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
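rule paymen45_ransomware {
 meta:
    author = "Osman Demir"
    description = "Detects Paymen45 Ransomware  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/xl7e1g3hoPkA"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, Impact"

  events:
    // Three independent indicators; any one of them is enough to fire:
    //   (1) the sample launching vssadmin to wipe shadow copies (Sysmon EID 1),
    //   (2) the sample dropping its ransom note (Sysmon EID 11),
    //   (3) a file whose hash is one of the known samples.
    (
        // (1) shadow-copy deletion spawned by the sample. Image matches are
        // case-insensitive suffix regexes: full_path carries the whole path, so
        // the bare-name equality "Paymen45.exe" of the original could not match,
        // and the literal "...\system32\vssadmin.exe" was case-sensitive.
        $e.metadata.product_event_type = "1" and
        re.regex($e.principal.process.file.full_path, `.*\\Paymen45\.exe`) nocase and
        re.regex($e.target.process.file.full_path, `.*\\vssadmin\.exe`) nocase and
        $e.target.process.command_line = "vssadmin delete shadows /all /quiet"
    ) or (
        // (2) ransom-note drop.
        // NOTE(review): for a Sysmon EID 11 the creating process is usually mapped
        // to principal.process rather than target.process - confirm the parser
        // mapping before relying on this branch.
        // NOTE(review): the two path literals are reproduced exactly as this
        // listing shows them; each contains a line break where the note's file
        // name should be and must be restored from the referenced source before
        // the rule is deployed.
        $e.metadata.product_event_type = "11" and
        re.regex($e.target.process.file.full_path, `.*\\Paymen45\.exe`) nocase and
        (
            $e.target.file.full_path = "C:\\Users\\admin\\AppData\\Local\\VirtualStore\\Program Files\\Adobe\\Acrobat Reader DC\\Esl
eadme.txt" or
            $e.target.file.full_path = "C:\\Users\\admin\\Desktop
eadme.txt"
        )
    ) or (
        // (3) known-sample hashes. Both values are 64 hex digits, i.e. SHA-256,
        // so they are compared against the sha256 fields; the original placed
        // them in target.file.md5, where a 64-character value can never match.
        // target.process.file covers process-launch events, target.file covers
        // file events.
        $e.target.file.sha256 = "4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51" nocase or
        $e.target.file.sha256 = "f9dc9848892b3c1ca620a7a69cce4ff5bbf03cdfd0ad12f348973ea76d4d125e" nocase or
        $e.target.process.file.sha256 = "4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51" nocase or
        $e.target.process.file.sha256 = "f9dc9848892b3c1ca620a7a69cce4ff5bbf03cdfd0ad12f348973ea76d4d125e" nocase
    )

  condition:
    $e
}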
Chronicle (YARA-L) Original YARA-L T1012 ↗
persistence_of_ryuk_ransomware
Ryuk has been known to be part of a bigger "Triple Threat" attack that involves Emotet and TrickBot. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
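rule persistence_of_ryuk_ransomware {
 meta:
    author = "Emir Erdogan"
    description = "Ryuk has been know to be a part of a bigger \"Triple Threat\" attack that involves Emotet and TrickBot.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eWyQLgWZwv3v"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1055, T1060, T1112, T1012, T1486"

  events:
    // As originally converted every predicate was ANDed onto ONE event, so the
    // same command line had to both match a "REG ADD ... /v svchos" regex and
    // equal "vssadmin Delete Shadows /all /quiet" - unsatisfiable, the rule could
    // never fire. The two behaviours are now separate events correlated on the
    // host they ran on.

    // Event 1: reg.exe launched by cmd.exe writing the "svchos" Run value
    // (the Run-key persistence referenced by the T1060/T1112 tags).
    re.regex($reg.target.process.file.full_path, `.*\\reg\.exe`)
    re.regex($reg.principal.process.file.full_path, `.*\\cmd\.exe`)
    (
        re.regex($reg.target.process.command_line, `REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \".*\\BPWPc\.exe\" /f`) or
        // NOTE(review): the next two patterns carry a double space after "REG",
        // exactly as in the source rule; verify against the samples they encode.
        re.regex($reg.target.process.command_line, `REG  ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \".*\\YLZHK\.exe\" /f`) or
        re.regex($reg.target.process.command_line, `REG  ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \".*\\rojwa\.exe\" /f`)
    )
    $reg.principal.hostname = $hostname

    // Event 2: shadow-copy deletion or shadow-storage resize on the same host
    // (the T1486 impact stage).
    (
        $vss.target.process.command_line = "vssadmin Delete Shadows /all /quiet" or
        re.regex($vss.target.process.command_line, `vssadmin resize shadowstorage.*.*`)
    )
    $vss.principal.hostname = $hostname

  match:
    // NOTE(review): correlation window chosen for this rewrite; tune as needed.
    $hostname over 1h

  condition:
    $reg and $vss
}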
Chronicle (YARA-L) Original YARA-L T1012 ↗
poetrat_pythonrat_uses_covid19_lure
COVID-19-themed phishing document drops Python and executes malware through Python. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule poetrat_pythonrat_uses_covid19_lure {
 meta:
    author = "Emir Erdogan"
    description = "Covid19 theme phishing document drop pyhton and execute malware by python  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9l7TeSLJabOP"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1012, T1086"

  events:
    // A Word process spawning a shell whose command line matches one of the two
    // observed PoetRAT staging chains (copy .docx as .rar, unpack with WinRAR,
    // run the dropped .bat/.exe).
    // NOTE(review): T1086 in the meta tag has since been folded into T1059.001 in
    // ATT&CK; check the current matrix before mapping on it.

    // parent must be WINWORD.exe
    re.regex($child.principal.process.file.full_path, `.*\\WINWORD\.exe`)

    // child is cmd.exe or powershell.exe
    (
        re.regex($child.target.process.file.full_path, `.*\\cmd\.exe`) or
        re.regex($child.target.process.file.full_path, `.*\\powershell\.exe`)
    )

    // one of the two known staging command lines
    (
        re.regex($child.target.process.command_line, `.*/c copy .*.*\.docx .*\.rar && \"C:\\Program Files\\WinRAR\\winRar\.exe\" x -o\+ -ibck .*\.rar .*\.bat && start /b .*\.bat .*\.EXE MICROSOFT WORD`) or
        re.regex($child.target.process.command_line, `C:\\Programs\\Microsoft\\Office\\MSWord\.exe\\\.\.\\\.\.\\\.\.\\\.\..*\\powershell\.exe copy .*.*\.docx .*\.rar; & .*\\WinRAR\.exe x -ibck .*\.rar .*\.exe;Start-Sleep 5;start .*\.EXE MSW`)
    )

  condition:
    $child
}
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
recon_successful_logon_enumeration_powershell_T1033_cisa_report
Detects the use of powershell to enumerate successful logins on a specific host
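rule recon_successful_logon_enumeration_powershell_T1033_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects the use of powershell to enumerate successful logins on a specific host"
    rule_id = "mr_db589a2e-0a06-46b5-8479-f8e120ec0405"
    rule_name = "MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon"
    tactic = "TA0007"
    mitre_attack_technique = "T1033"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Info"
    priority = "Info"

  events:
    // Either the process launch itself or a STATUS_UPDATE whose description
    // carries the command (e.g. script-block style telemetry); both are tied to
    // one host through $hostname so the match window groups per host.
    (
        $process.metadata.event_type = "PROCESS_LAUNCH" and
        // cisa report referenced cmd /c and other wmic switches like /user and /password, these have been excluded to focus on the commands being issued since
        // focused on event code 4624 but could be modified to look for other event codes if needed
        // The original pattern started with "(|cmd.*/c)", an alternation whose
        // empty branch made it a no-op; it is dropped. Get-WinEvent, the current
        // replacement for the legacy Get-EventLog cmdlet, is matched as well: the
        // same enumeration written with it (Security log filtered to id 4624)
        // still carries "security" and "4624" but no "-instanceid" switch.
        re.regex($process.target.process.command_line, `(Get-EventLog.*security.*-instanceid.*4624|Get-WinEvent.*security.*4624)`) nocase
    )
    or
    (
        $process.metadata.event_type = "STATUS_UPDATE" and
        re.regex($process.security_result.description, `(Get-EventLog.*security.*-instanceid.*4624|Get-WinEvent.*security.*4624)`) nocase
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 15m

  outcome:
    $risk_score = 15
    $event_count = count_distinct($process.metadata.id)
    $security_result_description = array_distinct($process.security_result.description)
    // added to populate alert graph with additional context
    // Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}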
Chronicle (YARA-L) Original YARA-L T1018 ↗
remote_system_discovery__ping_sweep
This rule detects an attempt to identify remote systems via ping sweep License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
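rule remote_system_discovery__ping_sweep {
 meta:
    author = "Ariel Millahuel"
    description = "This rule detects an attempt to identify remote systems via ping sweep  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/fctdvCuWhicV"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "discovery, T1018"

  events:
    // Process creation from either the Security log (4688) or Sysmon (1).
    ($e.metadata.product_event_type = "4688" or $e.metadata.product_event_type = "1")

    // The sweep shows up in two ways: as the "for /l ... do ping" loop, whose
    // text is the command line of the cmd.exe that runs it, or as an individual
    // ping.exe child whose PARENT command line carries the loop. As converted,
    // the rule required the loop text on the ping.exe process's own command
    // line, which only ever holds the expanded "ping -n 1 -w 100 <ip>", so it
    // could not match. The image check is a case-insensitive suffix regex, since
    // full_path holds the whole path (e.g. ...\System32\PING.EXE), not "ping.exe".
    (
        re.regex($e.target.process.command_line, `.* for /l %i in \(1,1,254\) do ping -n 1 -w 100 192\.168\.1\.%i .*`) or
        re.regex($e.target.process.command_line, `.*for /l %i in \(1,1,254\) do ping -n 1 -w 100 .*\..*\..*\.%i.*`) or
        (
            re.regex($e.target.process.file.full_path, `.*\\ping\.exe`) nocase and
            (
                re.regex($e.principal.process.command_line, `.* for /l %i in \(1,1,254\) do ping -n 1 -w 100 192\.168\.1\.%i .*`) or
                re.regex($e.principal.process.command_line, `.*for /l %i in \(1,1,254\) do ping -n 1 -w 100 .*\..*\..*\.%i.*`)
            )
        )
    )
    // NOTE(review): a loop typed at an interactive cmd prompt never appears as a
    // process command line at all - only the ping.exe children do. Counting
    // ping.exe launches per host over a short window would cover that case.

  condition:
    $e
}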
Chronicle (YARA-L) Original YARA-L T1059 ↗
rig_ek_delivers_predator_the_thiefbot_ransomware
Rig EK Delivers Predator the thief&Bot Ransomware License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
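rule rig_ek_delivers_predator_the_thiefbot_ransomware {
 meta:
    author = "Emir Erdogan"
    description = "Rig EK Delivers Predator the thief&Bot Ransomware  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/rOXcOaqX6q1R"
    version = "0.01"
    created = "2019/11/24"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, T1059"

  events:
    // As originally converted the payload-staging predicates and the ransom-note
    // predicate were ANDed onto ONE event, so target.process.file.full_path had
    // to end in both e.g. "\socks111atx.exe" and "\notepad.exe" at once - the
    // rule could never fire. They are now two events correlated on the host.

    // Event 1: one of the three observed staging steps of the dropped payload.
    (
        (
            // the temp-named dropper launching the socks component
            re.regex($stage.target.process.file.full_path, `.*\\socks111atx\.exe`) and
            re.regex($stage.principal.process.file.full_path, `.*\\radD8D54\.tmp\.exe`)
        ) or (
            // regsvr32 loading one of the temp-named DLLs (Sysmon EID 1)
            $stage.metadata.product_event_type = "1" and
            re.regex($stage.target.process.file.full_path, `.*\\regsvr32\.exe`) and
            (
                re.regex($stage.target.process.command_line, `.*\\D5F4\.tmp\.dll`) or
                re.regex($stage.target.process.command_line, `.*\\CD2D\.tmp\.dll`)
            )
        ) or (
            // self-deletion ("ping 127.0.0.1 && del ...") spawned by the dropper
            re.regex($stage.target.process.command_line, `.*ping 127\.0\.0\.1 && del.*`) and
            re.regex($stage.principal.process.file.full_path, `.*\\radD8D54\.tmp\.exe`)
        )
    )
    $stage.principal.hostname = $hostname

    // Event 2: the ransom note being opened in notepad on the same host.
    re.regex($note.target.process.file.full_path, `.*\\notepad\.exe`)
    re.regex($note.target.process.command_line, `.*\\FILES ENCRYPTED\.txt`)
    $note.principal.hostname = $hostname

  match:
    // NOTE(review): correlation window chosen for this rewrite; tune as needed.
    $hostname over 1h

  condition:
    $stage and $note
}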
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
rule_1
Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
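rule rule_1 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under"
    type = "hunt"
    data_source = "microsoft sysmon, microsoft windows events"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "System Owner/User Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    mitre_attack_version = "v13.1"
    platform = "Windows"
    severity = "Info"
    priority = "Info"

  events:
    // NOTE(review): this rule is byte-identical to rule_2 in this listing;
    // deploying both doubles every hit.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Match whoami as a whole token anywhere on the command line, so that
    // "whoami /all", "whoami.exe /priv" and a fully-qualified
    // "C:\Windows\System32\whoami.exe" are all caught; the original exact
    // equality with "whoami" missed every one of these common forms.
    re.regex($process.target.process.command_line, `(^|\\|\s|")whoami(\.exe)?(\s|"|$)`) nocase

  outcome:
    $risk_score = 10
    $mitre_attack_tactic = "Discovery"
    $mitre_attack_technique = "System Owner/User Discovery"
    $mitre_attack_technique_id = "T1033"
    // added to populate alert graph with additional context
    $principal_hostname = $process.principal.hostname
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id
    $principal_user_userid = $process.principal.user.userid

  condition:
    $process
}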
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
rule_2
Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
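rule rule_2 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under"
    type = "hunt"
    data_source = "microsoft sysmon, microsoft windows events"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "System Owner/User Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    mitre_attack_version = "v13.1"
    platform = "Windows"
    severity = "Info"
    priority = "Info"

  events:
    // NOTE(review): this rule is byte-identical to rule_1 in this listing;
    // deploying both doubles every hit.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Match whoami as a whole token anywhere on the command line, so that
    // "whoami /all", "whoami.exe /priv" and a fully-qualified
    // "C:\Windows\System32\whoami.exe" are all caught; the original exact
    // equality with "whoami" missed every one of these common forms.
    re.regex($process.target.process.command_line, `(^|\\|\s|")whoami(\.exe)?(\s|"|$)`) nocase

  outcome:
    $risk_score = 10
    $mitre_attack_tactic = "Discovery"
    $mitre_attack_technique = "System Owner/User Discovery"
    $mitre_attack_technique_id = "T1033"
    // added to populate alert graph with additional context
    $principal_hostname = $process.principal.hostname
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id
    $principal_user_userid = $process.principal.user.userid

  condition:
    $process
}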
Chronicle (YARA-L) Original YARA-L T1137 ↗
ryuk_encryption_and_evasion_techniques
Detects Ryuk Ransomware License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
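rule ryuk_encryption_and_evasion_techniques {
 meta:
    author = "Osman Demir"
    description = "Detects Ryuk Ransomware  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9lnBk5qhd9IV"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, Impact, T1137, Persistence"

  events:
    (
        // Sysmon EID 1: permission reset on a drive root or the two service
        // stops that precede encryption.
        // NOTE(review): the two net.exe matches are exact, case-sensitive
        // equalities on the full command line and miss any other spelling.
        $e.metadata.product_event_type = "1" and
        (
            re.regex($e.target.process.command_line, `icacls \"C:.*\" /grant Everyone:F /T /C /Q`) or
            $e.target.process.command_line = "\"C:\\Windows\\System32\\net.exe\" stop \"audioendpointbuilder\" /y" or
            $e.target.process.command_line = "\"C:\\Windows\\System32\\net.exe\" stop \"samss\" /y"
        )
    ) or (
        // Sysmon EID 11: an encrypted file (.RYK) under a user's Pictures
        // folder, or the ransom note dropped into Word's STARTUP folder (the
        // T1137 persistence location). The note path originally hard-coded the
        // sandbox user "admin"; the profile name is now any single path segment,
        // and both matches are case-insensitive like the paths they describe.
        $e.metadata.product_event_type = "11" and
        (
            re.regex($e.target.file.full_path, `C:\\Users.*\\Pictures.*\.RYK`) nocase or
            re.regex($e.target.file.full_path, `C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\RyukReadMe\.html`) nocase
        )
    )

  condition:
    $e
}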
Chronicle (YARA-L) Original YARA-L T1486 ↗
ryuk_ransomware_hash_detected
While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
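rule ryuk_ransomware_hash_detected {
 meta:
    author = "Furkan Celik"
    description = "While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Zv9JvW4XauTo"
    version = "0.01"
    created = "2020/03/28"
    product = "windows"
    service = "security"
    mitre = "impact, T1486"

  events:
    // Process creation with a known-bad image hash.
    // NOTE(review): meta says service = "security", but product_event_type "1"
    // is Sysmon's process-create id; the Security log's equivalent is 4688.
    $e.metadata.product_event_type = "1"
    (
        // For a process-launch event the launched image's hash is expected on
        // target.process.file; target.file is kept as a fallback for parsers
        // that populate it instead. The hashes are upper-case hex in the source
        // rule, so nocase protects against a normalised lower-case store value.
        $e.target.process.file.md5 = "5AC0F050F93F86E69026FAEA1FBB4450" nocase or
        $e.target.process.file.md5 = "6CDCB9F86972EFC4CFCE4B06B6BE053A" nocase or
        $e.target.process.file.md5 = "31BD0F224E7E74EEE2847F43AAE23974" nocase or
        $e.target.file.md5 = "5AC0F050F93F86E69026FAEA1FBB4450" nocase or
        $e.target.file.md5 = "6CDCB9F86972EFC4CFCE4B06B6BE053A" nocase or
        $e.target.file.md5 = "31BD0F224E7E74EEE2847F43AAE23974" nocase
    )

  condition:
    $e
}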
Chronicle (YARA-L) Original YARA-L T1059 ↗
sap_netweaver_application_server_as_java_cve20206287_detection
It is a critical vulnerability in the LM Configuration Wizard component of the "SAP NetWeaver Application Server (AS) Java" platform that allows unauthenticated users to run code. If successfully exploited, high-privilege users can be created, unlimited authority over SAP systems obtained, and commands run with SAP service user rights. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule sap_netweaver_application_server_as_java_cve20206287_detection {
 meta:
    author = "Furkan Celik"
    description = "It is a critical vulnerability in the LM Configuration Wizard component of the \"SAP NetWeaver Application Server (AS) Java\" platform, allowing unauthenticated users to run code. If it is successfully exploited, high authority users can be created, unlimited authority to SAP systems, commands can be run with SAP service user rights.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/IpNtUupYw88W"
    version = "0.01"
    created = "2020/07/16"
    product = "windows"
    service = "sysmon"
    mitre = "T1190, vulnerability_scanning, T1059, execution"

  events:
    // Despite the name this is an inventory check, not an exploitation
    // detection: it fires on any event-type-1 record whose product name is
    // "SAP NetWeaver" and whose description is one of the four listed release
    // strings. Nothing here looks at requests, users or commands.
    $sap.metadata.product_event_type = "1"
    $sap.metadata.product_name = "SAP NetWeaver"
    (
        $sap.metadata.description = "7.3" or
        $sap.metadata.description = "7.31" or
        $sap.metadata.description = "7.4" or
        $sap.metadata.description = "7.5"
    )

  condition:
    $sap
}
Chronicle (YARA-L) Original YARA-L T1486 ↗
scarab_ransomware
This new version of Scarab Ransomware was discovered by the investigator M. Shahpasandi License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule scarab_ransomware {
 meta:
    author = "Ariel Millahuel"
    description = "This new version of Scarab Ransomware was discovered by the investigator M. Shahpasandi  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/r5jiwlzXUXDk"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "impact, T1486"

  events:
    // Sysmon file-create (EID 11) of either the dropped copy of the malware
    // under AppData\Roaming or a file carrying the ".cov19" extension.
    $fc.metadata.product_event_type = "11"
    (
        re.regex($fc.target.file.full_path, `.*AppData\\Roaming\\svchoster\.exe.*`) or
        re.regex($fc.target.file.full_path, `.*\.cov19.*`)
    )

  condition:
    $fc
}
Chronicle (YARA-L) Original YARA-L T1486 ↗
scarab_ransomware_part_1
This new version of Scarab Ransomware was discovered by the investigator M. Shahpasandi License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
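rule scarab_ransomware_part_1 {
 meta:
    author = "Ariel Millahuel"
    description = "This new version of Scarab Ransomware was discovered by the investigator M. Shahpasandi  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/r5jiwlzXUXDk"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "impact, T1486"

  events:
    // Process creation from either the Security log (4688) or Sysmon (1).
    ($e.metadata.product_event_type = "4688" or $e.metadata.product_event_type = "1")
    // Deletion of the system-state backup via wbadmin. The indicator is the
    // "wbadmin DELETE SYSTEMSTATEBACKUP" invocation itself, so it is matched as
    // a case-insensitive substring; the original required the whole command line
    // to equal "cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",
    // which a quoted or fully-qualified cmd.exe, different spacing or a direct
    // wbadmin launch all fail.
    re.regex($e.target.process.command_line, `.*wbadmin\s+DELETE\s+SYSTEMSTATEBACKUP.*`) nocase

  condition:
    $e
}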
Chronicle (YARA-L) Original YARA-L T1036 ↗
signal_desktop_app_privilege_escalation
Detects the Signal Desktop v1.29 app privilege escalation vulnerability. During startup the application executes the c:\node_modules\.bin\wmic.exe binary if it exists. By default on Windows, low-privileged users have the privilege to create folders under root-level drives. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
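rule signal_desktop_app_privilege_escalation {
 meta:
    author = "Halil Ibrahim Cosgun"
    description = "Detects Signal Desktop v1.29 app privilege escalation vulnerability. During the startup the application will execute the c:\\node_modules\\.bin\\wmic.exe binary if it exists. By default on Windows, low privileged users have the privilege to create folders under root level drives.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/JxHcCHvtyUEG"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "Execution, Defense_Evasion, Persistence, Privilege_Escalation, T1218, T1036, T1044"

  events:
    // Inside a backtick regex, two backslashes stand for ONE literal path
    // separator (as every other rule in this pack writes them, e.g.
    // `.*\\cmd\.exe`). The converted rule used four, so it demanded doubled
    // separators ("\\Signal.exe", "\\node_modules\\.bin\\wmic.exe") and could not
    // match a real path such as c:\node_modules\.bin\wmic.exe. Matches are
    // case-insensitive because Windows paths are.
    (
        // Sysmon EID 1: Signal.exe launching the planted wmic.exe
        $e.metadata.product_event_type = "1" and
        re.regex($e.principal.process.file.full_path, `.*\\Signal\.exe`) nocase and
        re.regex($e.target.process.command_line, `.*\\node_modules\\\.bin\\wmic\.exe`) nocase
    ) or (
        // Sysmon EID 11: the planted binary being written to disk
        $e.metadata.product_event_type = "11" and
        re.regex($e.target.file.full_path, `.*\\node_modules\\\.bin\\wmic\.exe`) nocase
    )

  condition:
    $e
}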
Chronicle (YARA-L) Original YARA-L T1022 ↗
snatch_ransomware_sysmon_behaviour
Snatch ransomware reboots PCs into Safe Mode to bypass protection License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule snatch_ransomware_sysmon_behaviour {
 meta:
    author = "Emir Erdogan"
    description = "Snatch ransomware reboots PCs into Safe Mode to bypass protection  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/sG12jPLP3NJF"
    version = "0.01"
    created = "2019/12/10"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, T1022, T1313"

  events:
    // Either one of the known Snatch command lines (no event-type restriction
    // on this branch) or a Sysmon file-create (EID 11) whose path carries one
    // of the extensions the family appends to encrypted files.
    (
        // NOTE(review): these are exact, case-sensitive equalities on the whole
        // command line (note the double space in "sc  start"); a variant without
        // ".exe", with different spacing, or with extra arguments is not caught.
        $e.target.process.command_line = "bcdedit.exe /set {current} safeboot minimal" or
        $e.target.process.command_line = "shutdown /r /f /t 00" or
        $e.target.process.command_line = "vssadmin delete shadows /all /quiet" or
        $e.target.process.command_line = "net stop SuperBackupMan" or
        $e.target.process.command_line = "sc  start SuperBackupMan"
    ) or (
        $e.metadata.product_event_type = "11" and
        (
            re.regex($e.target.file.full_path, `.*\.snatch.*`) or
            re.regex($e.target.file.full_path, `.*\.jimm.*`) or
            re.regex($e.target.file.full_path, `.*\.googl.*`) or
            re.regex($e.target.file.full_path, `.*\.dglnl.*`) or
            re.regex($e.target.file.full_path, `.*\.ohwqg.*`) or
            re.regex($e.target.file.full_path, `.*\.wvtr0.*`) or
            re.regex($e.target.file.full_path, `.*\.hceem.*`)
        )
    )

  condition:
    $e
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
stop_ransomware_and_vidar_ransomware_detection
This rule detects the behavior of a combination of STOP Ransomware and Vidar Ransomware. Both threats are used together to steal information after a phishing attack has been successfully executed. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
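rule stop_ransomware_and_vidar_ransomware_detection {
 meta:
    author = "Ariel Millahuel"
    description = "This rule detects the behavior of a combination between STOP Ransomware and Vidar Ransomware. Both threats are used in combination in order to steal information after a phishing attack was succesfully executed  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eLntKUKd5pKY"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
    // Process creation from either the Security log (4688) or Sysmon (1).
    ($e.metadata.product_event_type = "4688" or $e.metadata.product_event_type = "1")
    // Image checks are case-insensitive suffix regexes: full_path holds the
    // whole path, so the original equalities with the bare names "cmd.exe" and
    // "icacls.exe" could never match.
    (
        (
            // cmd.exe self-cleanup: kill the dropped executable in %TEMP% and
            // erase it. The first pattern (the sample's "5.exe") is a special
            // case of the second and is kept for traceability to the source.
            re.regex($e.target.process.file.full_path, `.*\\cmd\.exe`) nocase and
            (
                re.regex($e.target.process.command_line, `/c taskkill /im 5\.exe /f & erase C:\\Users.*\\AppData\\Local\\Temp.*\\5\.exe & exit`) or
                re.regex($e.target.process.command_line, `/c taskkill /im .*\.exe /f & erase C:\\Users.*\\AppData\\Local\\Temp.*.*\.exe & exit`)
            )
        ) or (
            // icacls denying Everyone (S-1-1-0) delete rights under AppData\Local
            re.regex($e.target.process.file.full_path, `.*\\icacls\.exe`) nocase and
            re.regex($e.target.process.command_line, `icacls C:\\Users.*\\AppData\\Local.*\\deny .*S-1-1-0:\(Ol\)\(Cl\)\(DE,DC\)`)
        )
    )

  condition:
    $e
}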
Chronicle (YARA-L) Original YARA-L T1041 ↗
suspicious_curl_usage
cURL is a command line browser, and often used by attackers to download malware. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule suspicious_curl_usage {
 meta:
    author = "Emir Erdogan"
    description = "cURL is a command line browser, and often used by attackers to download malware.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/NTrME73OyT8w"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1188, T1079, T1041"

  events:
    // The built-in curl.exe launched from cmd.exe with one of seven argument
    // shapes: FTP transfers, a SOCKS5 proxy named torproxy, uploading an .exe,
    // unusual DNS/resolve switches, or a hard-coded "X-Application: BotClient"
    // header.
    // NOTE(review): both image checks are exact, case-sensitive equalities on
    // the full path; curl.exe run from another location or a differently-cased
    // path is not caught. T1188 and T1079 in the meta tag are retired ATT&CK ids.

    // exact image paths
    $curl.target.process.file.full_path = "C:\\Windows\\System32\\curl.exe"
    $curl.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe"

    // argument shapes
    (
        re.regex($curl.target.process.command_line, `.*curl ftp.*`) or
        re.regex($curl.target.process.command_line, `.*curl --socks5 torproxy.*`) or
        re.regex($curl.target.process.command_line, `.*curl -F .*\.exe.*`) or
        re.regex($curl.target.process.command_line, `.*curl --dns-ipv4-addr.*`) or
        re.regex($curl.target.process.command_line, `.*curl --dns-interface eth1.*`) or
        re.regex($curl.target.process.command_line, `.*curl --resolve.*`) or
        re.regex($curl.target.process.command_line, `.*curl --header \"X-Application: BotClient\".*`)
    )

  condition:
    $curl
}
Chronicle (YARA-L) Original YARA-L T1036 ↗
suspicious_process_created_on_unusual_directories
Detect Suspicious Process on Unusual Directories License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
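rule suspicious_process_created_on_unusual_directories {
 meta:
    author = "Erdem Kucukmustafa"
    description = "Detect Suspicious Process on Unusual Directories  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/lVgFe7QyLrys"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "Defense_Evasion, T1036"

  events:
    // Sysmon EID 1 where the launched image lives in a directory that normally
    // holds no executables. All path matches are case-insensitive, since
    // Windows paths are and Sysmon preserves on-disk casing.
    $e.metadata.product_event_type = "1"
    (
        re.regex($e.target.process.file.full_path, `C:\\Windows\\Fonts.*`) nocase or
        re.regex($e.target.process.file.full_path, `.*\\htdocs.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\Media.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Users\\Public.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\system32\\config\\systemprofile.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\addins.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\Debug.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Users\\NetworkService.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Users\\Default.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\Help.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Intel\\Logs.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\repair.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\PerfLogs.*`) nocase or
        // "$" is an end-of-input anchor in a regex; unescaped (as in the
        // original `C:\\$Recycle\.bin.*`) this alternative could never match.
        re.regex($e.target.process.file.full_path, `C:\\\$Recycle\.bin.*`) nocase or
        re.regex($e.target.process.file.full_path, `C:\\Windows\\security.*`) nocase or
        re.regex($e.target.process.file.full_path, `.*\\wwwroot.*`) nocase
    )

  condition:
    $e
}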
Chronicle (YARA-L) Original YARA-L T1053 ↗
suspicious_scheduled_task
Detection of suspicious scheduled tasks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule suspicious_scheduled_task {
 meta:
    author = "Emir Erdogan"
    description = "Detection of suspicious scheduled tasks  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/1ULlEDq8oA0b"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1053, T1168"

  events:
    // Two command-line shapes, with no event-type or image restriction:
    //   - schtasks creating a minute-interval task named SystemSoundsServices
    //     that runs regsvr32.exe, or
    //   - the regsvr32 "/s /n /u /i:http:" scriptlet-from-URL switch set.
    // NOTE(review): T1168 in the meta tag is a retired ATT&CK id (now T1053).
    (
        re.regex($task.target.process.command_line, `.*/s /n /u /i:http:.*`) or
        re.regex($task.target.process.command_line, `.*schtasks\.exe /create /sc MINUTE /tn SystemSoundsServices /tr \"regsvr32\.exe\".*`)
    )

  condition:
    $task
}
Chronicle (YARA-L) Original YARA-L T1007 ↗
ursnif_trojan_detection_cmd_obfuscation
The popular banking trojan known as Ursnif uses an obfuscated command prompt. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
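rule ursnif_trojan_detection_cmd_obfuscation {
 meta:
    author = "Emir Erdogan"
    description = "Most popular banking trojan which is called as ursnif uses obfuscated command prompt  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/phnp9PkFC7Zm"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1047, T1497, T1080, T1007, T1082, T1071, T1064, T1113, T1091, T1105, T1060, T1012, T1093, T1027, T1036"

  events:
    // rundll32 launched from cmd.exe with a caret-obfuscated DllRegisterServer
    // export ("Dl^lRegi^sterSe^rver"). The image equality is case-insensitive
    // because Sysmon records on-disk casing ("rundll32.exe"), not the
    // "Rundll32.exe" spelling of the source rule.
    $e.target.process.file.full_path = "C:\\Windows\\System32\\Rundll32.exe" nocase
    re.regex($e.principal.process.file.full_path, `C:\\Windows\\System32\\cmd\.exe.*`) nocase
    // "^" is a start-of-input anchor in a regex; unescaped in the middle of the
    // pattern (as in the original) it could never match, so each caret is now
    // escaped.
    // NOTE(review): the DLL name ZyGHisczAWv.dll is a single-sample artifact;
    // the durable indicator is the caret-broken export name.
    re.regex($e.target.process.command_line, `.*C:\\ProgramData\\ZyGHisczAWv\.dll,Dl\^lRegi\^sterSe\^rver.*`)

  condition:
    $e
}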
Chronicle (YARA-L) Original YARA-L T1486 ↗
wastedlocker_a_new_ransomware_variant_developed_by_the_evil_corp_group
Detects Wastedlocker License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
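rule wastedlocker_a_new_ransomware_variant_developed_by_the_evil_corp_group {
 meta:
    author = "Osman Demir"
    description = "Detects Wastedlocker  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/PYGGqXXI8HiF"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, Impact"

  events:
    // Sysmon Event ID 1 (process creation) only.
    $selection.metadata.product_event_type = "1"

    (
      // Branch A: the two verbatim Defender-tampering / firewall-allow command
      // lines from the sample. Exact string equality is kept as in the original,
      // but note it is brittle: any change in spacing, casing or interpreter
      // path breaks the match.
      $selection.target.process.command_line = "C:\\Windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true ; Set-MpPreference -MAPSReporting 0 ; Set-MpPreference -ExclusionProcess rundll32.exe ; Set-MpPreference -ExclusionExtension dll" or
      $selection.target.process.command_line = "C:\\Windows\\System32\\netsh.exe advfirewall firewall add rule name=\"Rundll32\" dir=out action=allow protocol=any program=\"C:\\Windows\\system32\\rundll32.exe"
    ) or (
      // Branch B: shadow-copy deletion, backup/AV/SQL service tampering and
      // script execution through Windows LOLBins.
      //
      // Fix: the original compared target.process.file.full_path with bare file
      // names ("vssadmin.exe", "sc.exe", ...). full_path carries the complete
      // path, so those equalities never held and this branch was dead. It now
      // matches the file name as a case-insensitive path suffix.
      re.regex($selection.target.process.file.full_path, `\\(vssadmin|sc|net|net1|netsh|cscript|wscript)\.exe$`) nocase and
      (
        // vssadmin: wipe or shrink shadow copies (nocase covers the
        // "Delete Shadows /All /Quiet" capitalisation variants).
        re.regex($selection.target.process.command_line, `Delete Shadows /all /quiet`) nocase or
        re.regex($selection.target.process.command_line, `resize shadowstorage`) nocase or
        // sc / net: stop or disable backup, AV and SQL services
        re.regex($selection.target.process.command_line, `stop NetBackup BMR MTFTP Service /y`) nocase or
        re.regex($selection.target.process.command_line, `stop BMR Boot Service /y`) nocase or
        re.regex($selection.target.process.command_line, `stop avpsus /y`) nocase or
        // the original string had no space before "/y"; tolerate both spellings
        re.regex($selection.target.process.command_line, `sc stop WinDefend\s*/y`) nocase or
        re.regex($selection.target.process.command_line, `sc config WinDefend start= disabled /y`) nocase or
        re.regex($selection.target.process.command_line, `config SQLTELEMETRY start= disabled`) nocase or
        re.regex($selection.target.process.command_line, `config SQLWriter start= disabled`) nocase or
        // the original had this pattern broken across two lines ("config " / "SstpSvc ...")
        re.regex($selection.target.process.command_line, `config SstpSvc start= disabled`) nocase or
        // cscript / wscript: script payloads.
        // NOTE(review): ".js" and ".zip" match any command line containing those
        // substrings (every wscript foo.js run, a net.exe path containing ".zip", ...);
        // expect noise and tighten per environment.
        re.regex($selection.target.process.command_line, `\.jse`) nocase or
        re.regex($selection.target.process.command_line, `\.js`) nocase or
        re.regex($selection.target.process.command_line, `\.zip`) nocase
      )
    )

  condition:
    $selection
}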
Chronicle (YARA-L) Original YARA-L T1027.004 ↗
wastedlocker_ransomware_hunting_defense_evasion
This rule is part of the Cisco Talos investigation into this ransomware; the investigation covers many ATT&CK techniques, which are split across several rules. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
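rule wastedlocker_ransomware_hunting_defense_evasion {
 meta:
    author = "Ariel Millahuel"
    description = "This rule its part of Cisco Talos investigation about this ransomware, and includes a lot of ATT&CK techniques that i'll be writing in different rules.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/kNavqYGJrev8"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "defense_evasion, T1027.004, T1070.001"

  events:
    // Windows Security 4688 or Sysmon 1 process creation.
    ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1")

    (
      // Arm 1: cvtres.exe resource step of an on-host C# compilation
      // (csc.exe -> cvtres.exe chain under %TEMP%).
      // Fix/generalisation: the original hard-coded one sample's temp names
      // (RESF8F4.tmp, h4bie4kg, CSC81E1...). Those names are generated per run, so
      // they are matched by shape (RES<hex>.tmp, <alnum> dir, CSC<hex>.TMP).
      // NOTE(review): legitimate PowerShell Add-Type usage produces the same chain;
      // tune on the parent process before alerting.
      (re.regex($selection1.target.process.file.full_path, `\\cvtres\.exe$`) nocase and re.regex($selection1.target.process.command_line, `cvtres\.exe /NOLOGO /READONLY /MACHINE:.* /OUT:C:\\Users.*\\AppData\\Local\\Temp\\RES[0-9A-F]+\.tmp c:\\Users.*\\AppData\\Local\\Temp\\[A-Za-z0-9]+\\CSC[0-9A-F]+\.TMP`) nocase) or
      // Arm 2: PsExec -s running a cmd for-loop that clears every event log with
      // wevtutil. Fix: the original path was the typo "PsExec.exe.exe" (never
      // matches); the pattern now also tolerates quoting around tokens=* and %1
      // and the 64-bit binary name.
      (re.regex($selection1.target.process.file.full_path, `\\PsExec(64)?\.exe$`) nocase and re.regex($selection1.target.process.command_line, `PsExec(64)?\.exe -s .* cmd /c for /F .*tokens=.* %1 in \('wevtutil\.exe el'\) DO wevtutil\.exe cl .*%1`) nocase) or
      // Arm 3: csc.exe compiling from a .cmdline response file under %TEMP%
      // (same per-run random names as arm 1).
      (re.regex($selection1.target.process.file.full_path, `\\csc\.exe$`) nocase and re.regex($selection1.target.process.command_line, `csc\.exe /noconfig /fullpaths @C:\\Users.*\\AppData\\Local\\Temp\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.cmdline`) nocase)
    )

  condition:
    $selection1
}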
Chronicle (YARA-L) Original YARA-L T1219 ↗
win_pua_detection_of_uncommon_rmm
This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement.
rule win_pua_detection_of_uncommon_rmm {

  meta:
    author = "Georg Lauenstein - suresecure GmbH"
    description = "This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement."
    rule_id = "mr_f5681a0f-215f-4055-80c7-864ee39bcfb8"
    rule_name = "Uncommon or Suspicious RMM Tool Execution Detected"
    tactic = "TA0011"
    technique = "T1219"
    reference = "https://lolrmm.io/"
    type = "alert"
    platform = "Windows, EDR"
    data_source = "Microsoft Sysmon, Windows Event Logs"
    severity = "Medium"  // Adjust based on your risk assessment
    priority = "Medium"  // Adjust based on your incident response process

  events:
    // Process launch events only. The newline-separated predicates in this
    // section are implicitly AND-ed: event type AND (one of the RMM binary
    // names below) AND the match-variable bindings.
    $rmm_tool.metadata.event_type = "PROCESS_LAUNCH"

    // One arm per RMM product; each arm matches the executable name as a
    // case-insensitive path suffix (most arms) or path substring (unanchored
    // alternations). Names come from lolrmm.io.
    (
      // 247ithelp.com (ConnectWise) RMM
      $rmm_tool.target.process.file.full_path = /\\Remote Workforce Client\.exe$/ nocase
    ) or

    (
      // Potential Acronic Cyber Protect (Remotix) RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AcronisCyberProtectConnectAgent\.exe$/ nocase
    ) or

    (
      // Potential AeroAdmin RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\aeroadmin\.exe|\\AeroAdmin\.exe/ nocase
    ) or

    (
      // Potential Air Live Drive RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AirLiveDrive\.exe$/ nocase
    ) or

    (
      // Potential AliWangWang-remote-control RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\alitask\.exe$/ nocase
    ) or

    (
      // Potential Alpemix RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AlpemixService\.exe$/ nocase
    ) or

    (
      // Potential Any Support RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\ManualLauncher\.exe$/ nocase
    ) or

    (
      // Potential Anyplace Control RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\apc_host\.exe$/ nocase
    ) or

    (
      // Potential aria2 RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\aria2c\.exe$/ nocase
    ) or

    (
      // Potential Atera RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AgentPackageNetworkDiscovery\.exe|\\AgentPackageTaskScheduler\.exe|\\AteraAgent\.exe|\\atera_agent\.exe|\\ateraagent\.exe/ nocase
    ) or

    (
      // Potential Auvik RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\auvik\.engine\.exe|\\auvik\.agent\.exe/ nocase
    ) or

    (
      // Potential Absolute (Computrace) RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\rpcnet\.exe|\\ctes\.exe|\\ctespersitence\.exe|\\cteshostsvc\.exe|\\rpcld\.exe/ nocase
    ) or

    (
      // Potential Bluetrait MSP Agent Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\Bluetrait MSP Agent\.exe|\\BluetraitUserAgent\.exe|\\Bluetrait Agent\\libraries\\paexec\.exe/ nocase
    ) or

    (
      // Potential BeamYourScreen RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\beamyourscreen\.exe|\\beamyourscreen-host\.exe/ nocase
    ) or

    (
      // Potential Connectwise Automate (LabTech) RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\ltsvc\.exe|\\ltsvcmon\.exe|\\lttray\.exe/ nocase
    ) or

    (
      // Potential Duplicati RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\Duplicati\.Server\.exe$/ nocase
    ) or

    (
      // Potential FixMe.it RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\FixMeit Unattended Access Setup\.exe|\\TiExpertStandalone\.exe|\\FixMeit Client\.exe|\\FixMeit Expert Setup\.exe|\\TiExpertCore\.exe|\\TiClientCore\.exe/ nocase
    ) or

    (
      // Potential FleetDeck.io RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\fleetdeck_agent_svc\.exe|\\fleetdeck_commander_svc\.exe|\\fleetdeck_installer\.exe|\\fleetdeck_commander_launcher\.exe|\\fleetdeck_agent\.exe/ nocase
    ) or

    (
      // Potential Level.io RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\level-windows-amd64\.exe|\\level\.exe|\\level-remote-control-ffmpeg\.exe/ nocase
    ) or

    (
      // Potential NetSupport Manager RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\pcictlui\.exe|\\client32\.exe|\\pcicfgui\.exe/ nocase
    ) or

    (
      // Potential NinjaRMM RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\ninjarmmagent\.exe|\\NinjaRMMAgent\.exe|\\NinjaRMMAgenPatcher\.exe|\\ninjarmm-cli\.exe/ nocase
    ) or

    (
      // Potential REMCOS RMM Tool Process Activity
      // NOTE(review): this arm is a bare "\remcos" substring with no extension and
      // no anchor, so it fires on any path containing that string; Remcos is also
      // a commodity RAT rather than a commercial RMM product, so treat hits here
      // as higher priority than the other arms.
      $rmm_tool.target.process.file.full_path = /\\remcos/ nocase
    ) or

    (
      // Potential Rocket Remote Desktop RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\RocketRemoteDesktop_Setup\.exe$/ nocase
    ) or

    (
      // Potential Tactical RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\tacticalrmm\.exe$/ nocase
    ) or

    (
      // Potential TightVNC RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\tvnviewer\.exe|\\tvnserver\.exe/ nocase
    ) or

    (
      // Potential Zoho Assist RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\zaservice\.exe|\\ZA_Access\.exe|\\ZohoMeeting\.exe|\\Zohours\.exe|\\zohotray\.exe|\\ZohoURSService\.exe|\\Zaservice\.exe|\\za_connect\.exe|\\ZMAgent\.exe/ nocase
    )

    // Match keys: host, launched binary and the "Company" value extracted from
    // the raw event (Sysmon's Company field, if the parser surfaces it there).
    // NOTE(review): if a log source leaves extracted.fields["Company"] empty,
    // events from it may not bind $rmm_company_info and could drop out of the
    // match — confirm against your ingestion before relying on this key.
    $rmm_tool.principal.hostname = $hostname
    $rmm_tool.target.process.file.full_path = $image
    $rmm_tool.extracted.fields["Company"] = $rmm_company_info

    // Filter for known RMM Tools based on Customer Information
    // Left disabled on purpose: populate a reference list of sanctioned RMM
    // binaries for your estate and enable this line to suppress them.
    // not $rmm_tool.target.process.file.full_path in %known_rmm_tools nocase

  match:
    // One detection per host / binary / company within a 10-minute window.
    $hostname, $image, $rmm_company_info over 10m

  outcome:
    // Fixed risk score plus de-duplicated parent/child process context for triage.
    $risk_score = max(65)
    $event_count = count_distinct($rmm_tool.metadata.id)
    $principal_process_pid = array_distinct($rmm_tool.principal.process.pid)
    $principal_process_command_line = array_distinct($rmm_tool.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($rmm_tool.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($rmm_tool.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($rmm_tool.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($rmm_tool.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($rmm_tool.target.process.pid)
    $target_process_command_line = array_distinct($rmm_tool.target.process.command_line)
    $target_process_file_sha256 = array_distinct($rmm_tool.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($rmm_tool.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($rmm_tool.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($rmm_tool.principal.user.userid)

  condition:
    $rmm_tool
}
Chronicle (YARA-L) Original YARA-L T1486 ↗
zoom_and_microsoft_malware_attacks_detection
Researchers detected malicious files named "zoom-us-zoom_##########.exe" which, when executed, installed potentially unwanted programs (PUPs) such as InstallCore, a bundleware application known to install other kinds of malware. Malicious files named "zoom-us-zoom_##########.exe" and "microsoft-teams_V#mu#D_##########.exe" (# representing digits) have also been observed; running them installs the InstallCore PUA on the victim's computer, which can lead to additional malicious software being installed. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule zoom_and_microsoft_malware_attacks_detection {
 meta:
    author = "Furkan Celik"
    description = "What's more, the researchers said they detected malicious files with the name \"zoom-us-zoom_##########.exe,\" which when executed, installed potentially unwanted programs (PUPs) such as InstallCore, a dodgy bundleware application that's known to install other kinds of malware. Additionally, we have detected malicious files with names such as \"zoom-us-zoom_##########.exe\" and \"microsoft-teams_V#mu#D_##########.exe\" (# representing various digits). The running of these files leads to an installation of the infamous InstallCore PUA on the victim’s computer which could potentially lead to additional malicious software installation.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/mWBMgIzlIIyd"
    version = "0.01"
    created = "2020/03/30"
    product = "windows"
    service = "security"
    mitre = "T1486, impact"

  events:
// Windows Security 4688 (process creation; only emitted when process-creation
// auditing is enabled on the host) whose image path contains one of the fake
// Zoom / Teams installer name prefixes.
// NOTE(review): both patterns are unanchored and use `.*` where the description
// says "##########" are digits, so they also match e.g. "zoom-us-zoom_setup.exe"
// anywhere in the path; tighten to `[0-9]+` and anchor with `$` if this is noisy.
// The patterns are case-sensitive as written.
($selection.metadata.product_event_type = "4688" and (re.regex($selection.target.process.file.full_path, `zoom-us-zoom_.*\.exe`) or re.regex($selection.target.process.file.full_path, `microsoft-teams_V.*mu.*D_.*\.exe`)))

  condition:
    $selection
}
Microsoft Sentinel Original KQL T1059 ↗
A host is potentially running a hacking tool (ASIM Web Session schema)
'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSessio
// Web sessions whose User-Agent is on the "Hacking Tool" list.
// Two sources are merged: the public UnusualUserAgents.csv feed (pulled with
// externaldata, so the workspace must be able to fetch raw.githubusercontent.com)
// and the optional UnusualUserAgents watchlist. column_ifexists() keeps the query
// valid if the watchlist lacks a UserAgent column, but the watchlist itself must
// exist for _GetWatchlist() to resolve.
let threatCategory="Hacking Tool";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
    [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
        with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
// ASIM WebSession parser with the UA list pushed down as a filter parameter.
// NOTE(review): the parameter name suggests a has_any (term-based) match rather
// than exact equality, so very short list entries may over-match — review the
// feed contents before promoting this to an alert.
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
// Split the UPN for entity mapping (empty suffix when SrcUsername has no "@").
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
Microsoft Sentinel Original KQL T1005 ↗
ADFS DKM Master Key Export
'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor To understand further the details behind this detection, please review the details in the original PR and subsequent PR update to this: https://github.com/Azure/Azure-Sentine
// ADFS DKM master-key read, observed through three independent sources:
//   1. SecurityEvent 4662  (flat columns)
//   2. WindowsEvent 4662   (EventData as a dynamic bag, extracted below)
//   3. Defender for Endpoint DeviceEvents LdapSearch telemetry
// Branches 1-2 key on the contact object class and the thumbnailPhoto attribute
// GUIDs (the attribute the DKM key is kept in); branch 3 keys on the attribute
// name and the ADFS container DN.
// isfuzzy=true lets the query run when one of the tables is absent.
(union isfuzzy=true 
(SecurityEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where ObjectServer == 'DS'
| where OperationType == 'Object Access'
// NOTE(review): with the ObjectName filter disabled, any read of thumbnailPhoto on
// any contact object matches; scope it to the DKM container GUID to cut noise.
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
| extend timestamp = TimeGenerated, DeviceName = Computer
),
( WindowsEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
// Cheap pre-filter on the raw bag before the per-field extractions below.
| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
| extend ObjectServer = tostring(EventData.ObjectServer)
| where ObjectServer == 'DS'
| extend OperationType = tostring(EventData.OperationType)
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| extend ObjectType = tostring(EventData.ObjectType)
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| extend Properties = tostring(EventData.Properties)
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
| extend timestamp = TimeGenerated, DeviceName = Computer
),
(DeviceEvents
| where ActionType =~ "LdapSearch"
| where AdditionalFields.AttributeList contains "thumbnailPhoto"
| where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
)
)
// Common DOMAIN\user entity for all three branches.
| extend Account = strcat(AccountDomain, "\\", AccountName)
Microsoft Sentinel Original KQL T1486 ↗
AV detections related to Dev-0530 actors
'This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.'
// Microsoft Defender AV alerts whose threat name or family is one of the
// Dev-0530 indicators, enriched with device context from DeviceInfo.
let Dev0530_threats = dynamic(["Trojan:Win32/SiennaPurple.A", "Ransom:Win32/SiennaBlue.A", "Ransom:Win32/SiennaBlue.B"]);
SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)
// CompromisedEntity carries only the device name; lower-case both join keys.
| extend CompromisedEntity = tolower(CompromisedEntity)
// NOTE(review): DeviceInfo typically holds many rows per device over time, so an
// inner join fans each alert out to every snapshot; the daily summarize collapses
// that again, but PublicIP/LoggedOnUsers can differ between snapshots. Keeping
// only the latest record (`summarize arg_max(TimeGenerated, *) by DeviceName` on
// DeviceInfo) is a common alternative — confirm which you want for triage.
| join kind=inner (DeviceInfo
    | extend DeviceName = tolower(DeviceName)
) on $left.CompromisedEntity == $right.DeviceName
// SecurityAlert is the left side of the join, so TimeGenerated here is the alert
// time. tostring(LoggedOnUsers) is listed twice in the by-clause; the repeat is
// redundant.
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
// Split "host.domain" into HostName / HostNameDomain for entity mapping.
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
Microsoft Sentinel Original KQL T1486 ↗
AV detections related to Europium actors
'This query looks for Microsoft Defender AV detections related to Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-ag
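// Microsoft Defender AV alerts whose threat name or family is one of the
// Europium indicators, enriched with device context from DeviceInfo.
let Europium_threats = dynamic(["TrojanDropper:ASP/WebShell!MSR", "Trojan:Win32/BatRunGoXml", "DoS:Win64/WprJooblash", "Ransom:Win32/Eagle!MSR", "Trojan:Win32/Debitom.A"]);
// NOTE(review): DeviceInfo is the left side, so TimeGenerated/PublicIP/LoggedOnUsers
// below come from the device snapshot, not the alert, and each alert is fanned out
// to every snapshot of its device before the daily summarize collapses it again.
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)
// CompromisedEntity carries only the device name; lower-case both join keys.
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
// The duplicated tostring(LoggedOnUsers) grouping key of the original is dropped;
// grouping by the same expression twice adds nothing.
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, ProductName, Entities
// Split "host.domain" into HostName / HostNameDomain for entity mapping.
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
// Fix: the original tested `CompromisedEntity != -1` (a string against an int), so
// the domain suffix was not derived the way the sibling Dev-0530 / Hive queries do.
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex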
Microsoft Sentinel Original KQL T1486 ↗
AV detections related to Hive Ransomware
'This query looks for Microsoft Defender AV detections related to Hive Ransomware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.'
// Microsoft Defender AV alerts whose threat name or family is a Hive ransomware
// signature, enriched with device context from DeviceInfo.
let Hive_threats = dynamic(["Ransom:Win64/Hive", "Ransom:Win32/Hive"]);
// NOTE(review): DeviceInfo is the left side, so TimeGenerated/PublicIP/LoggedOnUsers
// below come from the device snapshot, not the alert, and each alert is fanned out
// to every snapshot of its device before the daily summarize collapses it again.
// Keeping only the latest record (`summarize arg_max(TimeGenerated, *) by DeviceName`)
// is a common alternative — confirm which you want for triage.
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)
// CompromisedEntity carries only the device name; lower-case both join keys.
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
// tostring(LoggedOnUsers) is listed twice in the by-clause; the repeat is redundant.
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
// Split "host.domain" into HostName / HostNameDomain for entity mapping.
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
Microsoft Sentinel Original KQL T1136.003 ↗
Account created from non-approved sources
'This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistent access to an environment. Created accounts should be investigated to confirm expected creation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts'
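// Flags Entra ID "Add User" operations in the last day whose new account belongs
// to a domain that has not signed in successfully during the last 7 days, neither
// as a UPN domain (core_domains) nor as an alternate sign-in name domain
// (alternative_domains). Output keeps the original columns plus the parsed
// name / UPN-suffix fields used for entity mapping.
let core_domains = (SigninLogs
  | where TimeGenerated > ago(7d)
  | where ResultType == 0
  | extend domain = tolower(split(UserPrincipalName, "@")[1])
  | summarize by tostring(domain));
  let alternative_domains = (SigninLogs
  | where TimeGenerated > ago(7d)
  | where isnotempty(AlternateSignInName)
  | where ResultType == 0
  | extend domain = tolower(split(AlternateSignInName, "@")[1])
  | summarize by tostring(domain));
  // Guest (B2B) UPNs have the form "<name>_<home-domain>#EXT#@<tenant>": the home
  // domain is everything after the LAST underscore of the part before "#EXT#".
  // Fix: the original used split(_, "_")[1] / [0], which mis-parses any name that
  // itself contains an underscore ("john_doe_gmail.com" -> domain "doe", name
  // "john"); such guests were then wrongly reported as non-approved. The helpers
  // below split on the last underscore instead (empty string when there is none).
  let ext_name = (upn:string) { extract(@"^(.*)_([^_]+)$", 1, tostring(split(upn, "#EXT#")[0])) };
  let ext_domain = (upn:string) { extract(@"^(.*)_([^_]+)$", 2, tostring(split(upn, "#EXT#")[0])) };
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName =~ "Add User"
  // Initiator may be an app (service principal) or a user; surface both.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | extend UserAdded = tostring(TargetResources[0].userPrincipalName)
  // Lower-cased so the comparison against the lower-cased baseline lists is not
  // defeated by mixed-case UPN suffixes.
  | extend UserAddedDomain = case(
  UserAdded has "#EXT#", tolower(ext_domain(UserAdded)),
  UserAdded !has "#EXT#", tolower(tostring(split(UserAdded, "@")[1])),
  UserAdded)
  | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)
  | extend AddedByName = case(
  InitiatingUserPrincipalName has "#EXT#", ext_name(InitiatingUserPrincipalName),
  InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[0]),
  InitiatingUserPrincipalName)
  | extend AddedByUPNSuffix = case(
  InitiatingUserPrincipalName has "#EXT#", ext_domain(InitiatingUserPrincipalName),
  InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[1]),
  InitiatingUserPrincipalName)
  | extend UserAddedName = case(
  UserAdded has "#EXT#", ext_name(UserAdded),
  UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[0]),
  UserAdded)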
Microsoft Sentinel Original KQL T1078.004 ↗
Addition of a Temporary Access Pass to a Privileged Account
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello. A threat actor could use a TAP to register a new authentication method to maintain persistence to an account. Review any TAP creations to ensure they wer
// Privileged accounts: latest IdentityInfo record per UPN whose AssignedRoles
// contains "admin" (case-insensitive substring, so it also picks up roles such as
// "Helpdesk Administrator"; narrow the match if that is too broad).
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  // A TAP registration appears as an admin-registered security-info event with
  // this specific ResultReason; the target user is the account the TAP is for.
  AuditLogs
  | where OperationName =~ "Admin registered security info"
  | where ResultReason =~ "Admin registered temporary access pass method for user"
  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(TargetUserPrincipalName) in (admin_users)
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  // Who issued the TAP, and from where.
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Name / suffix splits for entity mapping.
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
Microsoft Sentinel Original KQL T1078 ↗
AdminSDHolder Modifications
'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/'
// Directory Service Changes (5136) events whose ObjectDN is the AdminSDHolder
// container; any modification there is propagated to protected groups by SDProp.
// NOTE(review): 5136 is only generated when Directory Service Changes auditing is
// enabled and a SACL exists on the object — confirm on the DCs. Only the
// SecurityEvent table is covered here; WindowsEvent (AMA/WEF) sources are not.
SecurityEvent
| where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
// Pull the full ObjectDN out of the raw XML.
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
// Host and DOMAIN\user splits for entity mapping.
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend Name = tostring(split(SubjectAccount, "\\")[1]), NTDomain = tostring(split(SubjectAccount, "\\")[0])
Microsoft Sentinel Original KQL T1078.004 ↗
Anomalous Single Factor Signin
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts; investigate these for anomalous occurrences. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
// Baselines are built from successful sign-ins in the 7d..1d window, deliberately
// excluding the last day so that the sign-ins under review do not baseline
// themselves. Location is country + state; ASN is the source network.
let known_locations = (SigninLogs
  | where TimeGenerated between(ago(7d)..ago(1d))
  | where ResultType == 0
  | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
  | summarize by LocationDetail);
let known_asn = (SigninLogs
  | where TimeGenerated between(ago(7d)..ago(1d))
  | where ResultType == 0
  | summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
// No deviceId: the sign-in did not come from a registered/joined device.
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)
| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)
| extend LocationDetail = strcat(Location, "-", State)
| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName=tostring(DeviceParsed.displayName), OS=tostring(DeviceParsed.operatingSystem), Browser=tostring(DeviceParsed.browser)
// Both the ASN and the location must be unseen in the baseline window.
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail
// Name / suffix split for entity mapping.
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
Microsoft Sentinel Original KQL T1190 ↗
Anomalous User Agent connection attempt
'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
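// Flags IIS requests whose User-Agent is unusually short or long (typical of
// scanners, raw HTTP tooling and hand-written clients), limited to sources with
// fewer than c_threshold connections so bulk crawlers do not dominate the output.
let short_uaLength = 5;
let long_uaLength = 1000;
let c_threshold = 100;
W3CIISLog
// Exclude local/private client IPs as these create noise.
// Fix: the original only excluded 192.168.0.0/16 and ::1, so 10.0.0.0/8,
// 172.16.0.0/12 and 127.0.0.1 clients still produced hits. ipv4_is_private()
// covers all RFC 1918 ranges; it returns null for non-IPv4 strings (e.g. IPv6
// clients), hence the coalesce so those rows are kept as before.
| where cIP !in ("::1", "127.0.0.1") and coalesce(ipv4_is_private(cIP), false) == false
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
| extend csUserAgent_size = string_size(csUserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
| where ConnectionCount < c_threshold
// Host and account splits for entity mapping.
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])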
Microsoft Sentinel Original KQL T1199 ↗
Anomalous login followed by Teams action
'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges). Please note, if the initial logic of prevalence to find su
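// Correlates anomalous IP usage per account on Teams sign-ins with subsequent Teams admin-type operations.
// Flow: successful Teams sign-ins over queryperiod -> tenant-wide country prevalence -> per (user, IP) sign-in counts
// -> per-user delta between busiest and quietest IP -> join to OfficeActivity Teams operations that fall within
// projectedEndTime after a suspicious sign-in.
//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.
//The minimum number of countries that the account has been accessed from [default: 2]
let minimumCountries = 2;
//The delta (%) between the largest in-use IP and the smallest [default: 95]
let deltaThreshold = 95;
//The maximum (%) threshold that the country appears in login data [default: 10]
let countryPrevalenceThreshold = 10;
//The time to project forward after the last login activity [default: 60min]
let projectedEndTime = 60m;
// Lookback for the Teams operations (alert window) and for the sign-in sample respectively.
let queryfrequency = 1d;
let queryperiod = 14d;
// Parameterised on the sign-in table so the same logic runs over interactive and non-interactive sign-ins.
let aadFunc = (tableName: string) {
    // Get successful signins to Teams
    let signinData =
        table(tableName)
        | where TimeGenerated > ago(queryperiod)
        | where AppDisplayName has "Teams" and ConditionalAccessStatus =~ "success"
        | extend Country = tostring(todynamic(LocationDetails)['countryOrRegion'])
        | where isnotempty(Country) and isnotempty(IPAddress);
    // Calculate prevalence of countries (percentage of all sampled Teams sign-ins, tenant-wide)
    let countryPrevalence =
        signinData
        | summarize CountCountrySignin = count() by Country
        | extend TotalSignin = toscalar(signinData | summarize count())
        | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;
    // Count signins by user and IP address.
    // take_any() keeps one arbitrary Country per (IP, user) pair; it is the current name of the deprecated any() aggregate, same semantics.
    let userIpSignin =
        signinData
        | summarize CountIPSignin = count(), Country = take_any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;
    // Calculate delta between the IP addresses with the most and minimum activity by user.
    // MaxIPSignin comes from count() and is therefore >= 1, so the division cannot be by zero.
    let userIpDelta =
        userIpSignin
        | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName
        | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;
    // Collect Team operations the user account has performed within a time range of the suspicious signins
    OfficeActivity
    | where TimeGenerated > ago(queryfrequency)
    | where Operation in~ ("TeamsAdminAction", "MemberAdded", "MemberRemoved", "MemberRoleChanged", "AppInstalled", "BotAddedToTeam")
    | where not (Operation in~ ("MemberAdded", "MemberRemoved") and CommunicationType in~ ("GroupChat", "OneonOne")) // These events have been noisy and are related to initiating chat conversation and not admin operations.
    | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation
    | join kind = inner(
        userIpDelta
        // Check users with activity from distinct countries
        | where DistinctCountries >= minimumCountries
        // Check users with high IP delta
        | where UserIPDelta >= deltaThreshold
        // Add information about signins and countries
        | join kind = leftouter userIpSignin on UserPrincipalName
        | join kind = leftouter countryPrevalence on Country
        // Check activity that comes from nonprevalent countries
        | where CountryPrevalence < countryPrevalenceThreshold
        // UserPrincipalName is lowercased so it matches the lowercased OfficeActivity UserId on the join below;
        // join keys compare case-sensitively, so a mixed-case UPN would otherwise never match.
        | project
            UserPrincipalName = tolower(UserPrincipalName),
            SuspiciousIP = IPAddress,
            UserIPDelta,
            SuspiciousSigninCountry = Country,
            SuspiciousCountryPrevalence = CountryPrevalence,
            EventTimes = ListSigninTimeGenerated
    ) on $left.UserId == $right.UserPrincipalName
    // Check the signins occurred within the 60 min before the Teams operations
    // (operation time falls in [signin, signin + projectedEndTime])
    | mv-expand SigninTimeGenerated = EventTimes
    | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)
    | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
// isfuzzy so the rule still runs when one of the two sign-in tables is absent from the workspace.
union isfuzzy=true aadSignin, aadNonInt
// Keep the latest sign-in per (user, IP, operation), then bag all operations per suspicious (user, IP, country).
| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated
| summarize
    ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack("Operation", tostring(Operation), "OperationTime", OperationTimeGenerated)))
    by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])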
Microsoft Sentinel Original KQL T1078 ↗
Anomaly Sign In Event from an IP
'Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts'
// Per-IP sign-in volume over the last hour in 15-minute buckets (four points per series).
let LookBack = 1h;
let Data = (
SigninLogs
| where TimeGenerated >= ago(LookBack)
// Only element [0] of NetworkLocationDetails is inspected; a trusted tag on a later element would not exclude the row.
| where parse_json(NetworkLocationDetails)[0].networkType != "trustedNamedLocation" // Excludes known tagged networks
// Counts the number of sign in events in the last hour every 15 minutes by IP
| make-series EventCounts = count() on TimeGenerated from ago(LookBack) to now() step 15m by IPAddress 
);
// Flag IPs whose series has at least one positive anomaly (threshold 1.5, seasonality auto-detected (-1), linear trend fit).
// NOTE(review): with only four points per series the decomposition has very little baseline to work from — confirm the
// sensitivity is acceptable for this tenant.
let AnomalyAlert = (
Data
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(EventCounts,1.5,-1,'linefit')
| mv-expand EventCounts,TimeGenerated,Anomalies to typeof(double),Baseline to typeof(long),Score to typeof(double)
| where Anomalies > 0
);
// Enrich each anomalous (IP, bucket) with the users, apps and password outcomes seen from that IP across the whole hour.
AnomalyAlert
| join kind = inner (SigninLogs
| where TimeGenerated between (ago(LookBack) .. now())
| where parse_json(NetworkLocationDetails)[0].networkType != "trustedNamedLocation"
| extend PasswordResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)
| summarize UserCount = dcount(UserPrincipalName), UserList = make_set(UserPrincipalName), AppName = make_set(AppDisplayName), PasswordResult = make_list(PasswordResult) by IPAddress) on IPAddress
// PasswordResult is a list; "has" matches when ANY entry in the list reported a correct password.
| where PasswordResult has "Correct Password"
| where UserCount > 1 // looks for events targeting more than one user.
Microsoft Sentinel Original KQL T1078.004 ↗
Application ID URI Changed
'Detects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed'
// Audit events where an application's or service principal's AppIdentifierUri was modified; one row per modified property.
AuditLogs
  | where Category == "ApplicationManagement"
  | where OperationName has_any ("Update Application", "Update Service principal") and TargetResources has "AppIdentifierUri"
  // Who made the change: app (service principal) and/or user fields from InitiatedBy.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
           InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
           InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
           InitiatingAadUserId = tostring(InitiatedBy.user.id),
           InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Target app plus its modified-properties array, expanded so each property becomes its own row.
  | extend mod_props = TargetResources[0].modifiedProperties,
           TargetAppName = tostring(TargetResources[0].displayName)
  | mv-expand mod_props
  | where mod_props.displayName has "AppIdentifierUri"
  // Old/new URI values; UpdatedBy prefers the app name and falls back to the user UPN.
  | extend OldURI = tostring(mod_props.oldValue),
           NewURI = tostring(mod_props.newValue),
           UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  // Account entity: UPN split at "@" (suffix is empty when there is no "@").
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]),
           InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress
Microsoft Sentinel Original KQL T1078.004 ↗
Application Redirect URL Update
'Detects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes'
// Successful 'Update Application' audit events that touched the AppAddress (redirect URI) property; reports added URIs only.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where Result =~ "success"
  | where OperationName =~ 'Update Application'
  | where TargetResources has "AppAddress"
  // One row per (target resource, modified property) so each AppAddress change is evaluated on its own.
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  | where TargetResources_modifiedProperties.displayName =~ "AppAddress"
  | extend Key = tostring(TargetResources_modifiedProperties.displayName)
  | extend NewValue = TargetResources_modifiedProperties.newValue
  | extend OldValue = TargetResources_modifiedProperties.oldValue
  | where isnotempty(Key) and isnotempty(NewValue)
  | project-reorder Key, NewValue, OldValue
  // Pull every "Address" value out of the serialized old/new property blobs; the capture stops at the next comma,
  // so values keep their surrounding quotes.
  | extend NewUrls = extract_all('"Address":([^,]*)', tostring(NewValue))
  | extend OldUrls = extract_all('"Address":([^,]*)', tostring(OldValue))
  // URIs present in the new value but not the old one, i.e. additions; removals are not reported.
  | extend AddedUrls = set_difference(NewUrls, OldUrls)
  | where array_length(AddedUrls) > 0
  // User-Agent is read only from AdditionalDetails[0]; if it sits at another index the column is "".
  | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == "User-Agent", tostring(AdditionalDetails[0].value), "")
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Prefer the user UPN as AddedBy; fall back to the app name for app-initiated (service principal) changes.
  | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)
  | extend TargetAppName = tostring(TargetResources.displayName)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, AddedBy, UserAgent
Microsoft Sentinel Original KQL T1078.004 ↗
Authentication Attempt from New Country
Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-a
// Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table
// (isfuzzy: the query still runs if one of the tables is absent from the workspace)
let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;
  // Fetch Azure IP address ranges data from a JSON file hosted on GitHub.
  // NOTE(review): this is a live network dependency evaluated on every run — if the URL is unreachable or its schema
  // changes the whole rule fails, and whatever the feed returns is trusted as "Azure" address space.
  let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)
  ["https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json"] with(format='multijson')
  // Expand the values column into separate rows
  | mv-expand values
  // Create additional columns for the name and address prefixes
  | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);
  // Identify known locations to be excluded from analysis: locations with at least one successful sign-in 14d..1d ago
  let ExcludedKnownLocations = CombinedSignInLogs
  // Filter the combined logs based on the specified time range
  | where TimeGenerated between (ago(14d)..ago(1d))
  // Filter by specific ResultType (0 = success)
  | where ResultType == 0
  // Summarize the logs by location
  | summarize by Location;
  // Find sign-in locations matching specific criteria; materialize() because the result is reused twice below
  let MatchedLocations = materialize(CombinedSignInLogs
  // Filter the combined logs based on the specified time range
  | where TimeGenerated > ago(1d)
  // Exclude specific ResultTypes
  | where ResultType !in (50126, 50053, 50074, 70044)
  // Exclude known locations
  | where Location !in (ExcludedKnownLocations));
  // Match IP addresses of matched locations with Azure IP address ranges
  let MatchedIPs = MatchedLocations
  // Use the 'ipv4_lookup' function to match IP addresses with Azure IP address ranges
  | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)
  // Project only the IPAddress column
  | project IPAddress;
  // Exclude IP addresses that are already matched with Azure IP address ranges
  let MaxSetSize = 5; // Set the maximum size limit for make_set
  let ExcludedIPs = MatchedLocations
  // Filter out IP addresses that are already matched
  | where not (IPAddress in (MatchedIPs))
  // Exclude empty or null Location values
  | where isnotempty(Location)
  // Handle dynamic and string column values for LocationDetails and DeviceDetail
  // (the union yields *_dynamic / *_string variants when the two tables type the column differently).
  // NOTE(review): the *_string names are referenced directly, without column_ifexists; confirm they exist whenever
  // this runs (e.g. when one source table is empty or absent).
  | extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
  | extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
  | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
  | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
  // Extract location details (city and state)
  | extend City = tostring(LocationDetails.city)
  | extend State = tostring(LocationDetails.state)
  | extend Place = strcat(City, " - ", State)
  | extend DeviceId = tostring(DeviceDetail.deviceId)
  | extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
  // Summarize the data based on UserPrincipalName, Location, and Category (each set capped at MaxSetSize entries)
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),
  make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),
  make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),
  make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category
  // Extract the username prefix and suffix from UserPrincipalName
  | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]);
  ExcludedIPs // Output the final result set
  // The first IP of the (unordered) set is surfaced as the IP entity
  | extend IP = set_IPAddress[0]
Microsoft Sentinel Original KQL T1078.004 ↗
Authentications of Privileged Accounts Outside of Expected Controls
'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure
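// Privileged accounts: the latest IdentityInfo record per UPN whose AssignedRoles contains "admin" (case-insensitive substring).
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  // Baselines of ASNs, locations and device ids that ANY privileged account has successfully signed in from
  // between 7d and 1d ago. The window ends at 1d so today's sign-ins do not feed their own baseline.
  // ResultType == 0 restricts each baseline to successful sign-ins, matching the stated intent ("logged in from");
  // without it a failed attempt from an unfamiliar network or device would add it to the allow-list.
  let admin_asn = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by AutonomousSystemNumber);
  let admin_locations = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by Location);
  let admin_devices = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where isnotempty(deviceId)
  | summarize by deviceId);
  // Events under review: successful privileged sign-ins in the last day.
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  // Alert only when ASN, device AND location are all unseen. An empty deviceId is never in admin_devices, so a
  // sign-in without a device id always passes the device part of the check.
  | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)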
Microsoft Sentinel Original KQL T1059 ↗
Base64 encoded Windows process command-lines (Normalized Process Events)
'Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
// Process creations (ASIM imProcessCreate) whose command line contains the base64 encoding of a PE header,
// aggregated per device/user/process and split into account and host entities.
// Only this one encoding of the header is matched; `contains` is case-insensitive.
imProcessCreate
| where CommandLine contains "TVqQAAMAAAAEAAA" and isnotempty(Process)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
// ActorUsername is expected as DOMAIN\user: index 1 is the account, index 0 the NT domain.
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0]),
         HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
// Everything after the first "." is the domain; a Dvc with no "." keeps the full name.
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to Application Logout URL
'Detects changes to an application's sign-out URL. Look for any modifications to a sign-out URL. Blank entries or entries pointing to non-existent locations would stop a user from terminating a session. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed'
// Application / service-principal update events whose modified property name contains "Url", with old and new values.
// The property filter is `contains "Url"` (case-insensitive), so any URL-typed property qualifies, not only the logout URL,
// and there is no Result filter, so unsuccessful attempts are included as well.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where OperationName has_any ("Update Application", "Update Service principal")
  // Who made the change: app (service principal) and/or user fields from InitiatedBy.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
           InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
           InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
           InitiatingAadUserId = tostring(InitiatedBy.user.id),
           InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Target app plus its modified-properties array, expanded to one row per property.
  | extend TargetAppName = tostring(TargetResources[0].displayName),
           mod_props = TargetResources[0].modifiedProperties
  | mv-expand mod_props
  | extend Action = tostring(mod_props.displayName)
  | where Action contains "Url"
  // UpdatedBy prefers the app name and falls back to the user UPN.
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName),
           OldURL = tostring(mod_props.oldValue),
           NewURL = tostring(mod_props.newValue)
  // Account entity: UPN split at "@" (suffix is empty when there is no "@").
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]),
           InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to Application Ownership
'Detects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner'
// 'Add owner to application' audit events, with the initiating principal, the added owner and the application name.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where OperationName =~ "Add owner to application"
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // The new owner is the first target resource; TargetUserPrincipalName is left dynamic here (not tostring'd).
  | extend TargetUserPrincipalName = TargetResources[0].userPrincipalName
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  // The application name is carried in the modified property "Application.DisplayName", whose newValue is a JSON-encoded string.
  | extend mod_props = TargetResources[0].modifiedProperties
  | mv-expand mod_props
  | where mod_props.displayName =~ "Application.DisplayName"
  | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))
  | extend AddedUser = TargetUserPrincipalName
  // UpdatedBy prefers the app name for app-initiated changes and falls back to the user UPN.
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  // NOTE(review): split() is applied to the dynamic TargetUserPrincipalName; confirm it resolves as a string in this schema.
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to PIM Settings
'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
// Audit events for edits to a PIM role setting, enriched with the initiating user and split into account / UPN-suffix entities.
AuditLogs
  | where Category =~ "RoleManagement" and OperationName =~ "Update role setting in PIM"
  // Initiating user identity from the InitiatedBy blob.
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
           InitiatingAadUserId = tostring(InitiatedBy.user.id),
           InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Account entity: UPN split at "@" (suffix is empty when there is no "@").
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]),
           InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix
Microsoft Sentinel Original KQL T1078 ↗
Cisco - firewall block but success logon to Microsoft Entra ID
'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins. Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.'
// Correlates public source IPs denied by a Cisco device (CommonSecurityLog) with Entra ID sign-ins from the same IP.
// Parameterised on the sign-in table so both interactive and non-interactive sign-ins are covered.
let aadFunc = (tableName:string){
CommonSecurityLog
| where DeviceVendor =~ "Cisco"
| where DeviceAction =~ "denied"
// Only public IPv4 sources are kept; `== false` also drops rows whose SourceIP does not parse as IPv4
// (ipv4_is_private returns null there).
| where ipv4_is_private(SourceIP) == false
| summarize count() by SourceIP
// Default join flavour (innerunique); the left side is already one row per SourceIP after the summarize.
| join (
    // Successful signins from IPs blocked by the firewall solution are suspect
    // Include fully successful sign-ins, but also ones that failed only at MFA stage
    // as that supposes the password was successfully guessed.
  table(tableName)
  | where ResultType in ("0", "50074", "50076")
) on $left.SourceIP == $right.IPAddress
// NOTE(review): Account is not a documented column of SigninLogs / AADNonInteractiveUserSignInLogs; confirm it resolves
// here (UserPrincipalName may be what was intended).
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
// isfuzzy so the rule still runs when one of the two sign-in tables is absent from the workspace.
union isfuzzy=true aadSignin, aadNonInt
Microsoft Sentinel Original KQL T1078.004 ↗
Conditional Access Policy Modified by New User
'Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days. A threat actor may try to modify policies to weaken the security controls in place. Investigate any change to ensure they are approved. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access'
// Principals who successfully changed a conditional access policy between 14d and 1d ago; the window ends at 1d so
// today's changes do not feed their own baseline.
let known_users = (AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName has "conditional access policy"
  | where Result =~ "success"
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | summarize by InitiatingUserPrincipalName);
  // Successful CA policy operations in the last day, enriched with the initiating app and/or user.
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName has "conditional access policy"
  | where Result =~ "success"
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppId = tostring(InitiatedBy.app.appId)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend CAPolicyName = tostring(TargetResources[0].displayName)
  // Keep only principals absent from the baseline.
  // NOTE(review): app-initiated changes have an empty InitiatingUserPrincipalName (tostring of a missing path is "");
  // once one such change is in the baseline the empty string is "known", and every later app-initiated change is suppressed.
  | where InitiatingUserPrincipalName !in (known_users)
  // Only the first modified property of the first target resource is surfaced.
  | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue
  | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, OperationName, CAPolicyName, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, NewPolicyValues, OldPolicyValues
Microsoft Sentinel Original KQL T1078 ↗
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.'
// Three-way correlation keyed on account: Impossible travel alert -> Add-MailboxPermission granting FullAccess by that
// account -> PIM eligible-role request initiated by that account.
// NOTE(review): the joins key on account only; no time window or ordering is enforced between the three events, so the
// "followed by" in the description is not actually checked. Account is lowercased on the alert side while UserId and
// Initiatedby are not, and join keys compare case-sensitively — confirm casing in this tenant.
SecurityAlert 
| where AlertName == "Impossible travel activity"
// Entities is a JSON array of typed entities; one row per entity, then pull out account, IP and process/file fields.
| extend Extprop = parsejson(Entities)
| mv-expand Extprop
| extend Extprop = parsejson(Extprop)
| extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
| extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
| extend Account = Extprop['Name']
| extend Domain = Extprop['UPNSuffix']
// Account entities become a lowercased UPN (Name@UPNSuffix) when a suffix is present; non-account entities become "".
| extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
| extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
// Process is computed but dropped by the project on the next line.
| extend Process = iff(isnotempty(CmdLine), CmdLine, File)
| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId
| join kind=inner
(
OfficeActivity
| where Operation =~ "Add-MailboxPermission"
// The access right is read from Parameters[3] by position (presumably the AccessRights parameter — confirm);
// a different parameter order would miss the grant.
| extend value = tostring(parse_json(Parameters)[3].Value)
| where value contains "FullAccess"
| where ResultStatus == "True"
| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId
) on $left.Account == $right.UserId
| join kind=inner
(
AuditLogs
| where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
| where AADOperationType =~ "CreateRequestEligibleRole"
// Coarse term filter on the serialized target resources for privileged-looking names.
| where TargetResources has_any ("-PRIV", "Administrator", "Security")
// Role, custom group and target account are read from fixed TargetResources positions (0, 3 and 2).
| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))
| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
| extend Initiatedby = Identity
| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
| sort by TimeGenerated desc
) on $left.UserId == $right.Initiatedby
| extend AccountName = tostring(split(Initiatedby, "@")[0]), AccountUPNSuffix = tostring(split(Initiatedby, "@")[1])
| project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress
Microsoft Sentinel Original KQL T1486 ↗
Dev-0530 File Extension Rename
'Dev-0530 actors are known to encrypt the contents of the victim's device as well as renaming the file extensions. This query looks for the creation of files with the .h0lyenc extension or the presence of a ransom note.'
// Two sources unioned (isfuzzy: either may be absent): Defender for Endpoint DeviceFileEvents and the ASIM imFileEvent parser.
// Both branches look for newly created files with the .h0lyenc extension or the ransom note at C:\FOR_DECRYPT.html
// (the "\\" in the literal is a single backslash after escaping; the comparison treats FolderPath / TargetFilePath
// as the full file path).
union isfuzzy=true
    (DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
        by
        AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
        DeviceName,
        Type,
        InitiatingProcessId,
        FileName,
        FolderPath,
        EventType = ActionType,
        Commandline = InitiatingProcessCommandLine,
        InitiatingProcessFileName,
        InitiatingProcessSHA256,
        FileHashCustomEntity = SHA256,
        AlgorithmCustomEntity = "SHA256"
    // Host/domain split: everything after the first "." is the domain; a DeviceName with no "." keeps the full name.
    | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
    ),
    (imFileEvent
    | where EventType == "FileCreated"
    | where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
        by
        ActorUsername,
        DvcHostname,
        DvcDomain,
        DvcId,
        Type,
        EventType,
        FileHashCustomEntity = TargetFileSHA256,
        Hash,
        TargetFilePath,
        Commandline = ActingProcessCommandLine,
        AlgorithmCustomEntity = "SHA256"
    // ActorUsername is expected as DOMAIN\user here: index 1 is the account, index 0 the domain.
    | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
    // Host columns aligned with the DeviceFileEvents branch so the union has a common shape.
    | extend HostName = DvcHostname, HostNameDomain = DvcDomain
    | extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
    )
Microsoft Sentinel Original KQL T1071.001 ↗
Discord CDN Risky File Download (ASIM Web Session Schema)
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in
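// Successful web sessions to Discord CDN attachment URLs, grouped by the Discord server id embedded in the URL path,
// then narrowed to requests whose URL carries a risky executable-style extension.
let discord=dynamic(["cdn.discordapp.com", "media.discordapp.com"]);
  _Im_WebSession(url_has_any=discord, eventresult='Success')
  | where Url has "attachments"
  // Server id is the numeric path segment immediately after /attachments/.
  | extend DiscordServerId = extract(@"\/attachments\/([0-9]+)\/", 1, Url)
  | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId
  // NOTE(review): the four sets are expanded together (paired by position) and make_set order is not defined, so a
  // row's SourceUser, SourceIP and RequestURL are not guaranteed to come from the same original event.
  | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)
  | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url
  | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url
  // Extension terms treated as risky; has_any is a set membership test, so each term needs to appear once.
  // NOTE(review): the description speaks of servers "only been seen once", but dcount_Url is never filtered here.
  | where RequestURL has_any (".bin",".exe",".dll",".msi")
  // Account entity: UPN split at "@" (suffix is empty when there is no "@").
  | extend AccountName = tostring(split(SourceUser, "@")[0]), AccountUPNSuffix = tostring(split(SourceUser, "@")[1])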
Microsoft Sentinel Original KQL T1068 ↗
Email access via active sync
This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL "has_all" operator, which hasn't yet been documented officially, but will be soon. In short, "has_all" will only match when the referenced field has all strings in the list. - Refer to S
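// Process-creation events whose command line contains every token in cmdList
// (Set-CASMailbox ... ActiveSyncAllowedDeviceIDs ... add), collected from four
// sources and normalised to a common timestamp / AccountEntity / HostEntity shape.
let timeframe = 1d;
let cmdList = dynamic(["Set-CASMailbox","ActiveSyncAllowedDeviceIDs","add"]);
// isfuzzy=true: a branch whose table is absent from this workspace is skipped
// instead of failing the whole query.
(union isfuzzy=true
(
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4688
| where CommandLine has_all (cmdList)
| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine
| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer
),
( WindowsEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4688
// Cheap pre-filter on the whole EventData bag before extracting the command line.
| where EventData has_all (cmdList)
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_all (cmdList)
// Same DOMAIN\user shape as SecurityEvent.Account so the final split works uniformly.
| extend Account =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend SubjectUserName = tostring(EventData.SubjectUserName)
| extend SubjectDomainName = tostring(EventData.SubjectDomainName)
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine
| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer
),
(
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
| where InitiatingProcessCommandLine has_all (cmdList)
| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName,  InitiatingProcessCommandLine
// Build the same DOMAIN\user AccountEntity the other branches emit. Without it
// AccountEntity was null for these rows and the final extend below overwrote
// AccountName/AccountDomain with empty strings.
| extend timestamp = TimeGenerated, AccountEntity = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName), AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, HostEntity = DeviceName
),
(
Event
| where TimeGenerated > ago(timeframe)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
// Sysmon EventData arrives as XML; unpack the Name/#text pairs into columns.
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| where TimeGenerated >= ago(timeframe)
| where CommandLine has_all (cmdList)
| extend Type = strcat(Type, ": ", Source)
// NOTE(review): Sysmon event 1 carries the executable path in Image rather than
// Process - confirm that a Process column actually resolves after the pivot.
| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine
| extend timestamp = TimeGenerated, AccountEntity = User, HostEntity = Computer
)
)
// Split the host into short name and DNS suffix, and the account into DOMAIN and user.
| extend HostName = tostring(split(HostEntity, ".")[0]), DomainIndex = toint(indexof(HostEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)
| extend AccountName = tostring(split(AccountEntity, @'\')[1]), AccountDomain = tostring(split(AccountEntity, @'\')[0])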