
Hunt pack: INC Ransom

1,177 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to INC Ransom - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.

Detections

50 shown of 1,177
Chronicle (YARA-L) Original YARA-L Info T1053.005 ↗
mitre_attack_T1053_005_windows_creation_of_scheduled_task
Creation of scheduled task using command line
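rule mitre_attack_T1053_005_windows_creation_of_scheduled_task {

  meta:
    author = "Google Cloud Security"
    description = "Creation of scheduled task using command line"
    rule_id = "mr_14beda0b-8ef1-4805-a227-df9d8bbc6804"
    rule_name = "MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task"
    tactic = "TA0002"
    technique = "T1053.005"
    type = "alert"
    platform = "Windows"
    data_source = "sentinelone"
    severity = "Info"
    priority = "Info"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    // Scheduled-task creation from the command line: "schtasks ... /create"
    // (any path or extension spelling) or the PowerShell Register-ScheduledTask
    // cmdlet, which is the same T1053.005 behaviour and was not covered before.
    // Both the principal and the target command line are inspected: on a
    // PROCESS_LAUNCH event which side holds the newly launched process depends
    // on the source parser (SentinelOne here), and getting that mapping wrong
    // silently blinds the rule. Matching both costs nothing on a 5m match window.
    (
      re.regex($process.principal.process.command_line, `schtasks.*/create|register-scheduledtask`) nocase or
      re.regex($process.target.process.command_line, `schtasks.*/create|register-scheduledtask`) nocase
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = 15
    $event_count = count_distinct($process.metadata.id)
    // Context fields for the alert graph. principal.hostname is emitted here as
    // well as being the match variable (the original comment claimed it was
    // commented out, but the assignment was live; this keeps it and says so).
    $principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}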
Chronicle (YARA-L) Original YARA-L Info T1140 ↗
mitre_attack_T1140_encoded_powershell_command
Detects encoded powershell commands
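rule mitre_attack_T1140_encoded_powershell_command {

  meta:
    author = "Google Cloud Security"
    description = "Detects encoded powershell commands"
    rule_id = "mr_c01d7d92-db49-4044-a2c5-5a16c74a141d"
    rule_name = "MITRE ATT&CK T1140 Encoded Powershell Command"
    tactic = "TA0005"
    technique = "T1140"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Info"
    priority = "Info"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    // Windows PowerShell 5.x from its system path, plus pwsh.exe (PowerShell 7),
    // which honours the same -EncodedCommand switch and was previously ignored.
    re.regex($process.target.process.file.full_path, `(system32|syswow64)\\WindowsPowerShell\\v1\.0\\powershell(_ise)?\.exe|\\pwsh\.exe`) nocase
    // powershell.exe accepts any unambiguous prefix of -EncodedCommand
    // (-e, -ec, -en, -enc, -encoded, ...). The previous alternation
    // (-enc|-ec|-en) matched the first characters of "-EncodedCommand" and then
    // captured the rest of the switch name ("odedCommand") as the payload, so
    // the full spelling decoded to garbage, and "-e <blob>" was not matched at
    // all. Requiring whitespace before the payload and a base64 alphabet makes
    // the capture the blob itself (optionally quoted). The length floor of 16
    // keeps "-en foo"-style arguments inside -Command strings from matching;
    // any real encoded command is far longer.
    re.regex($process.target.process.command_line, `(?i)(^|\s)-e(c|n[a-z]*)?\s+"?[a-z0-9+/=]{16,}`)
    $encoded_value = re.capture($process.target.process.command_line, `(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+"?([a-z0-9+/=]{16,})`)
    // The payload is UTF-16LE; stripping the NUL bytes yields readable text for triage.
    $decoded_value = re.replace(strings.base64_decode(re.capture($process.target.process.command_line, `(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+"?([a-z0-9+/=]{16,})`)), `\0`, "")

  match:
    $hostname over 5m

  outcome:
    $risk_score = 10
    $event_count = count_distinct($process.metadata.id)
    $encoded_powershell = array_distinct($encoded_value)
    $decoded_powershell = array_distinct($decoded_value)
    // Context fields for the alert graph. principal.hostname is emitted even
    // though it is also the match variable.
    $principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}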
Chronicle (YARA-L) Original YARA-L T1218 ↗
mitre_attack_T1218_005_windows_mshta_remove_usage
Using MSHTA to call a remote HTML application on Windows
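rule mitre_attack_T1218_005_windows_mshta_remove_usage
{
  meta:
    author = "Google Cloud Security"
    description = "Using MSHTA to call a remote HTML application on Windows"
    reference = "https://attack.mitre.org/techniques/T1218/005/"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    // Only process launches carry a meaningful command line; the original
    // evaluated the regex against every event type in the tenant.
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    // Case-insensitive: "MSHTA.EXE HTTPS://..." is an equally valid invocation
    // and trivially evaded the original case-sensitive pattern. Both the
    // launched (target) and the parent (principal) command line are checked
    // because which side holds the new process depends on the source parser.
    (
      re.regex($e1.target.process.command_line, `mshta.+http`) nocase or
      re.regex($e1.principal.process.command_line, `mshta.+http`) nocase
    )

  condition:
    $e1
}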
Chronicle (YARA-L) Original YARA-L T1021 ↗
mitre_attack_T1548_002_windows_uac_bypass
eventvwr.exe UAC bypass via a hijacked HKCU\Software\Classes\mscfile\shell\open\command handler. (The vendor text "Net use commands for SMB/Windows admin shares" and the T1021 reference do not match the rule's logic, which looks only at the mscfile handler key; see the query.)
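rule mitre_attack_T1548_002_windows_uac_bypass
{
  meta:
    author = "Google Cloud Security"
    // The original meta said "Net use commands for SMB/Windows admin shares"
    // and linked T1021.002. Neither matched the logic below, which is the
    // eventvwr.exe UAC bypass (T1548.002) via the HKCU mscfile handler key.
    // Corrected so triage text and the ATT&CK mapping describe what fires.
    description = "eventvwr.exe UAC bypass via HKCU\\Software\\Classes\\mscfile\\shell\\open\\command handler hijack"
    reference = "https://attack.mitre.org/techniques/T1548/002/"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    (
      // "reg add" from the command line. The original required the literal
      // "reg.exe", the short hive name, single spaces and the exact
      // "/ve /d ... /f" ordering, so "reg add ...", HKEY_CURRENT_USER, or a
      // reordered switch set evaded it. Either command-line side is accepted
      // because the parser decides which one holds the launched process.
      $e1.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e1.principal.process.command_line, `reg(\.exe)?\s+add\s+.*(hkcu|hkey_current_user)\\software\\classes\\mscfile\\shell\\open\\command`) nocase
    )
    or
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e1.target.process.command_line, `reg(\.exe)?\s+add\s+.*(hkcu|hkey_current_user)\\software\\classes\\mscfile\\shell\\open\\command`) nocase
    )
    or
    (
      // Registry telemetry for the same key, whoever writes it. The original
      // only considered this key when the actor was powershell.exe; any
      // process can set it through the registry API, and the key itself is
      // the indicator.
      re.regex($e1.target.registry.registry_key, `\\software\\classes\\mscfile\\shell\\open\\command`) nocase
    )

  condition:
    $e1
}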
Chronicle (YARA-L) Original YARA-L T1064 ↗
mshta_downloads_malware_by_using_covid19_themed_document
SideWinder APT Group attacks by using COVID-19 document License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
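rule mshta_downloads_malware_by_using_covid19_themed_document {
  meta:
    author = "Emir Erdogan"
    description = "SideWinder APT Group attacks by using COVID-19 document  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Y3qk94UKdcbO"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    // Deduplicated: T1129 was listed twice. T1170 and T1064 are retired ATT&CK
    // IDs (superseded by T1218.005 and T1059); kept so existing cross-links resolve.
    mitre = "T1129, T1170, T1064"

  events:
    // Process-launch events only; the original matched on any event type that
    // happened to carry these fields.
    $selection1.metadata.event_type = "PROCESS_LAUNCH"
    // Parent is mshta.exe ...
    re.regex($selection1.principal.process.file.full_path, `\\mshta\.exe$`) nocase
    // ... spawning mshta.exe or rekeywiz.exe. The original used a
    // case-sensitive exact path for mshta.exe, which misses sources that report
    // the image in a different case or from a non-System32 location.
    re.regex($selection1.target.process.file.full_path, `\\(mshta|rekeywiz)\.exe$`) nocase
    // Campaign IOCs: the dropped HTA name and the rekeywiz.exe side-loading
    // target. The HTA name is a single-sample indicator and will age quickly.
    re.regex($selection1.target.process.command_line, `966029e\.hta|rekeywiz\.exe`) nocase

  condition:
    $selection1
}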
Chronicle (YARA-L) Original YARA-L T1005 ↗
mssql_server_backdoor_detection_vollgar
Newly discovered Vollgar attack uses brute force to infect vulnerable Microsoft SQL servers at a high rate. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
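rule mssql_server_backdoor_detection_vollgar {
  meta:
    author = "Emir Erdogan"
    description = "Newly discovered Vollgar attack uses brute force to infect vulnerable Microsoft SQL servers at a high rate.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/JjWtzMSfOzEp"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1005, T1190"

  events:
    // Sysmon event 11 (FileCreate). product_event_type is not product-scoped,
    // so this assumes the feed is Sysmon as the meta states.
    $selection.metadata.product_event_type = "11"
    // The original was a case-sensitive exact-path list; Sysmon reports the
    // path as created, so a differently-cased directory evaded it. The list is
    // folded into case-insensitive regexes that keep the same directories.
    (
      // VBS downloaders dropped in ProgramData or the RECYCLER folder.
      re.regex($selection.target.file.full_path, `^C:\\(ProgramData|RECYCLER)\\(wget|emsda)\.vbs$`) nocase or
      // Payloads masquerading as SQL Server agent binaries, any directory.
      re.regex($selection.target.file.full_path, `\\SQL(AGENTIDC|AGENTSWA|IOMDSD|Sernsf)\.exe$`) nocase or
      re.regex($selection.target.file.full_path, `^C:\\Program Files \(x86\)\\Microsoft SQL Server\\SQLSerasi\.exe$`) nocase or
      // Launcher batch files in the SQL service account's temp folders.
      re.regex($selection.target.file.full_path, `^C:\\(Users\\MSSQL(~1|SERVER)\\AppData\\Local|Windows(\\ServiceProfiles\\NetworkService\\AppData\\Local)?)\\Temp\\starta[se]\.bat$`) nocase
    )

  condition:
    $selection
}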
Chronicle (YARA-L) Original YARA-L T1059 ↗
mustangpanda_covid19_campaing
This rule detects attempts by the APT group MustangPanda to take advantage of the COVID-19 situation. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
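rule mustangpanda_covid19_campaing {
  meta:
    author = "Ariel Millahuel"
    description = "This rule detects the attempts that are made by the ATP group MustangPanda in order to take advantage of the COVID-19 situation  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9d8qzUPsY8ag"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
    // Security 4688 or Sysmon 1 process creation.
    ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1")
    (
      (
        // The original compared full_path to the bare string "cmd.exe"; both
        // sources report the full image path, so that equality never held and
        // this branch could not fire. Match the file name at the end of the path.
        re.regex($selection1.target.process.file.full_path, `\\cmd\.exe$`) nocase and
        (
          re.regex($selection1.target.process.command_line, `/c for %x in \(%temp%=%cd%\) do for /f \"delims==\" %i in \(dir %x.*-.*-1\.lnk /s /b\)do start mshta\.exe \"%i\"`) nocase or
          re.regex($selection1.target.process.command_line, `/c dir \"C:\\Users.*\\AppData\\Local\\Temp.*-.*-1\.lnk\" /s /b`) nocase
        )
      )
      or
      (
        // Same bare-name defect for schtasks.exe. The task definition was an
        // exact-equality command line, which excludes any image-name prefix
        // the source includes; it is now a contains-match.
        re.regex($selection1.target.process.file.full_path, `\\schtasks\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `/F /Create /TN Tencentid /sc minute /MO 1 /TR C:\\Users\\Public\\Music\\tencentsoso\.exe`) nocase
      )
    )

  condition:
    $selection1
}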
Chronicle (YARA-L) Original YARA-L T1053 ↗
oilrig
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
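rule oilrig {
  meta:
    author = "Ariel Millahuel"
    description = "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Nvw0NkZgaA6d"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "execution, persistence, privilege_escalation, T1059, T1053"

  events:
    // Sysmon event 11 (FileCreate); product_event_type is not product-scoped,
    // so this assumes the feed is Sysmon as the meta states.
    $selection1.metadata.product_event_type = "11"
    // File names from the reported tooling, folded into one case-insensitive
    // match (the original was five case-sensitive regexes). Expect benign hits:
    // nsExec.dll ships with many NSIS-built installers and AnyDesk.exe is a
    // legitimate remote-access product, so tune or enrich before alerting.
    re.regex($selection1.target.file.full_path, `nsExec\.dll|nseEBFB\.tmp|chkSrv\.vbs|SCSCAN\.xml|AnyDesk\.exe`) nocase

  condition:
    $selection1
}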
Chronicle (YARA-L) Original YARA-L T1053 ↗
oilrig_part_1
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
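rule oilrig_part_1 {
  meta:
    author = "Ariel Millahuel"
    description = "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Nvw0NkZgaA6d"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, persistence, privilege_escalation, T1059, T1053"

  events:
    // Security 4688 or Sysmon 1 process creation.
    ($selection2.metadata.product_event_type = "4688" or $selection2.metadata.product_event_type = "1")
    // The original compared command lines for exact equality against fragments
    // such as `cmd.exe" /c wmic ...` (note the leading closing quote): those
    // are tails of a full command line like "C:\Windows\System32\cmd.exe" /c,
    // so equality could never hold and those branches were dead. They are now
    // case-insensitive contains-matches. The hard-coded "admin" profile name
    // is generalized to any user directory.
    (
      // AV product enumeration via WMI SecurityCenter2.
      re.regex($selection2.target.process.command_line, `wmic\s+/Node:localhost\s+/Namespace:\\\\root\\SecurityCenter2\s+Path\s+AntiVirusProduct\s+Get\s+displayName\s+/Format:List`) nocase or
      // Scheduled task registered from the dropped SCSCAN.xml.
      re.regex($selection2.target.process.command_line, `schtasks(\.exe)?"?\s+/create\s+/F\s+/tn\s+"SC Scheduled Scan"\s+/xml\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Taskbar\\SCSCAN\.xml`) nocase or
      // Weak indicator on its own (any DNS cache flush); retained from the
      // original OR-list, but consider requiring it alongside another branch.
      re.regex($selection2.target.process.command_line, `ipconfig(\.exe)?"?\s+/flushdns`) nocase or
      // Lure document copied from Temp into Roaming.
      re.regex($selection2.target.process.command_line, `cmd\.exe"?\s+/c\s+copy\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Temp.*\.doc"\s+"C:\\Users\\[^\\]+\\AppData\\Roaming\\Tmp\.doc`) nocase or
      // Persistence task with the campaign's task name.
      re.regex($selection2.target.process.command_line, `cmd\.exe"?\s+/c\s+SchTasks\s+/Create\s+/SC\s+MINUTE\s+/MO\s+3\s+/TN\s+"InetlSecurityAssistManager"\s+/TR\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Temp.*\.exe"\s+/f`) nocase or
      re.regex($selection2.target.process.command_line, `cmd\.exe"?\s+/c\s+start\s+/b\s+schtasks\s+/query\s+/fo\s+csv`) nocase or
      re.regex($selection2.target.process.command_line, `powershell(\.exe)?"?\s+-exec\s+bypass\s+-File\s+C:\\programdata\\Office365DCOMCheck\.ps1`) nocase
    )

  condition:
    $selection2
}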
Chronicle (YARA-L) Original YARA-L T1012 ↗
persistence_of_ryuk_ransomware
Ryuk has been known to be part of a bigger "Triple Threat" attack that involves Emotet and TrickBot. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
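rule persistence_of_ryuk_ransomware {
  meta:
    author = "Emir Erdogan"
    description = "Ryuk has been know to be a part of a bigger \"Triple Threat\" attack that involves Emotet and TrickBot.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eWyQLgWZwv3v"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1055, T1060, T1112, T1012, T1486"

  events:
    $selection1.metadata.event_type = "PROCESS_LAUNCH"
    // Both behaviours are launched from cmd.exe.
    re.regex($selection1.principal.process.file.full_path, `\\cmd\.exe$`) nocase
    // The original AND-ed the reg.exe branch with the vssadmin branch, so a
    // single event had to be both a "REG ADD" and a "vssadmin" command at once;
    // the rule could never fire. They are independent indicators and are OR-ed.
    (
      (
        // Run-key persistence under the value name "svchos" pointing at one of
        // the sample's executable names. Whitespace is matched with \s+ (the
        // original had a double space in two of the three patterns).
        re.regex($selection1.target.process.file.full_path, `\\reg\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `REG\s+ADD\s+"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"\s+/v\s+"svchos"\s+/t\s+REG_SZ\s+/d\s+".*\\(BPWPc|YLZHK|rojwa)\.exe"\s+/f`) nocase
      )
      or
      (
        // Shadow-copy deletion / storage resize (inhibit recovery). The
        // original required an exact, case-sensitive "vssadmin Delete Shadows
        // /all /quiet" string.
        re.regex($selection1.target.process.file.full_path, `\\vssadmin\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `vssadmin\s+(delete\s+shadows\s+/all\s+/quiet|resize\s+shadowstorage)`) nocase
      )
    )

  condition:
    $selection1
}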
Chronicle (YARA-L) Original YARA-L T1012 ↗
poetrat_pythonrat_uses_covid19_lure
A COVID-19-themed phishing document drops a Python runtime and executes the malware through Python. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
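rule poetrat_pythonrat_uses_covid19_lure {
  meta:
    author = "Emir Erdogan"
    description = "Covid19 theme phishing document drop pyhton and execute malware by python  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9l7TeSLJabOP"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1012, T1086"

  events:
    $selection1.metadata.event_type = "PROCESS_LAUNCH"
    // Parent is Word. Word's image name is reported as WINWORD.EXE (upper
    // case) on most systems, which the original case-sensitive "WINWORD\.exe"
    // pattern did not match; nocase fixes that.
    re.regex($selection1.principal.process.file.full_path, `\\WINWORD\.exe$`) nocase
    // Child is cmd.exe or powershell.exe ...
    re.regex($selection1.target.process.file.full_path, `\\(cmd|powershell)\.exe$`) nocase
    // ... running the sample's unpack-and-launch chain (copy .docx -> .rar,
    // extract with WinRAR, start the payload). Patterns are kept verbatim from
    // the original apart from case-insensitivity; they are sample-specific.
    (
      re.regex($selection1.target.process.command_line, `.*/c copy .*.*\.docx .*\.rar && \"C:\\Program Files\\WinRAR\\winRar\.exe\" x -o\+ -ibck .*\.rar .*\.bat && start /b .*\.bat .*\.EXE MICROSOFT WORD`) nocase or
      re.regex($selection1.target.process.command_line, `C:\\Programs\\Microsoft\\Office\\MSWord\.exe\\\.\.\\\.\.\\\.\.\\\.\..*\\powershell\.exe copy .*.*\.docx .*\.rar; & .*\\WinRAR\.exe x -ibck .*\.rar .*\.exe;Start-Sleep 5;start .*\.EXE MSW`) nocase
    )

  condition:
    $selection1
}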
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
recon_successful_logon_enumeration_powershell_T1033_cisa_report
Detects the use of powershell to enumerate successful logins on a specific host
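rule recon_successful_logon_enumeration_powershell_T1033_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects the use of powershell to enumerate successful logins on a specific host"
    rule_id = "mr_db589a2e-0a06-46b5-8479-f8e120ec0405"
    rule_name = "MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon"
    tactic = "TA0007"
    mitre_attack_technique = "T1033"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Info"
    priority = "Info"

  events:
    // Enumeration of successful logons (event ID 4624) from the Security log.
    // The CISA report's example is Get-EventLog security -instanceid 4624; the
    // same query is commonly issued through Get-WinEvent (-FilterHashtable /
    // -FilterXPath) and wevtutil, so those spellings are included. The
    // original's "(|cmd.*/c).*" prefix was an empty alternative followed by
    // .* and matched nothing extra; it is dropped.
    (
        $process.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($process.target.process.command_line, `get-eventlog.*security.*-instanceid.*4624|get-winevent.*security.*4624|wevtutil.*security.*4624`) nocase
    )
    or
    (
        // Script-block / module logging surfaced as STATUS_UPDATE.
        $process.metadata.event_type = "STATUS_UPDATE" and
        re.regex($process.security_result.description, `get-eventlog.*security.*-instanceid.*4624|get-winevent.*security.*4624|wevtutil.*security.*4624`) nocase
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 15m

  outcome:
    $risk_score = 15
    $event_count = count_distinct($process.metadata.id)
    $security_result_description = array_distinct($process.security_result.description)
    // Context fields for the alert graph. principal.hostname is the match
    // variable and is therefore not repeated here; uncomment if the match changes.
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}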
Chronicle (YARA-L) Original YARA-L T1018 ↗
remote_system_discovery__ping_sweep
This rule detects an attempt to identify remote systems via ping sweep License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
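rule remote_system_discovery__ping_sweep {
  meta:
    author = "Ariel Millahuel"
    description = "This rule detects an attempt to identify remote systems via ping sweep  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/fctdvCuWhicV"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "discovery, T1018"

  events:
    // Security 4688 or Sysmon 1 process creation.
    ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1")
    // The "for /l ... do ping" loop is the command line of the shell that runs
    // it (cmd.exe /c ...); ping.exe itself only ever sees "ping -n 1 -w 100
    // a.b.c.d". The original also compared full_path to the bare string
    // "ping.exe", which a full image path never equals, so it could not fire.
    re.regex($selection1.target.process.file.full_path, `\\(cmd|ping)\.exe$`) nocase
    // Any loop variable, any range/step, and the %%i form used in batch files.
    // A sweep typed into an already-running cmd window produces only the
    // individual ping.exe launches; a per-host ping-count rule would be the
    // complementary detection for that case.
    re.regex($selection1.target.process.command_line, `for\s+/l\s+%%?[a-z]\s+in\s+\(\d+,\s*\d+,\s*\d+\)\s+do\s+ping\b`) nocase

  condition:
    $selection1
}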
Chronicle (YARA-L) Original YARA-L T1059 ↗
rig_ek_delivers_predator_the_thiefbot_ransomware
Rig EK Delivers Predator the thief&Bot Ransomware License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
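rule rig_ek_delivers_predator_the_thiefbot_ransomware {
  meta:
    author = "Emir Erdogan"
    description = "Rig EK Delivers Predator the thief&Bot Ransomware  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/rOXcOaqX6q1R"
    version = "0.01"
    created = "2019/11/24"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, T1059"

  events:
    $selection1.metadata.event_type = "PROCESS_LAUNCH"
    // The original AND-ed the ransom-note branch (notepad.exe opening
    // "FILES ENCRYPTED.txt") with the dropper/loader branches, so one event had
    // to be notepad.exe and socks111atx.exe/regsvr32.exe at the same time; the
    // rule could never fire. The four indicators are independent and are OR-ed.
    // The rad<hex>.tmp.exe / <hex>.tmp.dll names are per-infection temp names,
    // so the hex part is generalized instead of pinning one sample's value.
    (
      (
        // Temp-dropped loader spawning the SOCKS component.
        re.regex($selection1.principal.process.file.full_path, `\\rad[0-9a-f]+\.tmp\.exe$`) nocase and
        re.regex($selection1.target.process.file.full_path, `\\socks111atx\.exe$`) nocase
      )
      or
      (
        // regsvr32 loading a temp-named DLL.
        re.regex($selection1.target.process.file.full_path, `\\regsvr32\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `\\[0-9a-f]{4}\.tmp\.dll`) nocase
      )
      or
      (
        // Self-delete idiom from the loader.
        re.regex($selection1.principal.process.file.full_path, `\\rad[0-9a-f]+\.tmp\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `ping 127\.0\.0\.1 && del`) nocase
      )
      or
      (
        // Ransom note displayed with notepad.
        re.regex($selection1.target.process.file.full_path, `\\notepad\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `\\FILES ENCRYPTED\.txt`) nocase
      )
    )

  condition:
    $selection1
}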
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
rule_1
Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
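rule rule_1 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under"
    type = "hunt"
    data_source = "microsoft sysmon, microsoft windows events"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "System Owner/User Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    mitre_attack_version = "v13.1"
    platform = "Windows"
    severity = "Info"
    priority = "Info"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // The original required the command line to equal exactly "whoami", so
    // "whoami /all", "whoami /priv", "whoami.exe" and the full-path form
    // ("C:\Windows\system32\whoami.exe") were all missed. Match whoami as a
    // standalone token (start, path separator, space or quote before it;
    // space, quote or end after it) with or without the extension.
    re.regex($process.target.process.command_line, `(^|\\|\s|")whoami(\.exe)?(\s|"|$)`) nocase

  outcome:
    $risk_score = 10
    $mitre_attack_tactic = "Discovery"
    $mitre_attack_technique = "System Owner/User Discovery"
    $mitre_attack_technique_id = "T1033"
    // Context fields for the alert graph (single-event rule, no aggregation).
    $principal_hostname = $process.principal.hostname
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id
    $principal_user_userid = $process.principal.user.userid

  condition:
    $process
}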
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
rule_2
Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
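rule rule_2 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under"
    type = "hunt"
    data_source = "microsoft sysmon, microsoft windows events"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "System Owner/User Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    mitre_attack_version = "v13.1"
    platform = "Windows"
    severity = "Info"
    priority = "Info"

  events:
    // NOTE: this rule is byte-identical in logic to rule_1 in the same pack;
    // deploying both doubles every hit. Keep one.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // The original required the command line to equal exactly "whoami", so
    // "whoami /all", "whoami /priv", "whoami.exe" and the full-path form
    // ("C:\Windows\system32\whoami.exe") were all missed. Match whoami as a
    // standalone token (start, path separator, space or quote before it;
    // space, quote or end after it) with or without the extension.
    re.regex($process.target.process.command_line, `(^|\\|\s|")whoami(\.exe)?(\s|"|$)`) nocase

  outcome:
    $risk_score = 10
    $mitre_attack_tactic = "Discovery"
    $mitre_attack_technique = "System Owner/User Discovery"
    $mitre_attack_technique_id = "T1033"
    // Context fields for the alert graph (single-event rule, no aggregation).
    $principal_hostname = $process.principal.hostname
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id
    $principal_user_userid = $process.principal.user.userid

  condition:
    $process
}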
Chronicle (YARA-L) Original YARA-L T1059 ↗
sap_netweaver_application_server_as_java_cve20206287_detection
A critical vulnerability in the LM Configuration Wizard component of the "SAP NetWeaver Application Server (AS) Java" platform allows unauthenticated users to run code. If successfully exploited, high-privilege users can be created, unlimited authority over SAP systems obtained, and commands run with SAP service-user rights. Note that the query below matches on the product/version fields of a process-creation event (a vulnerable-version inventory check), not on exploitation traffic. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule sap_netweaver_application_server_as_java_cve20206287_detection {
 meta:
    author = "Furkan Celik"
    description = "It is a critical vulnerability in the LM Configuration Wizard component of the \"SAP NetWeaver Application Server (AS) Java\" platform, allowing unauthenticated users to run code. If it is successfully exploited, high authority users can be created, unlimited authority to SAP systems, commands can be run with SAP service user rights.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/IpNtUupYw88W"
    version = "0.01"
    created = "2020/07/16"
    product = "windows"
    service = "sysmon"
    mitre = "T1190, vulnerability_scanning, T1059, execution"

  events:
    // What this actually does: fire on a Sysmon process-creation event (event
    // id 1) whose metadata.description is one of four NetWeaver version strings
    // and whose metadata.product_name is "SAP NetWeaver". That is a
    // vulnerable-version inventory check on binaries that execute, not a
    // detection of CVE-2020-6287 exploitation (per the description, that is an
    // unauthenticated code-execution path in the LM Configuration Wizard, so
    // exploitation would most likely surface in HTTP/application telemetry).
    // NOTE(review): the fields look like a Sigma translation of Sysmon's PE
    // "Product"/"Description"/"FileVersion" values. Whether the Chronicle parser
    // puts those in metadata.description / metadata.product_name (rather than
    // in target.process.file.* or using product_name for the log source itself)
    // should be confirmed; if product_name is the log source, this never fires.
    // NOTE(review): the version comparisons are exact-equality; file version
    // strings are usually longer (e.g. "7.40.x"), so a prefix match may be
    // needed once the field mapping is confirmed.
($selection.metadata.product_event_type = "1" and ($selection.metadata.description = "7.31" or $selection.metadata.description = "7.4" or $selection.metadata.description = "7.3" or $selection.metadata.description = "7.5") and $selection.metadata.product_name = "SAP NetWeaver")

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1036 ↗
signal_desktop_app_privilege_escalation
Detects the Signal Desktop v1.29 privilege-escalation vulnerability: during startup the application executes c:\node_modules\.bin\wmic.exe if it exists, and by default on Windows low-privileged users may create folders under root-level drives. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
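rule signal_desktop_app_privilege_escalation {
  meta:
    author = "Halil Ibrahim Cosgun"
    description = "Detects Signal Desktop v1.29 app privilege escalation vulnerability. During the startup the application will execute the c:\\node_modules\\.bin\\wmic.exe binary if it exists. By default on Windows, low privileged users have the privilege to create folders under root level drives.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/JxHcCHvtyUEG"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    // T1044 is a retired ATT&CK ID (superseded by T1574.010); kept so existing
    // cross-links resolve.
    mitre = "Execution, Defense_Evasion, Persistence, Privilege_Escalation, T1218, T1036, T1044"

  events:
    // The original patterns used `\\\\` inside raw strings, i.e. a regex for
    // TWO consecutive backslashes. Paths carry single separators, so neither
    // branch could match a real path (a Sigma "\\" escape was double-escaped
    // on conversion). `\\` here is one literal backslash.
    (
      (
        // Sysmon 1: Signal.exe launching the planted wmic.exe.
        $selection1.metadata.product_event_type = "1" and
        re.regex($selection1.principal.process.file.full_path, `\\Signal\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `\\node_modules\\\.bin\\wmic\.exe`) nocase
      )
      or
      (
        // Sysmon 11: the planted binary being written.
        $selection1.metadata.product_event_type = "11" and
        re.regex($selection1.target.file.full_path, `\\node_modules\\\.bin\\wmic\.exe$`) nocase
      )
    )

  condition:
    $selection1
}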
Chronicle (YARA-L) Original YARA-L T1059 ↗
stop_ransomware_and_vidar_ransomware_detection
This rule detects the behavior of a combination between STOP Ransomware and Vidar Ransomware. Both threats are used in combination in order to steal information after a phishing attack was successfully executed. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule stop_ransomware_and_vidar_ransomware_detection {
  // Purpose: post-infection clean-up behaviour attributed in meta.description to the
  // STOP/Vidar pairing, on either Windows Security 4688 or Sysmon event 1:
  //   - cmd.exe running a `taskkill ... & erase C:\Users\...\AppData\Local\Temp\...\*.exe & exit`
  //     chain (the first regex is the literal 5.exe sample, the second generalises the name);
  //   - icacls.exe adding a deny ACE for S-1-1-0 (the well-known Everyone SID) on a
  //     C:\Users\...\AppData\Local path.
 meta:
    author = "Ariel Millahuel"
    description = "This rule detects the behavior of a combination between STOP Ransomware and Vidar Ransomware. Both threats are used in combination in order to steal information after a phishing attack was succesfully executed  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eLntKUKd5pKY"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  // NOTE(review): target.process.file.full_path is compared for equality with the bare
  // names "cmd.exe" / "icacls.exe". If the parser stores a full path here, these
  // equalities never hold and the rule is dead; an ends-with regex would be the
  // faithful translation of the original Sigma `Image|endswith` — confirm.
  events:
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and (($selection1.target.process.file.full_path = "cmd.exe" and (re.regex($selection1.target.process.command_line, `/c taskkill /im 5\.exe /f & erase C:\\Users.*\\AppData\\Local\\Temp.*\\5\.exe & exit`) or re.regex($selection1.target.process.command_line, `/c taskkill /im .*\.exe /f & erase C:\\Users.*\\AppData\\Local\\Temp.*.*\.exe & exit`))) or ($selection1.target.process.file.full_path = "icacls.exe" and re.regex($selection1.target.process.command_line, `icacls C:\\Users.*\\AppData\\Local.*\\deny .*S-1-1-0:\(Ol\)\(Cl\)\(DE,DC\)`))))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1041 ↗
suspicious_curl_usage
cURL is a command line browser, and often used by attackers to download malware. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule suspicious_curl_usage {
  // Purpose: curl.exe launched from cmd.exe with one of seven command-line shapes
  // the author associates with malware retrieval or C2-style usage (ftp transfer,
  // SOCKS5 via a "torproxy" host, -F upload of an .exe, custom DNS/resolve options,
  // a specific "X-Application: BotClient" header).
 meta:
    author = "Emir Erdogan"
    description = "cURL is a command line browser, and often used by attackers to download malware.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/NTrME73OyT8w"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1188, T1079, T1041"

  // Both image paths are exact-match strings, so curl copied elsewhere or launched
  // from a different shell (e.g. PowerShell) is out of scope by design.
  // NOTE(review): no `nocase` on the regexes and no case handling on the two path
  // equalities — a differently cased path (e.g. system32) would be missed; confirm
  // how the parser normalises paths before relying on this.
  events:
($selection.target.process.file.full_path = "C:\\Windows\\System32\\curl.exe" and $selection.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and (re.regex($selection.target.process.command_line, `.*curl ftp.*`) or re.regex($selection.target.process.command_line, `.*curl --socks5 torproxy.*`) or re.regex($selection.target.process.command_line, `.*curl -F .*\.exe.*`) or re.regex($selection.target.process.command_line, `.*curl --dns-ipv4-addr.*`) or re.regex($selection.target.process.command_line, `.*curl --dns-interface eth1.*`) or re.regex($selection.target.process.command_line, `.*curl --resolve.*`) or re.regex($selection.target.process.command_line, `.*curl --header \"X-Application: BotClient\".*`)))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1036 ↗
suspicious_process_created_on_unusual_directories
Detect Suspicious Process on Unusual Directories License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule suspicious_process_created_on_unusual_directories {
  // Purpose: Sysmon process creation (event type "1") where the new image lives in
  // one of sixteen directories that rarely host legitimate executables
  // (Fonts, Media, Help, Debug, addins, repair, security, PerfLogs, $Recycle.bin,
  // Public/Default/NetworkService profiles, the systemprofile config path, Intel\Logs,
  // and web roots such as \htdocs or \wwwroot).
 meta:
    author = "Erdem Kucukmustafa"
    description = "Detect Suspicious Process on Unusual Directories  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/lVgFe7QyLrys"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "Defense_Evasion, T1036"

  // NOTE(review): in `C:\\$Recycle\.bin.*` the `$` is unescaped. In RE2-style syntax
  // an unescaped `$` is an end-of-text anchor, so this alternative can never match a
  // real path; it should read `C:\\\$Recycle\.bin.*`.
  // NOTE(review): the patterns are case-sensitive (no `nocase`) and mix `system32`
  // with `Windows`; paths cased as `System32` would miss the systemprofile branch.
  events:
($selection.metadata.product_event_type = "1" and (re.regex($selection.target.process.file.full_path, `C:\\Windows\\Fonts.*`) or re.regex($selection.target.process.file.full_path, `.*\\htdocs.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\Media.*`) or re.regex($selection.target.process.file.full_path, `C:\\Users\\Public.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\system32\\config\\systemprofile.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\addins.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\Debug.*`) or re.regex($selection.target.process.file.full_path, `C:\\Users\\NetworkService.*`) or re.regex($selection.target.process.file.full_path, `C:\\Users\\Default.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\Help.*`) or re.regex($selection.target.process.file.full_path, `C:\\Intel\\Logs.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\repair.*`) or re.regex($selection.target.process.file.full_path, `C:\\PerfLogs.*`) or re.regex($selection.target.process.file.full_path, `C:\\$Recycle\.bin.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\security.*`) or re.regex($selection.target.process.file.full_path, `.*\\wwwroot.*`)))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1053 ↗
suspicious_scheduled_task
Detection of suspicious scheduled tasks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule suspicious_scheduled_task {
  // Purpose: two command-line shapes in any event carrying target.process.command_line:
  //   (1) a schtasks /create with a per-MINUTE schedule, the task name
  //       SystemSoundsServices and a quoted regsvr32.exe action — a single known
  //       persistence sample, so expect near-zero false positives and little coverage;
  //   (2) the `/s /n /u /i:http:` switch sequence, i.e. regsvr32 fetching a scriptlet
  //       from an HTTP URL, which generalises well beyond that sample.
 meta:
    author = "Emir Erdogan"
    description = "Detection of suspicious scheduled tasks  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/1ULlEDq8oA0b"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1053, T1168"

  // NOTE(review): unlike the sibling rules there is no product_event_type or
  // product filter, so this is evaluated against every event type that populates
  // the command line field; scope it if volume or cost is a concern.
  events:
(re.regex($selection.target.process.command_line, `.*schtasks\.exe /create /sc MINUTE /tn SystemSoundsServices /tr \"regsvr32\.exe\".*`) or re.regex($selection.target.process.command_line, `.*/s /n /u /i:http:.*`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1056 ↗
the_gocgle_malicious_campaign
Detects Web Skimming Attacks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule the_gocgle_malicious_campaign {
  // Purpose: pure indicator match for the "gocgle" web-skimming campaign: proxy
  // events whose hostname is one of nine look-alike analytics/tag-manager domains
  // or whose target IP is one of four addresses. Either list alone is sufficient.
  // These IoCs date from the rule's creation (2021) and will decay; move them to a
  // reference list so they can be refreshed without editing the rule.
 meta:
    author = "Osman Demir"
    description = "Detects Web Skimming Attacks  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/LI0qbtGS0Jtv"
    version = "0.01"
    created = "2021-03-09"
    category = "proxy"
    mitre = "T1056, Collection"

  // NOTE(review): the domain test is on principal.hostname, while the IP test is on
  // target.ip. For proxy logs the requested site normally lands in the target.*
  // fields and principal.* describes the client — confirm the UDM mapping for your
  // proxy parser, otherwise the domain branch compares against the wrong host.
  events:
(($selection.principal.hostname = "gocgle-analytics.net" or $selection.principal.hostname = "googlo-analytics.com" or $selection.principal.hostname = "gocgletagmanager.com" or $selection.principal.hostname = "googlc-analytics.com" or $selection.principal.hostname = "gocgle-analytics.cm" or $selection.principal.hostname = "gocgletagmanager.cm" or $selection.principal.hostname = "gocgle-analytics.com" or $selection.principal.hostname = "analytic.is" or $selection.principal.hostname = "qdtf54y6eu7i87t.ga") or ($selection.target.ip = "5.188.9.61" or $selection.target.ip = "5.188.9.33" or $selection.target.ip = "5.188.9.40" or $selection.target.ip = "194.180.224.112"))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1007 ↗
ursnif_trojan_detection_cmd_obfuscation
Ursnif, one of the most popular banking trojans, uses an obfuscated command prompt. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule ursnif_trojan_detection_cmd_obfuscation {
  // Purpose: Rundll32.exe spawned by cmd.exe with a command line naming one specific
  // DLL under C:\ProgramData and an export name broken up with caret characters
  // (`Dl^lRegi^sterSe^rver`), the cmd.exe escape trick used to defeat naive
  // string matching on DllRegisterServer.
 meta:
    author = "Emir Erdogan"
    description = "Most popular banking trojan which is called as ursnif uses obfuscated command prompt  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/phnp9PkFC7Zm"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1047, T1497, T1080, T1007, T1082, T1071, T1064, T1113, T1091, T1105, T1060, T1012, T1093, T1027, T1036"

  // NOTE(review): the DLL path/name and the exact caret positions are sample-specific,
  // so this fires on one known build only. A caret anywhere inside the rundll32
  // export argument is the durable part of the signal and would generalise it.
  // NOTE(review): several IDs in `mitre` (e.g. T1064, T1060, T1093) are legacy or
  // revoked technique numbers — refresh the mapping when the rule is next edited.
  events:
($selection.target.process.file.full_path = "C:\\Windows\\System32\\Rundll32.exe" and re.regex($selection.principal.process.file.full_path, `C:\\Windows\\System32\\cmd\.exe.*`) and re.regex($selection.target.process.command_line, `.*C:\\ProgramData\\ZyGHisczAWv\.dll,Dl^lRegi^sterSe^rver.*`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1027.004 ↗
wastedlocker_ransomware_hunting_defense_evasion
This rule is part of the Cisco Talos investigation into this ransomware, which covers many ATT&CK techniques that I'll be writing up in separate rules. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule wastedlocker_ransomware_hunting_defense_evasion {
  // Purpose: three defence-evasion artefacts from the Cisco Talos WastedLocker write-up,
  // on Windows Security 4688 or Sysmon event 1:
  //   - cvtres.exe /NOLOGO /READONLY writing a .tmp under a user's Temp directory;
  //   - PsExec -s running a `for /F ... wevtutil el` loop that clears every event log
  //     (`wevtutil cl`), i.e. T1070.001 from the `mitre` field;
  //   - csc.exe compiling from a .cmdline file in the same Temp sub-folder.
  // Any one branch is sufficient.
 meta:
    author = "Ariel Millahuel"
    description = "This rule its part of Cisco Talos investigation about this ransomware, and includes a lot of ATT&CK techniques that i'll be writing in different rules.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/kNavqYGJrev8"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "defense_evasion, T1027.004, T1070.001"

  // NOTE(review): the PsExec branch compares full_path with "PsExec.exe.exe" — the
  // doubled extension looks like a conversion artefact and would never match;
  // "PsExec.exe" is almost certainly intended.
  // NOTE(review): the cvtres/csc branches pin sample-specific names (RESF8F4.tmp,
  // h4bie4kg, the CSC...TMP file). They are effectively hash-like IoCs for one
  // build; the wevtutil log-clearing loop is the branch that generalises.
  // As in the sibling rules, full_path is tested for equality with a bare file name —
  // confirm the parser populates it that way or this rule is dead.
  events:
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and ((($selection1.target.process.file.full_path = "cvtres.exe" and re.regex($selection1.target.process.command_line, `.*cvtres\.exe /NOLOGO /READONLY /MACHINE:.* /OUT:C:\\Users.*\\AppData\\Local\\Temp\\RESF8F4\.tmp c:\\Users.*\\AppData\\Local\\Temp\\h4bie4kg\\CSC81E10858D57A44649763EE5728D5E87\.TMP.*`)) or ($selection1.target.process.file.full_path = "PsExec.exe.exe" and re.regex($selection1.target.process.command_line, `PsExec\.exe -s .* cmd /c for /F tokens=.* %1 in \('wevtutil\.exe el'\) DO wevtutil\.exe cl %1`))) or ($selection1.target.process.file.full_path = "csc.exe" and re.regex($selection1.target.process.command_line, `csc\.exe /noconfig /fullpaths @C:\\Users.*\\AppData\\Local\\Temp\\h4bie4kg\\h4bie4kg\.cmdline`))))

  condition:
    $selection1
}
Microsoft Sentinel Original KQL T1059 ↗
A host is potentially running a hacking tool (ASIM Web Session schema)
'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSessio
// Purpose: flag web sessions whose User-Agent matches a known "Hacking Tool" UA,
// combining a public indicator CSV with the tenant's UnusualUserAgents watchlist.
let threatCategory="Hacking Tool";
// Reference UA list fetched from the Azure-Sentinel GitHub repository at query time.
// NOTE(review): the remote CSV is retrieved on every run and its rows directly decide
// what is alerted on; pin to a commit or mirror it if you need reproducible, reviewed
// detection content rather than whatever the branch head holds.
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
    [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
        with(format="csv", ignoreFirstRecord=True));
// Keep only rows of the selected category, collapsed into one dynamic array.
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
// Tenant-specific additions from the watchlist, keyed by the same category;
// column_ifexists keeps the query valid when the watchlist has no UserAgent column.
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
// ASIM WebSession parser; the has_any list is pushed into the parser as a filter.
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
// Split the UPN into the name / suffix pair used for the account entity mapping.
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
Microsoft Sentinel Original KQL T1005 ↗
ADFS DKM Master Key Export
'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor To understand further the details behind this detection, please review the details in the original PR and subsequent PR update to this: https://github.com/Azure/Azure-Sentine
// Purpose: detect reads of the ADFS DKM key material, which is stored as the
// thumbnailPhoto attribute of a contact object under CN=ADFS,CN=Microsoft,CN=Program Data.
// Three sources are unioned; isfuzzy=true lets the query run when a table is absent.
(union isfuzzy=true 
// Branch 1: classic SecurityEvent table with pre-parsed 4662 fields.
(SecurityEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where ObjectServer == 'DS'
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
| extend timestamp = TimeGenerated, DeviceName = Computer
),
// Branch 2: WindowsEvent table (raw EventData); has_all pre-filters before the
// per-field tostring() extractions repeat the same three conditions.
( WindowsEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
| extend ObjectServer = tostring(EventData.ObjectServer)
| where ObjectServer == 'DS'
| extend OperationType = tostring(EventData.OperationType)
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| extend ObjectType = tostring(EventData.ObjectType)
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| extend Properties = tostring(EventData.Properties)
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
| extend timestamp = TimeGenerated, DeviceName = Computer
),
// Branch 3: Defender for Endpoint LDAP telemetry — an LDAP search requesting
// thumbnailPhoto scoped to the ADFS container, with no SACL dependency.
(DeviceEvents
| where ActionType =~ "LdapSearch"
| where AdditionalFields.AttributeList contains "thumbnailPhoto"
| where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
)
)
// Without the per-domain ObjectName filter above, branches 1 and 2 fire on any
// audited thumbnailPhoto read of a contact object; tune it per the description.
| extend Account = strcat(AccountDomain, "\\", AccountName)
Microsoft Sentinel Original KQL T1136.003 ↗
Account created from non-approved sources
'This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistent access to an environment. Created accounts should be investigated to confirm expected creation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts'
// Purpose: alert on "Add User" audit events whose new UPN domain was not seen in any
// successful sign-in (primary or alternate sign-in name) over the previous 7 days.
// Baseline 1: domains of successful primary sign-ins.
let core_domains = (SigninLogs
  | where TimeGenerated > ago(7d)
  | where ResultType == 0
  | extend domain = tolower(split(UserPrincipalName, "@")[1])
  | summarize by tostring(domain));
// Baseline 2: domains of successful sign-ins made with an alternate name.
  let alternative_domains = (SigninLogs
  | where TimeGenerated > ago(7d)
  | where isnotempty(AlternateSignInName)
  | where ResultType == 0
  | extend domain = tolower(split(AlternateSignInName, "@")[1])
  | summarize by tostring(domain));
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName =~ "Add User"
  // Initiator can be an app or a user; both sets of properties are surfaced.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | extend UserAdded = tostring(TargetResources[0].userPrincipalName)
  // Guest UPNs look like user_domain.tld#EXT#@tenant: take the part before #EXT#
  // and split it on "_" to recover the home domain.
  // NOTE(review): split(...,"_")[1] is the *second* segment, not the last; a guest
  // whose local part itself contains "_" (first_last_domain.tld) yields the wrong
  // domain here and in AddedByUPNSuffix below. Consider the last array element.
  | extend UserAddedDomain = case(
  UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[1]),
  UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[1]),
  UserAdded)
  // Domain not in either baseline; note the baselines are lower-cased while
  // UserAddedDomain is not — confirm the domain casing in your tenant's UPNs.
  | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)
  | extend AddedByName = case(
  InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[0]),
  InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[0]),
  InitiatingUserPrincipalName)
  | extend AddedByUPNSuffix = case(
  InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[1]),
  InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[1]),
  InitiatingUserPrincipalName)
  | extend UserAddedName = case(
  UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[0]),
  UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[0]),
  UserAdded)
Microsoft Sentinel Original KQL T1078.004 ↗
Addition of a Temporary Access Pass to a Privileged Account
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello. A threat actor could use a TAP to register a new authentication method to maintain persistence to an account. Review any TAP creations to ensure they wer
// Purpose: alert when an admin registers a Temporary Access Pass for an account that
// currently holds an administrative role according to IdentityInfo.
// Latest IdentityInfo snapshot per UPN, filtered to role strings containing "admin"
// (contains is case-insensitive). NOTE(review): this also matches roles such as
// "Helpdesk Administrator"; tighten to an explicit role list if that is too broad.
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where OperationName =~ "Admin registered security info"
  | where ResultReason =~ "Admin registered temporary access pass method for user"
  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  // Case-normalised membership test against the privileged set above.
  | where tolower(TargetUserPrincipalName) in (admin_users)
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Name / UPN-suffix pairs for the target and initiator account entities.
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
Microsoft Sentinel Original KQL T1078 ↗
AdminSDHolder Modifications
'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/'
// Purpose: surface directory-object modifications (EventID 5136) whose ObjectDN is the
// AdminSDHolder container, aggregated per host/subject/object over the query window.
SecurityEvent
// Cheap string pre-filter on the raw XML before parsing out the DN.
| where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
// Host entity: short name plus the DNS-suffix portion of Computer (if any).
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
// Account entity: SubjectAccount arrives as DOMAIN\user.
| extend Name = tostring(split(SubjectAccount, "\\")[1]), NTDomain = tostring(split(SubjectAccount, "\\")[0])
Microsoft Sentinel Original KQL T1078.004 ↗
Anomalous Single Factor Signin
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrences. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
// Purpose: successful single-factor sign-ins in the last day from an unregistered
// device, where both the country/state pair and the ASN are absent from the
// 7d..1d baseline of successful sign-ins.
// Baseline of seen "Location-state" pairs (the last day is excluded so a new
// attacker location cannot baseline itself).
let known_locations = (SigninLogs
  | where TimeGenerated between(ago(7d)..ago(1d))
  | where ResultType == 0
  | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
  | summarize by LocationDetail);
// Baseline of seen autonomous system numbers over the same window.
let known_asn = (SigninLogs
  | where TimeGenerated between(ago(7d)..ago(1d))
  | where ResultType == 0
  | summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
// No deviceId => not an Azure AD registered/joined device.
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)
| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)
| extend LocationDetail = strcat(Location, "-", State)
| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName=tostring(DeviceParsed.displayName), OS=tostring(DeviceParsed.operatingSystem), Browser=tostring(DeviceParsed.browser)
// Both dimensions must be novel; a new ASN from a known location is not enough.
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail
// split(..., '@', N) returns a one-element array holding segment N.
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
Microsoft Sentinel Original KQL T1190 ↗
Anomalous User Agent connection attempt
'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
// Purpose: IIS requests carrying an unusually short (<= 5 chars) or unusually long
// (>= 1000 chars) User-Agent, from clients with fewer than 100 such requests —
// a low-volume oddity rather than a scanner flood.
let short_uaLength = 5;
let long_uaLength = 1000;
let c_threshold = 100;
W3CIISLog
// Exclude local IPs as these create noise
// NOTE(review): only 192.168.0.0/16 and IPv6 loopback are excluded; 10.0.0.0/8,
// 172.16.0.0/12 and 127.0.0.1 still count. ipv4_is_private(cIP) would cover all
// RFC 1918 ranges if that is the intent.
| where cIP !startswith "192.168." and cIP != "::1"
// "-" is IIS's empty-field marker; MSRPC is excluded as a known short legitimate UA.
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
| extend csUserAgent_size = string_size(csUserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
| where ConnectionCount < c_threshold
// Host and account entity fields.
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])
Microsoft Sentinel Original KQL T1078 ↗
Anomaly Sign In Event from an IP
'Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts'
// Purpose: find source IPs whose sign-in volume over the last hour is anomalous
// (series decomposition on 15-minute buckets) and that hit more than one user
// with at least one correct-password result — a spray/stuffing-then-success shape.
let LookBack = 1h;
let Data = (
SigninLogs
| where TimeGenerated >= ago(LookBack)
| where parse_json(NetworkLocationDetails)[0].networkType != "trustedNamedLocation" // Excludes known tagged networks
// Counts the number of sign in events in the last hour every 15 minutes by IP
| make-series EventCounts = count() on TimeGenerated from ago(LookBack) to now() step 15m by IPAddress 
);
let AnomalyAlert = (
Data
// Threshold 1.5 (default is 1.5), no seasonality (-1), linear-fit trend.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(EventCounts,1.5,-1,'linefit')
| mv-expand EventCounts,TimeGenerated,Anomalies to typeof(double),Baseline to typeof(long),Score to typeof(double)
// Keep only positive anomalies (spikes); dips are -1 and are dropped.
| where Anomalies > 0
);
AnomalyAlert
// Re-join the raw sign-ins per anomalous IP to add user/app/password context.
| join kind = inner (SigninLogs
| where TimeGenerated between (ago(LookBack) .. now())
| where parse_json(NetworkLocationDetails)[0].networkType != "trustedNamedLocation"
| extend PasswordResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)
| summarize UserCount = dcount(UserPrincipalName), UserList = make_set(UserPrincipalName), AppName = make_set(AppDisplayName), PasswordResult = make_list(PasswordResult) by IPAddress) on IPAddress
// PasswordResult is a dynamic list here; `has` is evaluated on its string form.
| where PasswordResult has "Correct Password"
| where UserCount > 1 // looks for events targeting more than one user.
Microsoft Sentinel Original KQL T1078.004 ↗
Application ID URI Changed
'Detects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed'
// Purpose: Application Management audit events in which an Application ID URI
// (AppIdentifierUri) was added, modified or removed, with old/new values and initiator.
AuditLogs
  | where Category == "ApplicationManagement"
  | where OperationName has_any ("Update Application", "Update Service principal")
  // Coarse pre-filter on the serialized TargetResources before the mv-expand.
  | where TargetResources has "AppIdentifierUri"
  // Initiator may be a user or an app; both are surfaced.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend mod_props = TargetResources[0].modifiedProperties
  | extend TargetAppName = tostring(TargetResources[0].displayName)
  // One row per modified property, then keep the AppIdentifierUri change only.
  | mv-expand mod_props
  | where mod_props.displayName has "AppIdentifierUri"
  | extend OldURI = tostring(mod_props.oldValue)
  | extend NewURI = tostring(mod_props.newValue)
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress
Microsoft Sentinel Original KQL T1078.004 ↗
Application Redirect URL Update
'Detects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes'
// Purpose: successful "Update Application" events that add at least one redirect
// address (AppAddress) not present before the change, with the new URLs and the
// initiating user or app.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where Result =~ "success"
  | where OperationName =~ 'Update Application'
  | where TargetResources has "AppAddress"
  // Flatten to one row per target resource, then per modified property.
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  | where TargetResources_modifiedProperties.displayName =~ "AppAddress"
  | extend Key = tostring(TargetResources_modifiedProperties.displayName)
  | extend NewValue = TargetResources_modifiedProperties.newValue
  | extend OldValue = TargetResources_modifiedProperties.oldValue
  | where isnotempty(Key) and isnotempty(NewValue)
  | project-reorder Key, NewValue, OldValue
  // Old/new values are JSON rendered as strings; pull every "Address" value out
  // with a regex rather than parsing, then diff the two sets.
  | extend NewUrls = extract_all('"Address":([^,]*)', tostring(NewValue))
  | extend OldUrls = extract_all('"Address":([^,]*)', tostring(OldValue))
  | extend AddedUrls = set_difference(NewUrls, OldUrls)
  | where array_length(AddedUrls) > 0
  // NOTE(review): only AdditionalDetails[0] is inspected; if User-Agent is not the
  // first entry the field is left empty. mv-apply or a key lookup would be robust.
  | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == "User-Agent", tostring(AdditionalDetails[0].value), "")
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)
  | extend TargetAppName = tostring(TargetResources.displayName)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, AddedBy, UserAgent
Microsoft Sentinel Original KQL T1204 ↗
Audit policy manipulation using auditpol utility
This detects attempts to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it. Refer to auditpol syntax: https://docs.microsoft.com/windows-serve
// Hunt: audit-policy tampering via auditpol, unioned across three process-creation sources
// (SecurityEvent 4688, Defender DeviceProcessEvents, Sysmon EventID 1 via the Event table).
// The pack tags this T1204; auditpol tampering is more commonly mapped to T1562.002 - confirm the intended mapping.
// NOTE(review): the process-name filters are intentionally commented (see description), so the only
// auditpol-specific signal in each branch is the "/subcategory:" parse below.
let timeframe = 1d;
// Accounts ignored in every branch. Because SYSTEM is allow-listed, tampering performed as SYSTEM
// (service, scheduled task, PsExec) is never surfaced - a deliberate noise trade-off worth revisiting.
// NOTE(review): the SecurityEvent and Sysmon branches compare DOMAIN\user-shaped columns (Account, User)
// against the bare value 'SYSTEM', so the allow-list may not actually match there - confirm the string forms.
let AccountAllowList = dynamic(['SYSTEM']);
let SubCategoryList = dynamic(["Logoff", "Account Lockout", "User Account Management", "Authorization Policy Change"]); // Add any Category in the list to be allowed or disallowed
// NOTE(review): "clear" and "remove" correspond to `auditpol /clear` and `auditpol /remove`, which take no
// /subcategory argument. Every branch requires the parsed SubCategory to be in SubCategoryList, so command
// lines that match only those two tokens are dropped - as written they never produce a row. The same applies
// to `auditpol /set /category:...` (the category form is not parsed) and to an unquoted /subcategory:Logoff
// value, since the split on '"' below then yields an empty SubCategory.
let tokens = dynamic(["clear", "remove", "success:disable","failure:disable"]); 
(union isfuzzy=true
(
// Branch 1: Windows Security 4688. CommandLine is only populated when process-creation command-line auditing is enabled.
SecurityEvent
| where TimeGenerated >= ago(timeframe)
//| where Process =~ "auditpol.exe" 
// has_any is term-based: with the process filter commented out, any command line containing "remove" or
// "clear" as a term (package managers, PowerShell Remove-*) reaches the parse below.
| where CommandLine has_any (tokens)
| where AccountType !~ "Machine" and Account !in~ (AccountAllowList)
// Expects the quoted form  /subcategory:"Logoff" /success:disable ; [1] is the quoted value, [2] the remainder.
| parse CommandLine with * "/subcategory:" subcategorytoken
| extend SubCategory = tostring(split(subcategorytoken, "\"")[1]) , Toggle =  tostring(split(subcategorytoken, "\"")[2])
| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion
| where Toggle !in~ ("/failure:disable", " /success:enable /failure:disable") // use this filter if required to exclude certain toggles
| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle
| extend timestamp = TimeGenerated, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, DeviceName = Computer
),
(
// Branch 2: Defender for Endpoint.
// NOTE(review): InitiatingProcessCommandLine is the *parent* process's command line in this table; the created
// process's own arguments live in ProcessCommandLine. An auditpol.exe spawned directly with its arguments is
// therefore matched only via whatever its parent's command line contains - consider matching both columns.
// Also note the allow-list is checked against AccountName (the created process's account) while the alert
// is later attributed to InitiatingProcessAccountName.
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
// | where InitiatingProcessFileName =~ "auditpol.exe" 
| where InitiatingProcessCommandLine has_any (tokens)
| where AccountName !in~ (AccountAllowList)
| parse InitiatingProcessCommandLine with * "/subcategory:" subcategorytoken
| extend SubCategory = tostring(split(subcategorytoken, "\"")[1]) , Toggle =  tostring(split(subcategorytoken, "\"")[2])
| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion
| where Toggle !in~ ("/failure:disable", " /success:enable /failure:disable") // use this filter if required to exclude certain toggles
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName,  InitiatingProcessCommandLine, SubCategory, Toggle
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
),
(
// Branch 3: Sysmon process-create events flattened from EventData XML into one column per Sysmon field.
Event
| where TimeGenerated > ago(timeframe)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
// | where OriginalFileName =~ "auditpol.exe"
| where CommandLine has_any (tokens)
| where User !in~ (AccountAllowList)
| parse CommandLine with * "/subcategory:" subcategorytoken
| extend SubCategory = tostring(split(subcategorytoken, "\"")[1]) , Toggle =  tostring(split(subcategorytoken, "\"")[2])
| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion
| where Toggle !in~ ("/failure:disable", " /success:enable /failure:disable") // use this filter if required to exclude certain toggles
| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle
// Sysmon User is DOMAIN\name; the part before the backslash is the NT domain, not a UPN suffix, and this branch
// never sets AccountDomain - so the Account built after the union is "\name" for Sysmon rows (confirm).
| extend timestamp = TimeGenerated, AccountName = tostring(split(User, @'\')[1]), AccountUPNSuffix = tostring(split(User, @'\')[0]), DeviceName = Computer
)
)
| extend Account = strcat(AccountDomain, "\\", AccountName)
Microsoft Sentinel Original KQL T1078.004 ↗
Authentication Attempt from New Country
Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-a
// Hunt: sign-in attempts (successful or not) from a country with no successful sign-in in the prior 14 days,
// excluding traffic sourced from Azure public IP ranges.
let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;
  // Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table
  // Fetch Azure IP address ranges data from a JSON file hosted on GitHub
  // NOTE(review): this is an external, mutable dependency pulled over the network on every run. If the
  // feed is unreachable the rule errors out; if the file were changed, the IP exclusion below would change
  // silently. Consider pinning to a commit hash or mirroring the ranges into a watchlist.
  let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)
  ["https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json"] with(format='multijson')
  // Load Azure IP address ranges from the JSON file hosted on GitHub
  | mv-expand values
  // Expand the values column into separate rows
  | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);
  // Create additional columns for the name and address prefixes
  // Identify known locations to be excluded from analysis
  // Baseline = every country with at least one successful sign-in (ResultType 0) between 14 days and 1 day ago.
  let ExcludedKnownLocations = CombinedSignInLogs
  // Filter the combined logs based on the specified time range
  | where TimeGenerated between (ago(14d)..ago(1d))
  // Filter by specific ResultType
  | where ResultType == 0
  // Summarize the logs by location
  | summarize by Location;
  // Find sign-in locations matching specific criteria
  // Candidate set = last day's sign-ins from any non-baseline country, keeping failures as well as successes.
  // The excluded codes look like invalid credentials / locked account / MFA required / session expired -
  // confirm against the current Entra error-code list before relying on that reading.
  let MatchedLocations = materialize(CombinedSignInLogs
  // Filter the combined logs based on the specified time range
  | where TimeGenerated > ago(1d)
  // Exclude specific ResultTypes
  | where ResultType !in (50126, 50053, 50074, 70044)
  // Exclude known locations
  | where Location !in (ExcludedKnownLocations));
  // Match IP addresses of matched locations with Azure IP address ranges
  let MatchedIPs = MatchedLocations
  // Use the 'ipv4_lookup' function to match IP addresses with Azure IP address ranges
  | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)
  // Project only the IPAddress column
  | project IPAddress;
  // Exclude IP addresses that are already matched with Azure IP address ranges
  let MaxSetSize = 5; // Set the maximum size limit for make_set
  // NOTE(review): despite its name, ExcludedIPs is the final result set - the sign-ins that are NOT from Azure ranges.
  let ExcludedIPs = MatchedLocations
  // Filter out IP addresses that are already matched
  | where not (IPAddress in (MatchedIPs))
  // Exclude empty or null Location values
  | where isnotempty(Location)
  // Handle dynamic and string column values for LocationDetails and DeviceDetail
  // (the two source tables expose these fields with different types; pick whichever is present)
  | extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
  | extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
  | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
  | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
  // Extract location details (city and state)
  | extend City = tostring(LocationDetails.city)
  | extend State = tostring(LocationDetails.state)
  | extend Place = strcat(City, " - ", State)
  | extend DeviceId = tostring(DeviceDetail.deviceId)
  | extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
  // Summarize the data based on UserPrincipalName, Location, and Category
  // Each make_set is capped at MaxSetSize, so a burst from many IPs/agents is only partially represented.
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),
  make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),
  make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),
  make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category
  // Extract the username prefix and suffix from UserPrincipalName
  | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]);
  ExcludedIPs // Output the final result set
  // IP entity = first element of the (unordered, capped) set; the remaining IPs stay in set_IPAddress.
  | extend IP = set_IPAddress[0]
Microsoft Sentinel Original KQL T1078.004 ↗
Authentications of Privileged Accounts Outside of Expected Controls
Detects when a privileged user account successfully authenticates from a location, device or ASN that no admin has logged in from in the last 7 days. Privileged accounts are a key target for threat actors; monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts. Authentication attempts should be investigated to ensure the activity was legitimate and to check for other similar activity. Ref: https://docs.microsoft.com/azure
// Hunt: successful interactive sign-in by an admin from an ASN AND device AND country that no admin used in the
// previous week. All three dimensions must be new for a row to surface (see the final where), which keeps the
// volume low but also misses an attacker on a new ASN inside a familiar country.
// Latest IdentityInfo snapshot per UPN; "contains" is a substring match, so any role whose name includes
// "admin" (Global, Helpdesk, Billing, ...) qualifies.
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  // Baselines below are built from ALL admin sign-ins in the window, including failed ones (no ResultType
  // filter). NOTE(review): an attacker's failed attempts during the previous week would therefore add their
  // ASN/location to the baseline and suppress the later success - consider restricting to ResultType == 0.
  let admin_asn = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by AutonomousSystemNumber);
  let admin_locations = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by Location);
  // Empty device IDs are dropped from the baseline, so a sign-in with no device ID compares as "new device".
  let admin_devices = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where isnotempty(deviceId)
  | summarize by deviceId);
  // Only interactive sign-ins (SigninLogs) are evaluated; AADNonInteractiveUserSignInLogs is not covered.
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)
Microsoft Sentinel Original KQL T1059 ↗
Base64 encoded Windows process command-lines (Normalized Process Events)
Identifies instances of a base64-encoded PE file header seen in the process command-line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent).
// Base64-encoded PE (DOS "MZ") header appearing in a process command line, via the ASIM process-create parser.
// The literal is the base64 of the bytes 4D 5A 90 00 03 00 00 00 04 00 00 - the usual DOS stub prefix - at a
// zero-byte alignment. NOTE(review): a PE embedded at a 1- or 2-byte offset inside the blob, or one whose
// e_cblp byte is not 0x90 (e.g. "TVoA..." for MZ\x00), is not matched, and neither is a UTF-16LE
// -EncodedCommand payload. `contains` is case-insensitive, so differently-cased look-alikes also match.
let mzHeaderB64 = "TVqQAAMAAAAEAAA";
imProcessCreate
| where isnotempty(Process) and CommandLine contains mzHeaderB64
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count()
    by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
// Entity columns: split DOMAIN\user, then host / DNS-suffix from the (possibly FQDN) device name.
| extend AccountName = tostring(split(ActorUsername, @'\')[1]),
         AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend dotPos = toint(indexof(Dvc, '.'))
| extend HostName = tostring(split(Dvc, ".")[0]),
         HostNameDomain = iif(dotPos != -1, substring(Dvc, dotPos + 1), Dvc)
| project-away dotPos
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to Application Logout URL
Detects changes to an application's sign-out URL. Look for any modifications to a sign-out URL: blank entries, or entries pointing to non-existent locations, would stop a user from terminating a session. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed
// Hunt: URL-type property changes on applications / service principals in Entra audit logs.
// NOTE(review): the filter below is `Action contains "Url"`, so this surfaces EVERY modified property whose
// name contains "Url" (reply URLs, home page, logout URL, ...), not only the sign-out URL the title describes.
// Narrow it (e.g. `Action has "LogoutUrl"`) if only sign-out changes are wanted - confirm the property name
// as it appears in your tenant's audit records first.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where OperationName has_any ("Update Application", "Update Service principal")
  // Actor: either an app (service principal) or a user - only one side of InitiatedBy is populated.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend TargetAppName = tostring(TargetResources[0].displayName)
  // One output row per modified property of the first target resource.
  | extend mod_props = TargetResources[0].modifiedProperties
  | mv-expand mod_props
  | extend Action = tostring(mod_props.displayName)
  | where Action contains "Url"
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  // Old/new values are kept as raw strings (often JSON arrays) for the analyst to compare.
  | extend OldURL = tostring(mod_props.oldValue)
  | extend NewURL = tostring(mod_props.newValue)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to Application Ownership
Detects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner
// Hunt: a new owner added to an application registration. Owners can add credentials to the app and so
// inherit whatever it is permitted to do - treat unexpected additions as privilege escalation.
// NOTE(review): only the "Add owner to application" operation is matched; owner changes on the service
// principal use a different OperationName and are not covered here - confirm and extend if needed.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where OperationName =~ "Add owner to application"
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Positional assumption: TargetResources[0] is the user being added as owner - verify against sample events.
  | extend TargetUserPrincipalName = TargetResources[0].userPrincipalName
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  | extend mod_props = TargetResources[0].modifiedProperties
  | mv-expand mod_props
  // Keeps only the property carrying the app's display name; an event lacking it is dropped entirely.
  | where mod_props.displayName =~ "Application.DisplayName"
  | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))
  | extend AddedUser = TargetUserPrincipalName
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to PIM Settings
PIM provides a key mechanism for assigning privileges to accounts; this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
// Hunt: changes to a PIM role's settings (activation duration, approval / MFA requirements, notifications).
// Actor details are read from InitiatedBy.user only; a change performed by an app or service principal
// presumably surfaces with empty initiator columns - confirm before relying on the actor fields for triage.
AuditLogs
  | where Category =~ "RoleManagement" and OperationName =~ "Update role setting in PIM"
  | extend actor = InitiatedBy.user
  | extend InitiatingUserPrincipalName = tostring(actor.userPrincipalName),
           InitiatingAadUserId = tostring(actor.id),
           InitiatingIPAddress = tostring(actor.ipAddress)
  // Entity columns: local part and domain of the initiator's UPN.
  | extend upnParts = split(InitiatingUserPrincipalName, "@")
  | extend InitiatingAccountName = tostring(upnParts[0]), InitiatingAccountUPNSuffix = tostring(upnParts[1])
  | project-away actor, upnParts
  | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix
Microsoft Sentinel Original KQL T1078 ↗
Cisco - firewall block but success logon to Microsoft Entra ID
Correlates IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID sign-ins. Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.
// Hunt: public source IPs denied by a Cisco device (CEF via CommonSecurityLog) that also produced an Entra
// sign-in whose password stage succeeded. The same logic is applied to the interactive and non-interactive
// sign-in tables through aadFunc.
// NOTE(review): DeviceAction is matched on the single string "denied"; Cisco products emit several block
// verbs ("Deny", "Blocked", ...) depending on model and log format - confirm against your feed.
let aadFunc = (tableName:string){
CommonSecurityLog
| where DeviceVendor =~ "Cisco"
| where DeviceAction =~ "denied"
// RFC1918 sources are ignored; only Internet-facing blocks are correlated.
| where ipv4_is_private(SourceIP) == false
| summarize count() by SourceIP
// Default (innerunique) join is fine here because the left side is already one row per SourceIP.
| join (
    // Successful signins from IPs blocked by the firewall solution are suspect
    // Include fully successful sign-ins, but also ones that failed only at MFA stage
    // as that implies the password was correct (50074/50076 are read here as MFA-stage
    // results - confirm against the current Entra error-code list).
  table(tableName)
  | where ResultType in ("0", "50074", "50076")
) on $left.SourceIP == $right.IPAddress
// NOTE(review): `Account` is not an obvious column of SigninLogs / AADNonInteractiveUserSignInLogs (the UPN is
// normally in UserPrincipalName); confirm it resolves in your workspace, otherwise the entity columns are empty.
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
Microsoft Sentinel Original KQL T1078.004 ↗
Conditional Access Policy Modified by New User
Detects a Conditional Access policy being modified by a user who has not modified a policy in the last 14 days. A threat actor may try to modify policies to weaken the security controls in place. Investigate any change to ensure it was approved. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
// Hunt: a successful Conditional Access policy change by a UPN with no successful CA change in the prior
// 14 days (window ends 1 day ago so today's actor is never in its own baseline).
// Baseline actors. NOTE(review): app/service-principal-initiated changes have an empty user UPN; if any such
// change exists in the window, the empty string lands in known_users and every future app-initiated change
// is suppressed. If none exists, every app-initiated change alerts with no user actor. Consider keying the
// baseline on the app id as well - confirm how InitiatedBy looks for those events in your tenant.
let known_users = (AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName has "conditional access policy"
  | where Result =~ "success"
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | summarize by InitiatingUserPrincipalName);
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName has "conditional access policy"
  | where Result =~ "success"
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppId = tostring(InitiatedBy.app.appId)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend CAPolicyName = tostring(TargetResources[0].displayName)
  | where InitiatingUserPrincipalName !in (known_users)
  // Positional assumption: the first modified property holds the policy body - verify against sample events.
  | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue
  | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, OperationName, CAPolicyName, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, NewPolicyValues, OldPolicyValues
Microsoft Sentinel Original KQL T1048 ↗
DNS events related to ToR proxies (ASIM DNS Schema)
Identifies IP addresses performing DNS lookups associated with common Tor proxies (tor2web-style gateways). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.
// Hunt: DNS lookups for tor2web-style gateways (clearnet front-ends into Tor hidden services), via the ASIM DNS parser.
// NOTE(review): this is a static, dated list of gateway names - it does not cover direct Tor use, bridges or
// newer gateways, so read it as a low-volume, high-signal hunt rather than Tor coverage. The parser's
// domain_has_any filter is presumably term-based, so subdomains of these names also match - confirm.
let torGateways = dynamic([
    "tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab", "onion.nu", "onion.link",
    "onion.it", "onion.city", "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi",
    "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt",
    "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net"]);
_Im_Dns(domain_has_any=torGateways)
// Entity columns: short host name and DNS suffix derived from the (possibly FQDN) device name.
| extend dotPos = toint(indexof(Dvc, '.'))
| extend HostName = tostring(split(Dvc, ".")[0]),
         HostNameDomain = iif(dotPos != -1, substring(Dvc, dotPos + 1), Dvc)
| project-away dotPos
Microsoft Sentinel Original KQL T1078 ↗
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
This hunting query alerts on any Impossible Travel activity correlated with mailbox-permission tampering, followed by an account being added to a PIM-managed privileged role or group. Verify that this impossible-travel incident, together with the increase in privileges, is legitimate in your environment.
// Hunt: three-stage correlation - (1) an "Impossible travel activity" alert, (2) the same account granting
// FullAccess on a mailbox via Add-MailboxPermission, (3) that account then requesting an eligible PIM role.
// Stage 1: explode the alert's Entities array and rebuild the account as a lower-cased UPN.
SecurityAlert 
| where AlertName == "Impossible travel activity"
| extend Extprop = parsejson(Entities)
| mv-expand Extprop
| extend Extprop = parsejson(Extprop)
| extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
| extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
| extend Account = Extprop['Name']
| extend Domain = Extprop['UPNSuffix']
| extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
| extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
| extend Process = iff(isnotempty(CmdLine), CmdLine, File)
// Non-account entity rows keep an empty Account and simply fail the join below.
| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId
// Stage 2: FullAccess mailbox delegation by the same UPN.
// Positional assumption: Parameters[3] is the AccessRights argument - verify against sample records; no time
// ordering between stage 1 and stage 2 is enforced.
| join kind=inner
(
OfficeActivity
| where Operation =~ "Add-MailboxPermission"
| extend value = tostring(parse_json(Parameters)[3].Value)
| where value contains "FullAccess"
| where ResultStatus == "True"
| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId
) on $left.Account == $right.UserId
// Stage 3: eligible-role request in PIM.
// NOTE(review): the join key Initiatedby is the AuditLogs Identity column, which is normally a display
// name, while UserId on the left is UPN-shaped - so this join may never match. InitiatedBy.user.userPrincipalName
// is the like-for-like key; confirm against your data. TargetResources[0..3] are positional assumptions too.
| join kind=inner
(
AuditLogs
| where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
| where AADOperationType =~ "CreateRequestEligibleRole"
| where TargetResources has_any ("-PRIV", "Administrator", "Security")
| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))
| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
| extend Initiatedby = Identity
| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
| sort by TimeGenerated desc
) on $left.UserId == $right.Initiatedby
| extend AccountName = tostring(split(Initiatedby, "@")[0]), AccountUPNSuffix = tostring(split(Initiatedby, "@")[1])
| project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress
Microsoft Sentinel Original KQL T1071.001 ↗
Discord CDN Risky File Download (ASIM Web Session Schema)
'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in
// Hunt: successful web requests for executable-type attachments hosted on the Discord CDN, grouped by the
// numeric ID following "/attachments/" in the URL.
// NOTE(review): the description promises "a discord server that has only been seen once", but nothing below
// filters on dcount_Url or a request count - every matching server ID is returned. The first path segment
// after /attachments/ is, as far as we can tell, the channel ID rather than the server (guild) ID - confirm
// before naming it DiscordServerId in findings.
let discord=dynamic(["cdn.discordapp.com", "media.discordapp.com"]);
  _Im_WebSession(url_has_any=discord, eventresult='Success')
  | where Url has "attachments"
  | extend DiscordServerId = extract(@"\/attachments\/([0-9]+)\/", 1, Url)
  | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId
  // Expand the sets to one row per combination, then collapse again; dcount_Url survives but is not filtered on.
  | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)
  | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url
  | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url
  // Extension filter is applied per expanded URL (".bin" is listed twice; harmless). Archives, scripts and
  // LNK/ISO payloads are out of scope as written.
  | where RequestURL has_any (".bin",".exe",".dll",".bin",".msi")
  | extend AccountName = tostring(split(SourceUser, "@")[0]), AccountUPNSuffix = tostring(split(SourceUser, "@")[1])
Microsoft Sentinel Original KQL T1068 ↗
Email access via active sync
This query detects attempts to add attacker devices as allowed IDs for ActiveSync using the Set-CASMailbox command. This technique was seen in relation to the Solorigate attack, but the results can indicate potential malicious activity used in different attacks. - The query uses the KQL "has_all" operator, which only matches when the referenced field contains every string in the list. - Refer to S
// Hunt: Set-CASMailbox invoked with ActiveSyncAllowedDeviceIDs and "add" on a command line, across four
// process-creation sources. has_all requires every token to be present, so ordering/quoting of the arguments
// does not matter but all three must appear.
// NOTE(review): all four branches key on the process *command line*. A cmdlet typed into an existing
// PowerShell / Exchange Management Shell session, or run remotely via PowerShell remoting, never appears as a
// new process command line; PowerShell script-block logging (4104) or Exchange admin audit logs would be needed
// to cover that path.
let timeframe = 1d;
let cmdList = dynamic(["Set-CASMailbox","ActiveSyncAllowedDeviceIDs","add"]);
(union isfuzzy=true
(
// Branch 1: Windows Security 4688 via the SecurityEvent table (needs command-line auditing enabled).
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4688
| where CommandLine has_all (cmdList)
| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine
| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer
),
// Branch 2: the same 4688 events when collected into WindowsEvent; fields are pulled out of EventData.
( WindowsEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4688
| where EventData has_all (cmdList)
| extend CommandLine = tostring(EventData.CommandLine) 
| where CommandLine has_all (cmdList)
| extend Account =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend SubjectUserName = tostring(EventData.SubjectUserName)
| extend SubjectDomainName = tostring(EventData.SubjectDomainName)
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine
| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer
),
(
// Branch 3: Defender for Endpoint. Matches the *parent* (initiating) process command line; the created
// process's own arguments are in ProcessCommandLine and are not checked here - consider matching both.
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
| where InitiatingProcessCommandLine has_all (cmdList)
| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName,  InitiatingProcessCommandLine
| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, HostEntity = DeviceName
),
(
// Branch 4: Sysmon EventID 1, flattened from EventData XML into one column per Sysmon field.
Event
| where TimeGenerated > ago(timeframe)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| where TimeGenerated >= ago(timeframe)
| where CommandLine has_all (cmdList)
| extend Type = strcat(Type, ": ", Source)
| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine
| extend timestamp = TimeGenerated, AccountEntity = User, HostEntity = Computer
)
)
// Entity columns. Branch 3 never sets AccountEntity, so its AccountName/AccountDomain come from the extend
// inside that branch and the split below yields empty values for those rows (confirm in your results).
| extend HostName = tostring(split(HostEntity, ".")[0]), DomainIndex = toint(indexof(HostEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)
| extend AccountName = tostring(split(AccountEntity, @'\')[1]), AccountDomain = tostring(split(AccountEntity, @'\')[0])
Microsoft Sentinel Original KQL T1078.004 ↗
End-user consent stopped due to risk-based consent
Detects a user's consent to an OAuth application being blocked because the app was judged too risky. These events should be investigated to understand why the user attempted to consent to the application and what other applications they may have consented to. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
// Hunt: a failed "Consent to application" whose recorded failure reason mentions "Risky" - i.e. the
// risk-based consent policy blocked an end user from granting an app access.
AuditLogs
  | where OperationName has "Consent to application"
  | where Result =~ "failure"
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Positional assumption: the User-Agent is either the first or second AdditionalDetails entry; if it is
  // neither, [1].value is reported as the user agent regardless of its key - verify against sample events.
  | extend userAgent = iif(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))
  | where isnotempty(TargetResources)
  | extend TargetAppName = tostring(TargetResources[0].displayName)
  | extend TargetAppId = tostring(TargetResources[0].id)
  | mv-expand TargetResources[0].modifiedProperties
  // columnifexists is the older spelling of column_ifexists - confirm it is still accepted in your workspace.
  | extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
  | where isnotempty(TargetResources_0_modifiedProperties)
  // The trailing dot in "MethodExecutionResult." is part of the property name as emitted by the service.
  | where TargetResources_0_modifiedProperties.displayName =~ "MethodExecutionResult."
  | extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)
  | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
  // Substring match on the free-text failure reason; a wording change in the service would silently break this.
  | where FailureReason contains "Risky"
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent
Microsoft Sentinel Original KQL T1071 ↗
Europium - Hash and IP IOCs - September 2022
Identifies a match across various data feeds for hashes and IP IOCs related to Europium. Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government
// Europium - Hash and IP IOCs - September 2022 (Microsoft Sentinel, KQL).
// Loads a SHA256 / IPv4 IoC list from a remote CSV at query time, then unions matches
// across network, DNS, Sysmon, Office, firewall and Defender tables. Each branch is
// normalised to a common shape (timestamp, IPEntity, HostEntity, AccountName/AccountDomain,
// FileHash, InitiatingProcessAccount) so the result can feed a single set of entity mappings.
// NOTE(review): externaldata() fetches the feed over HTTPS from raw.githubusercontent.com on
// every run. The feed's contents decide what this rule matches: an outage makes the rule
// silently match nothing, and an upstream edit changes results without any change here.
// Consider pinning the URL to a specific commit or mirroring the CSV into a watchlist —
// confirm against your threat-intel handling process.
let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Europium_September2022.csv"] with (format="csv", ignoreFirstRecord=True);
// Split the feed by its Type column (case-insensitive) into the two lists used below.
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
let IPList = (iocs | where Type =~ "ip"| project IoC);
// IPv4 dotted-quad pattern used to pull an address out of free-text fields.
// It only checks 1-3 digits per octet, not the 0-255 range.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// isfuzzy=true: a branch whose table is absent from the workspace is dropped instead of
// failing the whole query, so the rule degrades quietly when a data source is not onboarded.
(union isfuzzy=true
// --- CommonSecurityLog (CEF): match on source/destination IP or an IoC anywhere in Message.
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' * 
| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type
// NOTE(review): extract(..., 0, ...) returns only the first IP in Message / RequestURL. If the
// IoC is a later address in the text, has_any matches the row but IPMatch/IPEntity fall
// through to "NoMatch".
| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message",  "NoMatch")
| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch")
),
// --- DnsEvents: match on the resolved address.
// NOTE(review): exact `in` match on IPAddresses assumes one address per row; confirm how
// multi-answer responses are stored in this workspace before relying on this branch.
(DnsEvents
| where IPAddresses in (IPList)  
| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer 
| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Computer
),
// --- VMConnection (Azure Monitor dependency agent): match on either endpoint.
// NOTE(review): the no-match value is "None" here but "NoMatch" in the CommonSecurityLog
// branch (and IPEntity below still uses "NoMatch"); anything filtering on IPMatch/IPEntity
// downstream has to allow for both spellings.
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None") 
| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), File = ProcessName, HostEntity = Computer
),
// --- Sysmon event 3 (network connection) via the Event table, parsed from the EventData XML.
// NOTE(review): fields are read by position (index 4 -> Image, 9 -> SourceIP, 14 -> DestinationIP).
// These offsets are tied to the Sysmon schema version that produced the events — verify
// against the Sysmon configuration deployed in this environment.
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"]), Image = tostring(EventDetail.[4].["#text"])
| where SourceIP in (IPList) or DestinationIP in (IPList)
| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None")
// UserName is treated as DOMAIN\user: index 0 -> AccountDomain, index 1 -> AccountName.
// If there is no backslash, AccountName is empty and the whole value lands in AccountDomain.
| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\', -1)[-1]), IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None"), 
HostEntity = Computer, AccountName = tostring(split(UserName, @'\')[1]), AccountDomain = tostring(split(UserName, @'\')[0])
| extend InitiatingProcessAccount = UserName
), 
// --- OfficeActivity: match on the client IP. UserId is UPN-style, so it is split on "@"
// (user -> AccountName, domain -> AccountDomain) rather than on a backslash.
(OfficeActivity
| where ClientIP in (IPList) 
| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type
| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountName = tostring(split(UserId, "@")[0]), AccountDomain = tostring(split(UserId, "@")[1])
| extend InitiatingProcessAccount = UserId
),
// --- Defender for Endpoint network events: match on the remote IP or the initiating process hash.
(DeviceNetworkEvents
| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type
| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = Computer, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
),
// --- Windows Firewall log: match on either endpoint.
(WindowsFirewall
| where SourceIP in (IPList) or DestinationIP in (IPList) 
| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, HostEntity = Computer, IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
), 
// --- imFileEvent (ASIM-normalised file events): hash match only; the matched hash is
// carried through as FileHash. ActorUsername is split as DOMAIN\user.
(imFileEvent
| where TargetFileSHA256 has_any (sha256Hashes)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
| extend timestamp = TimeGenerated, IPEntity = IPAddress,  HostEntity = Computer, Algorithm = "SHA256", FileHash = tostring(FileHash)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountDomain = tostring(split(Account, @'\')[0])
| extend InitiatingProcessAccount = Account
),
// --- Defender for Endpoint file events: the filter is on the file's SHA256.
// NOTE(review): the SHA256 column that matched is not projected; FileHash in the output is
// InitiatingProcessSHA256 (the parent process), so an analyst cannot see which IoC hit from
// this row alone. The same applies to the DeviceImageLoadEvents branch below.
(DeviceFileEvents
| where SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, 
Algorithm = "SHA256", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
),
// --- Defender for Endpoint image-load events: same shape and same FileHash caveat as DeviceFileEvents.
(DeviceImageLoadEvents
| where SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, 
Algorithm = "SHA256", FileHash = tostring(InitiatingProcessSHA256),  CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
),
// --- Sysmon event 1 (process create) via the Event table. The Hashes field (index 17) is a
// string of key=value pairs; extract_all turns it into [key, value] arrays, which are expanded
// one per row and filtered to the SHA256 entry.
// NOTE(review): positional indices (4 -> Image, 10 -> CommandLine, 17 -> Hashes) carry the same
// schema-version dependency as the event-3 branch above.
(Event
| where Source =~ "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Image = EventDetail.[4].["#text"],  CommandLine = EventDetail.[10].["#text"], Hashes = tostring(EventDetail.[17].["#text"])
| extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), Hashes)
// Both columns were just set by the extends above, so these column_ifexists fallbacks
// appear never to apply here; presumably retained from a shared template.
| extend Hashes = column_ifexists("Hashes", dynamic(["", ""])), CommandLine = column_ifexists("CommandLine", "")
| mv-expand Hashes
| where Hashes[0] =~ "SHA256" and Hashes[1] has_any (sha256Hashes)  
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image
| extend Type = strcat(Type, ": ", Source)
// NOTE(review): this branch names the DOMAIN part AccountUPNSuffix, whereas the other
// DOMAIN\user branches (Sysmon event 3, imFileEvent) name the same split index AccountDomain.
// Check which name the rule's entity mapping expects before changing either.
| extend timestamp = TimeGenerated, HostEntity = Computer, AccountName = tostring(split(UserName, @'\')[1]), AccountUPNSuffix = tostring(split(UserName, @'\')[0]), FileHash = tostring(Hashes[1])
| extend InitiatingProcessAccount = UserName
)
)
// Post-union: derive the short hostname and DNS suffix from HostEntity. When HostEntity has no
// dot, HostNameDomain is the unchanged HostEntity.
| extend HostName = tostring(split(HostEntity, ".")[0]), DomainIndex = toint(indexof(HostEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)