Hunt pack: Akira
778 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Akira - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
Detections
50 shown of 778
Auditd Login from Forbidden Location
Identifies that a login attempt has happened from a forbidden location.
CyberArk Privileged Access Security Error
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code
correlates to the CyberArk Vault Audit Action Code.
Deprecated - AWS Root Login Without MFA
Identifies attempts to log in to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best
practices indicate that the root user should be protected by MFA.
Deprecated - Agent Spoofing - Mismatched Agent ID
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
First-Time FortiGate Administrator Login
This rule detects the first observed successful login of a user with the Administrator role to the FortiGate management
interface within the last 5 days. First-time administrator logins can indicate newly provisioned accounts,
misconfigurations, or unauthorized access using valid credentials and should be reviewed promptly.
FortiGate Administrator Login from Multiple IP Addresses
This rule detects successful logins to the FortiGate management interface using the same Administrator account from
multiple distinct source IP addresses within a 24-hour period. Administrator logins from multiple locations in a short
time window may indicate credential sharing, compromised credentials, or unauthorized access and should be investigated.
M365 or Entra ID Identity Sign-in from a Suspicious Source
This rule correlates Entra ID or Microsoft 365 mail successful sign-in events with network security alerts by source address.
Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
resources.
Potential File Download via a Headless Browser
Identifies headless browser execution from a suspicious parent process with arguments consistent with scripted retrieval. Adversaries use browsers because they are trusted, signed binaries that proxy and application-control policies allow through, bypassing restrictions on direct download tools.
Potential Process Herpaderping Attempt
Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate
an evasion attempt to execute malicious code in a stealthy way.
Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)
Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost
Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /`
request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an
`Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd
to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a
privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and
watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic).
Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic
credentials, so this combination is not produced by normal use.
AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
Identifies when access to an Amazon Bedrock foundation model is enabled at the account level, either by granting a
foundation-model entitlement, submitting a use case for model access, or creating a foundation-model agreement
(accepting the EULA). These account-level "model access" actions unlock a foundation model so that it can subsequently
be invoked. Adversaries or a compromised principal may enable model access to abuse expensive models (LLMjacking), to
establish a durable ability to invoke models within the account, or to bypass organizational controls. This activity is
distinct from changes to a resource-based model invocation policy and is identified by the Bedrock control-plane API
calls that grant model entitlements and agreements.
AWS Bedrock Resource-Based Policy Modified or Deleted
Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy
and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may
access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy
granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable
cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for
principal ownership and least-privilege intent.
Active Directory Group Modification by SYSTEM
Identifies a user being added to an Active Directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain
account.
Auditd Login Attempt at Forbidden Time
Identifies that a login attempt occurred at a forbidden time.
Auditd Max Failed Login Attempts
Identifies that the maximum number of failed login attempts has been reached for a user.
Auditd Max Login Sessions
Identifies that the maximum number of login sessions has been reached for a user.
Curl or Wget Execution from Container Context
Detects execution of curl or wget from processes whose title aligns with **`runc init`**, a common fingerprint
for workloads running inside **OCI/runc-backed containers** on Linux hosts instrumented with Auditd Manager.
After breaking out of an application container or abusing a privileged workload, attackers often pull ingress tooling
(stagers, scripts, implants) or stage exfiltration with minimal HTTP clients. Those utilities are also used
benignly in images, so context matters; the `runc init` anchor narrows the signal to the container runtime boundary
where unexpected download clients are more worthy of review than the same binaries on a bare-metal admin shell.
Deprecated - Potential curl CVE-2023-38545 Exploitation
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be
executed with and without the use of environment variables. For increased visibility, enable the collection of
http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of
this rule.
FortiGate SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network events to identify the
source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
or act as an intermediary for network communications to a command and control server to avoid direct connections to their
infrastructure.
FortiGate SSL VPN Login Followed by SIEM Alert by User
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
used from a VPN session, or initial access via VPN followed by post-compromise behavior.
Google Workspace API Access Granted via Domain-Wide Delegation
Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be
configured to grant third-party and internal applications access to the data of Google Workspace users. An adversary may
configure domain-wide delegation to maintain access to their target’s data.
Google Workspace Role Modified
Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order
to elevate the permissions of other user accounts and persist in their target’s environment.
Kubernetes Exposed Service Created With Type NodePort
This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to
externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster
that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod
through the service representing it. A malicious user can configure a service as type NodePort in order to intercept
traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers
within a cluster. This creates a direct method of communication between the cluster and the outside world, which could
be used for more malicious behavior and certainly widens the attack surface of your cluster.
Linux User Account Credential Modification
This rule detects Linux user account credential modification events where the echo command is
used to directly echo a password into the passwd or shadow utilities. This technique is used by
malware to automate the process of user account credential modification on Linux systems post-infection.
PANW and Elastic Defend - Command and Control Correlation
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
the source process performing the network activity.
Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
or use of stolen credentials from a new location.
Potential Account Takeover - Mixed Logon Types
Identifies a user account (often a service account) that normally logs in with high volume using one logon type
suddenly showing successful logons using a different logon type with low count. This pattern may indicate account
takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service
was expected).
Remote File Download via Desktopimgdownldr Utility
Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to
download arbitrary files as an alternative to certutil.
Remote File Download via MpCmdRun
Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
help security teams identify when an adversary is attempting to gain access to their network.
Unusual Parent Process for cmd.exe
Identifies a suspicious parent-child process relationship with cmd.exe descending from an unusual process.
AWS Bedrock Unauthorized Foundation Model Access Attempt
Identifies failed, access-denied attempts to enable account-level access to an Amazon Bedrock foundation model, either
by granting a foundation-model entitlement, submitting a use case for model access, or creating a foundation-model
agreement (accepting the EULA). These account-level "model access" actions unlock a foundation model so that it can
subsequently be invoked. A principal that is repeatedly denied when attempting these actions may be a compromised or
under-privileged identity probing for the ability to unlock expensive models (LLMjacking) or to establish a durable
ability to invoke models. Unlike the companion rule that detects successful model-access grants, this rule surfaces the
attempt itself, which is a high-signal indicator of credential boundary-testing even though access was not granted.
AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt
Detects failed, access-denied attempts to modify or delete resource-based access policies on AWS Bedrock resources via
the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including
external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. A principal that is
repeatedly denied when attempting to attach or remove these policies may be a compromised or under-privileged identity
probing for the ability to grant external or cross-account access, or to weaken existing access controls. Unlike the
companion rule that detects successful changes, this rule surfaces the attempt itself, which is a high-signal indicator
of credential boundary-testing even though no change occurred.
Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
File and Directory Discovery
Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
follow-on activity.
Kubernetes Unusual Decision by User Agent
This rule detects unusual request responses in Kubernetes audit logs through the use of the
"new_terms" rule type. In production environments, default API requests are typically made by
system components or trusted users, who are expected to have a consistent user agent and
allowed response annotations. By monitoring for anomalies in the username and response
annotations, this rule helps identify potential unauthorized access or misconfigurations
in the Kubernetes environment.
Potential Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS
attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side
script. This detection rule identifies the potential malicious executions of such browser-side scripts.
Process Discovery via Tasklist
Adversaries may attempt to get information about running processes on a system.
System Information Discovery via dmidecode from Parent Shell
This rule detects the use of dmidecode to gather system information from a Linux host when executed from a parent
shell process. Adversaries may use dmidecode to collect detailed hardware and system information, which can aid in
further exploitation or lateral movement within a network, or be used as a fingerprint for a compromised system.
User Discovery via Whoami
The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for
privileged access.
A client made a web request to a potentially harmful file (ASIM Web Session schema)
This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr, that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema).
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
| extend Extension=column_ifexists("Extension", "")
| where isnotempty(Extension)
| summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
| where requestedFileExtension in (file_ext_blocklist)
| summarize
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated),
EventCount=count()
by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
This rule identifies a web request with a user agent header known to belong to PowerShell. You can add custom PowerShell-indicating User-Agent headers using a watchlist; for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema).
let threatCategory="Powershell";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
A host is potentially running a hacking tool (ASIM Web Session schema)
This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host. You can add custom hacking-tool-indicating User-Agent headers using a watchlist; for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSessio
let threatCategory="Hacking Tool";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
AD account with Don't Expire Password
Identifies whenever a user account has the setting "Password Never Expires" selected in the user account properties.
This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.
%%2089 resolves to "Don't Expire Password - Enabled".
union isfuzzy=true
(
SecurityEvent
| where EventID == 4738
// 2089 value indicates the Don't Expire Password value has been set
| where UserAccountControl has "%%2089"
| extend Value_2089 = iff(UserAccountControl has "%%2089","'Don't Expire Password' - Enabled", "Not Changed")
// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.
| extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.
| extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid,
AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid
),
(
WindowsEvent
| where EventID == 4738 and EventData has '2089'
// 2089 value indicates the Don't Expire Password value has been set
| extend UserAccountControl = tostring(EventData.UserAccountControl)
| where UserAccountControl has "%%2089"
| extend Value_2089 = iff(UserAccountControl has "%%2089","'Don't Expire Password' - Enabled", "Not Changed")
// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.
| extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.
| extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
| extend Activity="4738 - A user account was changed."
| extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend TargetSid = tostring(EventData.TargetSid)
| extend SubjectAccount = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend SubjectUserSid = tostring(EventData.SubjectUserSid)
| extend AccountType=case(SubjectAccount endswith "$" or SubjectUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(SubjectUserSid), "", "User")
| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), TargetSid,
AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName), SubjectUserSid = tostring(EventData.SubjectUserSid)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
ADFS DKM Master Key Export
Identifies an export of the ADFS DKM Master Key from Active Directory.
References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/,
https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
To understand further the details behind this detection, please review the details in the original PR and subsequent PR update to this:
https://github.com/Azure/Azure-Sentine
(union isfuzzy=true
(SecurityEvent
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created.
| where ObjectServer == 'DS'
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
| extend timestamp = TimeGenerated, DeviceName = Computer
),
( WindowsEvent
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created.
| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed')
| extend ObjectServer = tostring(EventData.ObjectServer)
| where ObjectServer == 'DS'
| extend OperationType = tostring(EventData.OperationType)
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| extend ObjectType = tostring(EventData.ObjectType)
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| extend Properties = tostring(EventData.Properties)
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
| extend timestamp = TimeGenerated, DeviceName = Computer
),
(DeviceEvents
| where ActionType =~ "LdapSearch"
| where AdditionalFields.AttributeList contains "thumbnailPhoto"
| where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
)
)
| extend Account = strcat(AccountDomain, "\\", AccountName)
Account added and removed from privileged groups
Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
let AC_Add =
(union isfuzzy=true
(SecurityEvent
// Event ID related to member addition.
| where EventID in (4728, 4732,4756)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *
| where isnotempty(AccountAdded)
| extend GroupAddedTo = TargetUserName, AddingAccount = Account
| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated
),
(WindowsEvent
// Event ID related to member addition.
| where EventID in (4728, 4732,4756)
| extend TargetSid = tostring(EventData.TargetSid)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData.MemberName with * '"MemberName">' * '=' AccountAdded ",OU" *
| where isnotempty(AccountAdded)
| extend TargetUserName = tostring(EventData.TargetUserName)
| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend GroupAddedTo = TargetUserName
| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated
)
);
let AC_Remove =
( union isfuzzy=true
(SecurityEvent
// Event IDs related to member removal.
| where EventID in (4729,4733,4757)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData with * '"MemberName">' * '=' AccountRemoved ",OU" *
| where isnotempty(AccountRemoved)
| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account
| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
RemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
),
(WindowsEvent
// Event IDs related to member removal.
| where EventID in (4729,4733,4757)
| extend TargetSid = tostring(EventData.TargetSid)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData.MemberName with * '"MemberName">' * '=' AccountRemoved ",OU" *
| where isnotempty(AccountRemoved)
| extend TargetUserName = tostring(EventData.TargetUserName)
| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend GroupRemovedFrom = TargetUserName
| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
// Use the same column name as the SecurityEvent branch so the union yields one logon-ID column
| extend RemovingAccountLogonId = tostring(EventData.SubjectLogonId)
| extend TargetDomainName = tostring(EventData.TargetDomainName)
| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
RemovingAccount, RemovingAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
));
AC_Add
| join kind = inner AC_Remove
on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount
| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)
| where DurationinSecondAfter_Removed > 0
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend RemovedAccountName = tostring(split(AccountRemoved, @"\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @"\")[0])
| extend RemovingAccountName = tostring(split(RemovingAccount, @"\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @"\")[0])
| project-away DomainIndex
Addition of a Temporary Access Pass to a Privileged Account
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.
A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.
A threat actor could use a TAP to register a new authentication method to maintain persistence on an account.
Review any TAP creations to ensure they wer
Show query
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where OperationName =~ "Admin registered security info"
| where ResultReason =~ "Admin registered temporary access pass method for user"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
AdminSDHolder Modifications
'This query detects modifications to the AdminSDHolder object in Active Directory, which could indicate an attempt at persistence.
AdminSDHolder modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.
This query searches for event ID 5136 where the Object DN is AdminSDHolder.
Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/'
Show query
SecurityEvent
| where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend Name = tostring(split(SubjectAccount, "\\")[1]), NTDomain = tostring(split(SubjectAccount, "\\")[0])
Anomalous Single Factor Signin
'Detects successful sign-ins using single-factor authentication where the device, location, and ASN are abnormal.
Single-factor authentications pose an opportunity to access compromised accounts; investigate these for anomalous occurrences.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
Show query
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)
| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)
| extend LocationDetail = strcat(Location, "-", State)
| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName = tostring(DeviceParsed.displayName), OS = tostring(DeviceParsed.operatingSystem), Browser = tostring(DeviceParsed.browser)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])