
Hunt pack: Play

990 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play, packaged as a hunt pack across Splunk, Elastic, Sentinel and Chronicle (YARA-L). Rules are selected by shared ATT&CK technique, so individual detections may have been written for other malware families or campaigns; review and tune each one before deploying it.

Detections

Chronicle (YARA-L) Original YARA-L T1059 ↗
malware_servhelper_bot
ServHelper bot
rule malware_servhelper_bot
{
  meta:
    author = "Google Cloud Security"
    description = "ServHelper bot"
    reference = "https://attack.mitre.org/techniques/T1059/"
    ref_hash = "6f58ed116b53b991522d6586c80a7061951dbf251e6943d3cfbd97f6c0126c0e"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    // ServHelper account set-up: a process launch whose command line either
    // creates the hard-coded local user "wgautilacc" with net.exe or touches the
    // "Remote Desktop Users" local group. Either pattern alone is enough.
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($launch.principal.process.command_line, `net.* user wgautilacc`) nocase
      or
      re.regex($launch.principal.process.command_line, `net.* localgroup "remote desktop users"`) nocase
    )
    // NOTE(review): the second pattern is not ServHelper-specific - any
    // administrator changing "Remote Desktop Users" membership with net.exe
    // will match, so expect tuning where that is routine.
    // NOTE(review): the command line is read from principal.process (the
    // launching side of a UDM PROCESS_LAUNCH); confirm the parser puts the
    // net.exe command line there rather than on target.process.

  condition:
    $launch
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
malware_servhelper_nsis_dropper
ServHelper NSIS dropper which layers PowerShell to execute its payload
rule malware_servhelper_nsis_dropper
{
  meta:
    author = "Google Cloud Security"
    description = "ServHelper NSIS dropper which layers PowerShell to execute its payload"
    reference = "https://attack.mitre.org/techniques/T1059/"
    ref_hash = "7f0191d0d08abd814b435aed3d3ab0d9499942ceba2e91fb9f3b9e5a4ab849a5"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    // Dropper stage: cmd.exe running "timeout -t 15 & powershell -ep bypass -f ..."
    // - a fixed 15 second delay, then PowerShell with the execution policy
    // bypassed and a script file as its argument.
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($launch.principal.process.command_line, `cmd\.exe.* /c timeout -t 15\& powershell -ep bypass -f`) nocase
    // The hard-coded delay value and switch order make this precise but
    // brittle: a rebuilt dropper with a different timeout will not match.

  condition:
    $launch
}
Chronicle (YARA-L) Original YARA-L T1112 ↗
malware_zeppelin_registry
Zeppelin registry key writing
rule malware_zeppelin_registry
{
  meta:
    author = "Google Cloud Security"
    description = "Zeppelin registry key writing"
    reference = "https://attack.mitre.org/techniques/T1112/"
    related_sample = "423ac94365660904322647356081aa1ea584cb20385ec3163193e71fd3e4f1ad"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    // Registry creation anywhere under a "\software\zeppelin\" key path.
    // The trailing backslash in the pattern means a subkey or value beneath
    // that key is needed; creation of the bare "zeppelin" key alone will not match.
    $regwrite.metadata.event_type = "REGISTRY_CREATION"
    re.regex($regwrite.target.registry.registry_key, `\\software\\zeppelin\\`) nocase

  condition:
    $regwrite
}
Chronicle (YARA-L) Original YARA-L Info T1053.005 ↗
mitre_attack_T1053_005_windows_creation_of_scheduled_task
Creation of scheduled task using command line
rule mitre_attack_T1053_005_windows_creation_of_scheduled_task {

  meta:
    author = "Google Cloud Security"
    description = "Creation of scheduled task using command line"
    rule_id = "mr_14beda0b-8ef1-4805-a227-df9d8bbc6804"
    rule_name = "MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task"
    tactic = "TA0002"
    technique = "T1053.005"
    type = "alert"
    platform = "Windows"
    data_source = "sentinelone"
    severity = "Info"
    priority = "Info"

  events:
    // Any process launch whose command line contains "schtasks" followed
    // somewhere later by "/create" (case-insensitive): a task being created
    // from the command line rather than through the Task Scheduler UI/API.
    re.regex($process.principal.process.command_line, `schtasks.*/create`) nocase
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // NOTE(review): this reads principal.process, which in a UDM PROCESS_LAUNCH
    // is the launching side; the sibling T1140 rule reads target.process.
    // Confirm the SentinelOne parser puts the schtasks command line where this expects.
    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes; $event_count records how many
    // launches were folded into it.
    $hostname over 5m

  outcome:
    $risk_score = 15
    $event_count = count_distinct($process.metadata.id)
    // Context for the alert graph. $principal_hostname duplicates the match
    // variable; it is kept so the graph still carries it if the match key changes.
    $principal_hostname = array_distinct($process.principal.hostname)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Launching (principal) process
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (target) process
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L Info T1140 ↗
mitre_attack_T1140_encoded_powershell_command
Detects encoded powershell commands
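rule mitre_attack_T1140_encoded_powershell_command {

  meta:
    author = "Google Cloud Security"
    description = "Detects encoded powershell commands"
    rule_id = "mr_c01d7d92-db49-4044-a2c5-5a16c74a141d"
    rule_name = "MITRE ATT&CK T1140 Encoded Powershell Command"
    tactic = "TA0005"
    technique = "T1140"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Info"
    priority = "Info"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    // Launched image is powershell.exe or powershell_ise.exe under System32 / SysWOW64.
    re.regex($process.target.process.file.full_path, `(system32|syswow64)\\WindowsPowerShell\\v1\.0\\powershell(|\_ise)\.exe`) nocase
    // -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -en,
    // -enc, ... -encodedcommand) and its value is always the next whitespace-
    // delimited argument. The earlier pattern `(?:-enc|-ec|-en)\s*\S*` accepted
    // only three spellings and, on the full "-EncodedCommand <b64>" form, matched
    // "-enc" and then captured "odedCommand" as the payload instead of the base64.
    // Every legal abbreviation is spelled out so the capture group always lands
    // on the argument itself; the (^|\s) guard avoids matching "-e" inside another token.
    re.regex($process.target.process.command_line, `(?i)(?:^|\s)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+\S+`)
    $encoded_value = re.capture($process.target.process.command_line, `(?i)(?:^|\s)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+(\S+)`)
    // -EncodedCommand is base64 over UTF-16LE, so the decoded bytes carry a NUL
    // after every ASCII character; stripping \0 yields readable text for ASCII scripts.
    $decoded_value = re.replace(strings.base64_decode(re.capture($process.target.process.command_line, `(?i)(?:^|\s)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+(\S+)`)), `\0`, "")

  match:
    // One detection per host per 5 minutes; $event_count records the fold count.
    $hostname over 5m

  outcome:
    $risk_score = 10
    $event_count = count_distinct($process.metadata.id)
    // The raw base64 argument(s) and their decoded form, for triage.
    $encoded_powershell = array_distinct($encoded_value)
    $decoded_powershell = array_distinct($decoded_value)
    // Context for the alert graph. $principal_hostname duplicates the match
    // variable; kept so the graph still carries it if the match key changes.
    $principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}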
Chronicle (YARA-L) Original YARA-L T1005 ↗
mssql_server_backdoor_detection_vollgar
The Vollgar campaign uses brute force to infect exposed Microsoft SQL servers at a high rate. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule mssql_server_backdoor_detection_vollgar {
  meta:
    author = "Emir Erdogan"
    description = "Newly discovered Vollgar attack uses brute force to infect vulnerable Microsoft SQL servers at a high rate.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/JjWtzMSfOzEp"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1005, T1190"

  events:
    // Sysmon event 11 (FileCreate) for the scripts, batch files and binaries
    // Vollgar drops on a compromised MSSQL host. Any one path is enough.
    $selection.metadata.product_event_type = "11"
    (
      // VBScript downloaders
      $selection.target.file.full_path = "C:\\ProgramData\\wget.vbs" or
      $selection.target.file.full_path = "C:\\RECYCLER\\wget.vbs" or
      $selection.target.file.full_path = "C:\\ProgramData\\emsda.vbs" or
      $selection.target.file.full_path = "C:\\RECYCLER\\emsda.vbs" or
      // Executables with SQL-Server-styled names, in any directory
      re.regex($selection.target.file.full_path, `.*\\SQLAGENTIDC\.exe`) or
      re.regex($selection.target.file.full_path, `.*\\SQLAGENTSWA\.exe`) or
      re.regex($selection.target.file.full_path, `.*\\SQLIOMDSD\.exe`) or
      re.regex($selection.target.file.full_path, `.*\\SQLSernsf\.exe`) or
      $selection.target.file.full_path = "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe" or
      // Start-up batch files in the SQL service account's temp directories
      $selection.target.file.full_path = "C:\\Users\\MSSQL~1\\AppData\\Local\\Temp\\startas.bat" or
      $selection.target.file.full_path = "C:\\Users\\MSSQLSERVER\\AppData\\Local\\Temp\\startas.bat" or
      $selection.target.file.full_path = "C:\\Windows\\Temp\\startas.bat" or
      $selection.target.file.full_path = "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\startas.bat" or
      $selection.target.file.full_path = "C:\\Users\\MSSQLSERVER\\AppData\\Local\\Temp\\startae.bat" or
      $selection.target.file.full_path = "C:\\Windows\\Temp\\startae.bat" or
      $selection.target.file.full_path = "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\startae.bat"
    )
    // NOTE(review): the "=" comparisons are exact and case-sensitive and the
    // regexes carry no nocase, so a path logged as c:\programdata\wget.vbs would
    // not match. Add nocase / lower-casing if the feed does not normalise case.

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
mustangpanda_covid19_campaing
This rule detects attempts by the APT group Mustang Panda to take advantage of the COVID-19 situation. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
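rule mustangpanda_covid19_campaing {
  meta:
    author = "Ariel Millahuel"
    description = "This rule detects the attempts that are made by the ATP group MustangPanda in order to take advantage of the COVID-19 situation  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9d8qzUPsY8ag"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
    // Process creation: Security 4688 or Sysmon 1.
    ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1")
    // Image names are matched on the trailing path component. UDM full_path
    // normally carries the complete path (sibling rules in this set match
    // `.*\\cmd\.exe`), so the previous exact comparison against the bare name
    // "cmd.exe" / "schtasks.exe" could not hit on such feeds. The bare-name
    // form still matches for parsers that log only the image name.
    (
      // Stage 1: cmd.exe locates the dropped "*-*-1.lnk" under %temp% or the
      // current directory and launches it through mshta.exe.
      (
        re.regex($selection1.target.process.file.full_path, `(^|\\)cmd\.exe$`) nocase and
        (
          re.regex($selection1.target.process.command_line, `/c for %x in \(%temp%=%cd%\) do for /f \"delims==\" %i in \(dir %x.*-.*-1\.lnk /s /b\)do start mshta\.exe \"%i\"`) or
          re.regex($selection1.target.process.command_line, `/c dir \"C:\\Users.*\\AppData\\Local\\Temp.*-.*-1\.lnk\" /s /b`)
        )
      )
      or
      // Stage 2: persistence via the per-minute scheduled task "Tencentid"
      // running the dropped tencentsoso.exe. Matched as a substring because the
      // logged command line usually begins with the image name, which the
      // previous exact comparison against the argument string alone never matched.
      (
        re.regex($selection1.target.process.file.full_path, `(^|\\)schtasks\.exe$`) nocase and
        re.regex($selection1.target.process.command_line, `/F /Create /TN Tencentid /sc minute /MO 1 /TR C:\\Users\\Public\\Music\\tencentsoso\.exe`) nocase
      )
    )

  condition:
    $selection1
}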
Chronicle (YARA-L) Original YARA-L T1064 ↗
nanocore_rat_loaded_by_covid19_update_xlsm_file
NanoCore RAT Loaded By Covid-19 Update XLSM File License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule nanocore_rat_loaded_by_covid19_update_xlsm_file {
  meta:
    author = "Emir Erdogan"
    description = "NanoCore RAT Loaded By Covid-19 Update XLSM File  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/3PiQpZWwUfZt"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1086, T1064, T1105"

  events:
    // Excel spawning PowerShell that pulls an .exe from gbud.webd.pl/cli/ into
    // %TEMP% with WebClient.DownloadFile and runs it through Shell.Application.
    re.regex($selection.principal.process.file.full_path, `.*\\excel\.exe`)
    re.regex($selection.target.process.file.full_path, `.*\\powershell\.exe`)
    re.regex($selection.target.process.command_line, `.*-executionpolicy bypass -W Hidden -command \(new-object System\.Net\.WebClient\)\.DownloadFile\(.*gbud\.webd\.pl/cli/.*\.exe.*,$env:Temp\+.*\.exe.*\);\(New-Object -com Shell\.Application\)\.ShellExecute\($env:Temp\+.*\.exe.*\)`)
    // NOTE(review): no event_type filter - the parent/child image fields imply a
    // process-launch event, but any event populating both would qualify.
    // The hard-coded download host makes this campaign-specific; it will not
    // generalise to other NanoCore deliveries.

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1105 ↗
oilirgs_rdat_backdoor_sysmon_detection
RDAT is a backdoor attributed to OilRig. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
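rule oilirgs_rdat_backdoor_sysmon_detection {
  meta:
    author = "Ariel Millahuel"
    description = "RDAT its a backdoor that belongs to OilRig  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/k6BRV4W38EJc"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "command_and_control, T1105"

  events:
    // Sysmon event 11 (FileCreate) for artefacts associated with RDAT.
    // nocase is applied because the original patterns were case-sensitive and
    // spelled the directory "Programdata", so a file logged under the standard
    // "C:\ProgramData\Nt.dat" casing would not have matched.
    $selection1.metadata.product_event_type = "11"
    (
      // PDB paths from RDAT builds
      re.regex($selection1.target.file.full_path, `.*\\Desktop\\dns\\client\\x64\\Release\\client\.pdb.*`) nocase or
      re.regex($selection1.target.file.full_path, `.*\\RDAT\\client\\x64\\Release\\client\.pdb.*`) nocase or
      // Data file written under ProgramData
      re.regex($selection1.target.file.full_path, `.*\\Programdata\\Nt\.dat.*`) nocase
    )

  condition:
    $selection1
}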
Chronicle (YARA-L) Original YARA-L T1053 ↗
oilrig
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule oilrig {
  meta:
    author = "Ariel Millahuel"
    description = "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Nvw0NkZgaA6d"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "execution, persistence, privilege_escalation, T1059, T1053"

  events:
    // Sysmon event 11 (FileCreate) for file names seen in the OilRig dropper
    // chain. Any single name is enough; the patterns are unanchored substrings.
    $selection1.metadata.product_event_type = "11"
    (
      re.regex($selection1.target.file.full_path, `.*nsExec\.dll.*`) or
      re.regex($selection1.target.file.full_path, `.*nseEBFB\.tmp.*`) or
      re.regex($selection1.target.file.full_path, `.*chkSrv\.vbs.*`) or
      re.regex($selection1.target.file.full_path, `.*SCSCAN\.xml.*`) or
      re.regex($selection1.target.file.full_path, `.*AnyDesk\.exe.*`)
    )
    // NOTE(review): nsExec.dll is a stock NSIS plug-in and AnyDesk.exe a widely
    // deployed remote-access tool; on their own these two names will fire on
    // ordinary installer and admin activity. Treat hits on them as weak signals
    // or correlate with the command-line rule oilrig_part_1.

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1053 ↗
oilrig_part_1
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
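rule oilrig_part_1 {
  meta:
    author = "Ariel Millahuel"
    description = "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Nvw0NkZgaA6d"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, persistence, privilege_escalation, T1059, T1053"

  events:
    // Process creation: Security 4688 or Sysmon 1.
    ($selection2.metadata.product_event_type = "4688" or $selection2.metadata.product_event_type = "1")
    // The previous version compared the whole command line for equality against
    // strings that began `cmd.exe" /c ...` (opening quote lost) and against the
    // sandbox profile path C:\Users\admin, so it could only fire on an exact
    // replay of the analysed sample. The distinctive arguments are now matched
    // as case-insensitive substrings with the user name left free.
    (
      // AV enumeration through WMI SecurityCenter2
      re.regex($selection2.target.process.command_line, `cmd\.exe"? /c wmic /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`) nocase or
      // Scheduled task "SC Scheduled Scan" registered from the dropped SCSCAN.xml
      re.regex($selection2.target.process.command_line, `schtasks(\.exe)? /create /F /tn "SC Scheduled Scan" /xml ".*\\SCSCAN\.xml`) nocase or
      // Decoy document copied from %TEMP% to %APPDATA%\Tmp.doc
      re.regex($selection2.target.process.command_line, `cmd\.exe"? /c copy "C:\\Users\\[^\\"]+\\AppData\\Local\\Temp.*\.doc" "C:\\Users\\[^\\"]+\\AppData\\Roaming\\Tmp\.doc`) nocase or
      // Three-minute scheduled task "InetlSecurityAssistManager" running the payload from %TEMP%
      re.regex($selection2.target.process.command_line, `cmd\.exe"? /c SchTasks /Create /SC MINUTE /MO 3 /TN "InetlSecurityAssistManager" /TR "C:\\Users\\[^\\"]+\\AppData\\Local\\Temp.*\.exe" /f`) nocase or
      // Scheduled-task enumeration
      re.regex($selection2.target.process.command_line, `cmd\.exe"? /c start /b schtasks /query /fo csv`) nocase or
      // PowerShell stage dropped to ProgramData
      re.regex($selection2.target.process.command_line, `powershell\.exe"? -exec bypass -File C:\\programdata\\Office365DCOMCheck\.ps1`) nocase or
      // Kept from the original. NOTE(review): this is a routine admin command
      // and, being one alternative of the OR, fires the rule on its own.
      $selection2.target.process.command_line = "ipconfig /flushdns"
    )

  condition:
    $selection2
}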
Chronicle (YARA-L) Original YARA-L T1012 ↗
persistence_of_ryuk_ransomware
Ryuk has been known to be part of a larger "Triple Threat" attack chain that involves Emotet and TrickBot. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
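rule persistence_of_ryuk_ransomware {
  meta:
    author = "Emir Erdogan"
    description = "Ryuk has been know to be a part of a bigger \"Triple Threat\" attack that involves Emotet and TrickBot.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eWyQLgWZwv3v"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1055, T1060, T1112, T1012, T1486"

  events:
    // Stage 1: cmd.exe launches reg.exe to add an HKCU Run value named "svchos"
    // pointing at the dropped Ryuk binary (BPWPc.exe / YLZHK.exe / rojwa.exe).
    // "REG\s+ADD" also covers the double-space spelling present in the original.
    re.regex($reg.target.process.file.full_path, `.*\\reg\.exe`)
    re.regex($reg.principal.process.file.full_path, `.*\\cmd\.exe`)
    re.regex($reg.target.process.command_line, `REG\s+ADD "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "svchos" /t REG_SZ /d ".*\\(BPWPc|YLZHK|rojwa)\.exe" /f`) nocase
    $reg.principal.hostname = $hostname

    // Stage 2: shadow copies deleted or shrunk ahead of encryption.
    (
      $vss.target.process.command_line = "vssadmin Delete Shadows /all /quiet" or
      re.regex($vss.target.process.command_line, `vssadmin resize shadowstorage.*.*`)
    )
    $vss.principal.hostname = $hostname

  match:
    // Both stages on the same host within one hour. The previous version ANDed
    // every predicate onto a single event, which no process launch can satisfy
    // (a reg.exe launch cannot also carry a vssadmin command line), so it never fired.
    $hostname over 1h

  condition:
    $reg and $vss
}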
Chronicle (YARA-L) Original YARA-L T1012 ↗
poetrat_pythonrat_uses_covid19_lure
COVID-19-themed phishing document that drops Python and executes the malware via Python. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule poetrat_pythonrat_uses_covid19_lure {
  meta:
    author = "Emir Erdogan"
    description = "Covid19 theme phishing document drop pyhton and execute malware by python  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9l7TeSLJabOP"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1012, T1086"

  events:
    // WINWORD.exe spawning cmd.exe or powershell.exe ...
    re.regex($selection1.principal.process.file.full_path, `.*\\WINWORD\.exe`)
    (
      re.regex($selection1.target.process.file.full_path, `.*\\cmd\.exe`) or
      re.regex($selection1.target.process.file.full_path, `.*\\powershell\.exe`)
    )
    // ... with one of the two PoetRAT unpacking command lines: copy the lure
    // .docx to a .rar, extract it with WinRAR, then start the dropped .bat/.exe.
    (
      // cmd.exe variant
      re.regex($selection1.target.process.command_line, `.*/c copy .*.*\.docx .*\.rar && \"C:\\Program Files\\WinRAR\\winRar\.exe\" x -o\+ -ibck .*\.rar .*\.bat && start /b .*\.bat .*\.EXE MICROSOFT WORD`) or
      // PowerShell variant. The leading "...\MSWord.exe\..\..\..\.." is a
      // path-traversal disguise: the command line looks like it launches MSWord.exe
      // but resolves to powershell.exe.
      re.regex($selection1.target.process.command_line, `C:\\Programs\\Microsoft\\Office\\MSWord\.exe\\\.\.\\\.\.\\\.\.\\\.\..*\\powershell\.exe copy .*.*\.docx .*\.rar; & .*\\WinRAR\.exe x -ibck .*\.rar .*\.exe;Start-Sleep 5;start .*\.EXE MSW`)
    )
    // NOTE(review): no event_type filter and no nocase; the patterns are
    // case-sensitive substrings, so a differently cased WinRAR path would be missed.

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
recon_successful_logon_enumeration_powershell_T1033_cisa_report
Detects the use of powershell to enumerate successful logins on a specific host
rule recon_successful_logon_enumeration_powershell_T1033_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects the use of powershell to enumerate successful logins on a specific host"
    rule_id = "mr_db589a2e-0a06-46b5-8479-f8e120ec0405"
    rule_name = "MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon"
    tactic = "TA0007"
    mitre_attack_technique = "T1033"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Info"
    priority = "Info"

  events:
    $process.principal.hostname = $hostname
    // The same Get-EventLog invocation can surface two ways:
    //  - as the command line of a process launch, or
    //  - as a STATUS_UPDATE whose security_result.description carries the text
    //    (presumably PowerShell script-block logging - confirm against the parser).
    // The CISA report shows the command wrapped in "cmd /c" with wmic /user and
    // /password switches; those are not required here so the pattern keys on the
    // cmdlet, the Security log and instance id 4624 (successful logon) only.
    // The leading `(|cmd.*/c)` group has an empty alternative and imposes no constraint.
    (
      $process.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($process.target.process.command_line, `(|cmd.*/c).*Get-EventLog.*security.*-instanceid.*4624`) nocase
    )
    or
    (
      $process.metadata.event_type = "STATUS_UPDATE" and
      re.regex($process.security_result.description, `Get-EventLog.*security.*-instanceid.*4624`) nocase
    )

  match:
    // One detection per host per 15 minutes; $event_count records the fold count.
    $hostname over 15m

  outcome:
    $risk_score = 15
    $event_count = count_distinct($process.metadata.id)
    $security_result_description = array_distinct($process.security_result.description)
    // Context for the alert graph. The hostname is already the match variable,
    // so $principal_hostname stays commented out; re-enable if the match key changes.
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Launching (principal) process
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (target) process
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L T1018 ↗
remote_system_discovery__ping_sweep
This rule detects an attempt to identify remote systems via ping sweep License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
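rule remote_system_discovery__ping_sweep {
  meta:
    author = "Ariel Millahuel"
    description = "This rule detects an attempt to identify remote systems via ping sweep  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/fctdvCuWhicV"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "discovery, T1018"

  events:
    // Process creation: Security 4688 or Sysmon 1.
    ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1")
    // The "for /l ... do ping" loop is carried on the command line of the
    // cmd.exe that runs it; each ping.exe it spawns only sees
    // "ping -n 1 -w 100 <ip>". The previous version required the image to be
    // exactly "ping.exe" AND the command line to contain the loop, which no
    // single launch satisfies. The trailing path component of either image is
    // accepted so the cmd.exe launch is caught; the bare-name form is kept for
    // parsers that log only the image name.
    re.regex($selection1.target.process.file.full_path, `(^|\\)(cmd|ping)\.exe$`) nocase
    (
      re.regex($selection1.target.process.command_line, `.* for /l %i in \(1,1,254\) do ping -n 1 -w 100 192\.168\.1\.%i .*`) nocase or
      re.regex($selection1.target.process.command_line, `.*for /l %i in \(1,1,254\) do ping -n 1 -w 100 .*\..*\..*\.%i.*`) nocase
    )
    // NOTE(review): a loop typed into an already-running interactive cmd.exe
    // produces no new cmd.exe launch, only a burst of ping.exe children; catching
    // that needs a per-host count of ping.exe launches over a window, not a
    // single-event pattern.

  condition:
    $selection1
}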
Chronicle (YARA-L) Original YARA-L T1059 ↗
rig_ek_delivers_predator_the_thiefbot_ransomware
Rig EK delivers Predator the Thief and a bot/ransomware payload. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
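rule rig_ek_delivers_predator_the_thiefbot_ransomware {
  meta:
    author = "Emir Erdogan"
    description = "Rig EK Delivers Predator the thief&Bot Ransomware  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/rOXcOaqX6q1R"
    version = "0.01"
    created = "2019/11/24"
    product = "windows"
    service = "sysmon"
    mitre = "T1486, T1059"

  events:
    // Stage events: any one of the three payload behaviours seen in the analysed run.
    // The temp-style names (radD8D54.tmp.exe, D5F4.tmp.dll, CD2D.tmp.dll) appear to
    // be run-specific and will not survive a re-run of the kit - treat as brittle.
    (
      // socks111atx.exe started by the rad*.tmp.exe dropper
      (
        re.regex($stage.target.process.file.full_path, `.*\\socks111atx\.exe`) and
        re.regex($stage.principal.process.file.full_path, `.*\\radD8D54\.tmp\.exe`)
      )
      or
      // regsvr32 loading one of the dropped .tmp.dll files (Sysmon event 1)
      (
        $stage.metadata.product_event_type = "1" and
        re.regex($stage.target.process.file.full_path, `.*\\regsvr32\.exe`) and
        (
          re.regex($stage.target.process.command_line, `.*\\D5F4\.tmp\.dll`) or
          re.regex($stage.target.process.command_line, `.*\\CD2D\.tmp\.dll`)
        )
      )
      or
      // Self-deletion idiom "ping 127.0.0.1 && del ..." issued by the dropper
      (
        re.regex($stage.target.process.command_line, `.*ping 127\.0\.0\.1 && del.*`) and
        re.regex($stage.principal.process.file.full_path, `.*\\radD8D54\.tmp\.exe`)
      )
    )
    $stage.principal.hostname = $hostname

    // Ransom note displayed: notepad.exe opening FILES ENCRYPTED.txt.
    re.regex($note.target.process.file.full_path, `.*\\notepad\.exe`)
    re.regex($note.target.process.command_line, `.*\\FILES ENCRYPTED\.txt`)
    $note.principal.hostname = $hostname

  match:
    // Stage and ransom note on the same host within one hour. The previous
    // version ANDed the notepad.exe predicates onto the same event as the stage
    // predicates, so one launch had to be both notepad.exe and socks111atx.exe /
    // regsvr32.exe (or carry two unrelated command lines) - it could never fire.
    $hostname over 1h

  condition:
    $stage and $note
}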
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
rule_1
Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
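rule rule_1 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under"
    type = "hunt"
    data_source = "microsoft sysmon, microsoft windows events"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "System Owner/User Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    mitre_attack_version = "v13.1"
    platform = "Windows"
    severity = "Info"
    priority = "Info"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // whoami as a bare command, as whoami.exe, by full path, quoted, or with
    // arguments (/all, /priv, /groups ...). The previous version compared the
    // whole command line for equality with "whoami", so only the bare, unquoted,
    // argument-less form was ever seen.
    re.regex($process.target.process.command_line, `(^|\\|\s|")whoami(\.exe)?("|\s|$)`) nocase

  outcome:
    $risk_score = 10
    $mitre_attack_tactic = "Discovery"
    $mitre_attack_technique = "System Owner/User Discovery"
    $mitre_attack_technique_id = "T1033"
    // Context for the alert graph (single-event rule, so plain field copies).
    $principal_hostname = $process.principal.hostname
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id
    $principal_user_userid = $process.principal.user.userid

  condition:
    $process
}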
Chronicle (YARA-L) Original YARA-L Info T1033 ↗
rule_2
Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
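rule rule_2 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under"
    type = "hunt"
    data_source = "microsoft sysmon, microsoft windows events"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "System Owner/User Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1033/"
    mitre_attack_version = "v13.1"
    platform = "Windows"
    severity = "Info"
    priority = "Info"

  events:
    // NOTE(review): this rule is a byte-for-byte duplicate of rule_1 in this pack;
    // deploying both doubles every hit.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // whoami as a bare command, as whoami.exe, by full path, quoted, or with
    // arguments (/all, /priv, /groups ...). The previous version compared the
    // whole command line for equality with "whoami", so only the bare, unquoted,
    // argument-less form was ever seen.
    re.regex($process.target.process.command_line, `(^|\\|\s|")whoami(\.exe)?("|\s|$)`) nocase

  outcome:
    $risk_score = 10
    $mitre_attack_tactic = "Discovery"
    $mitre_attack_technique = "System Owner/User Discovery"
    $mitre_attack_technique_id = "T1033"
    // Context for the alert graph (single-event rule, so plain field copies).
    $principal_hostname = $process.principal.hostname
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id
    $principal_user_userid = $process.principal.user.userid

  condition:
    $process
}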
Chronicle (YARA-L) Original YARA-L T1059 ↗
sap_netweaver_application_server_as_java_cve20206287_detection
CVE-2020-6287 is a critical vulnerability in the LM Configuration Wizard component of the "SAP NetWeaver Application Server (AS) Java" platform that allows unauthenticated users to run code. If successfully exploited, highly privileged users can be created, giving unrestricted authority over the SAP system, and commands can be run with the rights of the SAP service user. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule sap_netweaver_application_server_as_java_cve20206287_detection {
  meta:
    author = "Furkan Celik"
    description = "It is a critical vulnerability in the LM Configuration Wizard component of the \"SAP NetWeaver Application Server (AS) Java\" platform, allowing unauthenticated users to run code. If it is successfully exploited, high authority users can be created, unlimited authority to SAP systems, commands can be run with SAP service user rights.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/IpNtUupYw88W"
    version = "0.01"
    created = "2020/07/16"
    product = "windows"
    service = "sysmon"
    mitre = "T1190, vulnerability_scanning, T1059, execution"

  events:
    // Event type "1" tagged with product "SAP NetWeaver" whose description is
    // one of the release strings affected by CVE-2020-6287 (7.3, 7.31, 7.4, 7.5).
    $selection.metadata.product_event_type = "1"
    $selection.metadata.product_name = "SAP NetWeaver"
    (
      $selection.metadata.description = "7.3" or
      $selection.metadata.description = "7.31" or
      $selection.metadata.description = "7.4" or
      $selection.metadata.description = "7.5"
    )
    // NOTE(review): nothing here inspects a request, a created user or a
    // command - the rule keys on product name and version fields only, so a hit
    // means "an affected release is present", not "exploitation observed".

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1036 ↗
signal_desktop_app_privilege_escalation
Detects the Signal Desktop v1.29 app privilege escalation vulnerability. During startup the application executes the c:\node_modules\.bin\wmic.exe binary if it exists. By default on Windows, low-privileged users are allowed to create folders under root-level drives. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule: Signal Desktop v1.29 launching a planted wmic.exe from a
// user-creatable node_modules\.bin directory on the drive root.
// Two branches: (1) product_event_type "1" with a Signal.exe parent and a wmic.exe command line,
// or (2) product_event_type "11" with a file created at that path (service = sysmon per meta, so
// presumably Sysmon ProcessCreate and FileCreate respectively).
// NOTE(review): the path regexes use `\\\\` for a single separator, which in a regex literal
// matches two consecutive backslashes; the other rules on this page use `\\` for one separator.
// Confirm the escaping against how command lines and paths are normalized in UDM before
// relying on this rule - as written it may never match a normal single-backslash path.
rule signal_desktop_app_privilege_escalation {
 meta:
    author = "Halil Ibrahim Cosgun"
    description = "Detects Signal Desktop v1.29 app privilege escalation vulnerability. During the startup the application will execute the c:\\node_modules\\.bin\\wmic.exe binary if it exists. By default on Windows, low privileged users have the privilege to create folders under root level drives.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/JxHcCHvtyUEG"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "Execution, Defense_Evasion, Persistence, Privilege_Escalation, T1218, T1036, T1044"

  events:
(($selection1.metadata.product_event_type = "1" and re.regex($selection1.principal.process.file.full_path, `.*\\\\Signal\.exe`) and re.regex($selection1.target.process.command_line, `.*\\\\node_modules\\\\\.bin\\\\wmic\.exe`)) or ($selection1.metadata.product_event_type = "11" and re.regex($selection1.target.file.full_path, `.*\\\\node_modules\\\\\.bin\\\\wmic\.exe`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
stop_ransomware_and_vidar_ransomware_detection
This rule detects the behavior of a combination of STOP Ransomware and Vidar Ransomware. Both threats are used together to steal information after a phishing attack was successfully executed. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule for STOP/Vidar post-infection behaviour on Windows process-creation
// events (product_event_type "4688" or "1").
// Branch 1: cmd.exe running a taskkill-then-erase self-deletion sequence against an executable
//           under the user's %Temp% (the first regex is specific to a file named 5.exe, the second
//           generalises to any .exe).
// Branch 2: icacls applying a deny ACE for S-1-1-0 (the well-known Everyone SID) that removes
//           delete rights on a folder under the user's AppData\Local, i.e. protecting the dropped files.
// NOTE(review): target.process.file.full_path is compared for equality with the bare names
// "cmd.exe" and "icacls.exe", while other rules on this page compare the same field with
// fully-qualified paths (e.g. "C:\\Windows\\System32\\cmd.exe"); confirm which form the parser
// emits, otherwise these branches never match.
// NOTE(review): `\(Ol\)\(Cl\)` is spelled with a lowercase L; the icacls inheritance flags are
// (OI)(CI) (object/container inherit), so the icacls branch likely cannot match a real
// command line - confirm against the source rule.
rule stop_ransomware_and_vidar_ransomware_detection {
 meta:
    author = "Ariel Millahuel"
    description = "This rule detects the behavior of a combination between STOP Ransomware and Vidar Ransomware. Both threats are used in combination in order to steal information after a phishing attack was succesfully executed  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eLntKUKd5pKY"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and (($selection1.target.process.file.full_path = "cmd.exe" and (re.regex($selection1.target.process.command_line, `/c taskkill /im 5\.exe /f & erase C:\\Users.*\\AppData\\Local\\Temp.*\\5\.exe & exit`) or re.regex($selection1.target.process.command_line, `/c taskkill /im .*\.exe /f & erase C:\\Users.*\\AppData\\Local\\Temp.*.*\.exe & exit`))) or ($selection1.target.process.file.full_path = "icacls.exe" and re.regex($selection1.target.process.command_line, `icacls C:\\Users.*\\AppData\\Local.*\\deny .*S-1-1-0:\(Ol\)\(Cl\)\(DE,DC\)`))))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1041 ↗
suspicious_curl_usage
cURL is a command-line browser and is often used by attackers to download malware. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule: the built-in Windows curl.exe launched from cmd.exe with one of a
// fixed set of argument patterns (FTP transfer, SOCKS5 proxy named torproxy, form upload of
// an .exe, explicit DNS/interface/resolve overrides, or a hard-coded "X-Application: BotClient"
// header).
// Both process paths are exact, case-sensitive string comparisons, and the regexes are
// case-sensitive (no nocase modifier); paths or flags logged in a different case will not match.
// NOTE(review): the mitre meta lists several IDs (T1188, T1079) that appear to be retired
// technique numbers in current ATT&CK - re-map before cross-linking.
rule suspicious_curl_usage {
 meta:
    author = "Emir Erdogan"
    description = "cURL is a command line browser, and often used by attackers to download malware.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/NTrME73OyT8w"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1188, T1079, T1041"

  events:
// No product_event_type filter: any event with both process paths populated is considered.
($selection.target.process.file.full_path = "C:\\Windows\\System32\\curl.exe" and $selection.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and (re.regex($selection.target.process.command_line, `.*curl ftp.*`) or re.regex($selection.target.process.command_line, `.*curl --socks5 torproxy.*`) or re.regex($selection.target.process.command_line, `.*curl -F .*\.exe.*`) or re.regex($selection.target.process.command_line, `.*curl --dns-ipv4-addr.*`) or re.regex($selection.target.process.command_line, `.*curl --dns-interface eth1.*`) or re.regex($selection.target.process.command_line, `.*curl --resolve.*`) or re.regex($selection.target.process.command_line, `.*curl --header \"X-Application: BotClient\".*`)))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1036 ↗
suspicious_process_created_on_unusual_directories
Detects suspicious processes launched from unusual directories. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule: process creation (product_event_type "1") where the image path starts
// with, or contains, one of a fixed list of directories that rarely host legitimate executables
// (Windows\Fonts, Windows\Media, Users\Public, PerfLogs, the Recycle Bin, web roots such as
// htdocs and wwwroot, etc.).
// NOTE(review): the pattern `C:\\$Recycle\.bin.*` leaves `$` unescaped; in a regex `$` is an
// end-of-text anchor, so that alternative can never match and should read `C:\\\$Recycle\.bin.*`.
// NOTE(review): all patterns are case-sensitive (no nocase modifier) while Windows paths are not;
// e.g. `system32` here will not match a path logged as `System32`. Consider adding nocase.
rule suspicious_process_created_on_unusual_directories {
 meta:
    author = "Erdem Kucukmustafa"
    description = "Detect Suspicious Process on Unusual Directories  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/lVgFe7QyLrys"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "Defense_Evasion, T1036"

  events:
($selection.metadata.product_event_type = "1" and (re.regex($selection.target.process.file.full_path, `C:\\Windows\\Fonts.*`) or re.regex($selection.target.process.file.full_path, `.*\\htdocs.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\Media.*`) or re.regex($selection.target.process.file.full_path, `C:\\Users\\Public.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\system32\\config\\systemprofile.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\addins.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\Debug.*`) or re.regex($selection.target.process.file.full_path, `C:\\Users\\NetworkService.*`) or re.regex($selection.target.process.file.full_path, `C:\\Users\\Default.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\Help.*`) or re.regex($selection.target.process.file.full_path, `C:\\Intel\\Logs.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\repair.*`) or re.regex($selection.target.process.file.full_path, `C:\\PerfLogs.*`) or re.regex($selection.target.process.file.full_path, `C:\\$Recycle\.bin.*`) or re.regex($selection.target.process.file.full_path, `C:\\Windows\\security.*`) or re.regex($selection.target.process.file.full_path, `.*\\wwwroot.*`)))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1053 ↗
suspicious_scheduled_task
Detection of suspicious scheduled tasks. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule with two unrelated command-line indicators:
//  1. schtasks creating a minute-interval task named SystemSoundsServices whose action is
//     regsvr32.exe (a specific persistence artefact);
//  2. the `/s /n /u /i:http:` argument set, i.e. regsvr32 being pointed at a remote scriptlet.
// No event-type or process-name filter is applied: any event with a populated
// target.process.command_line is evaluated, so the second pattern fires regardless of which
// binary received those arguments (it is not constrained to regsvr32.exe).
// NOTE(review): the mitre meta lists T1168, which appears to be a retired technique ID;
// re-map before cross-linking.
rule suspicious_scheduled_task {
 meta:
    author = "Emir Erdogan"
    description = "Detection of suspicious scheduled tasks  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/1ULlEDq8oA0b"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1053, T1168"

  events:
(re.regex($selection.target.process.command_line, `.*schtasks\.exe /create /sc MINUTE /tn SystemSoundsServices /tr \"regsvr32\.exe\".*`) or re.regex($selection.target.process.command_line, `.*/s /n /u /i:http:.*`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1189 ↗
underminer_exploit_kit_delivers_malware
Underminer Exploit Kit delivers malware using an SSL Certificate Authority together with the SSL Subject user.shorico.club. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule: Internet Explorer (exact path) spawning regsvr32.exe, cmd.exe or any
// powershell.exe whose command line references one specific .sct scriptlet file name.
// NOTE(review): the description talks about an SSL certificate authority / subject, but the
// selection is purely a process-launch parent/child/command-line match; the TLS indicator is
// not encoded here.
// NOTE(review): the .sct file name is a single-campaign artefact, so this rule will not
// generalise beyond that sample; the mitre meta also lists `t1050`, which appears to be a
// retired technique ID.
rule underminer_exploit_kit_delivers_malware {
 meta:
    author = "Emir Erdogan"
    description = "Underminer Exploit Kit Delivers Malware by using SSL Certificate Authority along with the SSL Subject of user.shorico.club  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/2RbeLqD41k0l"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "persistence, t1050, T1189"

  events:
// Child path: two exact comparisons plus a regex for powershell.exe anywhere in the path.
(($selection1.target.process.file.full_path = "C:\\Windows\\System32\\regsvr32.exe" or $selection1.target.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" or re.regex($selection1.target.process.file.full_path, `.*powershell\.exe.*`)) and $selection1.principal.process.file.full_path = "C:\\Program Files\\Internet Explorer\\iexplore.exe" and re.regex($selection1.target.process.command_line, `.*6ke4ua62j0vmgeq6ld84ri257o\.sct.*`))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1007 ↗
ursnif_trojan_detection_cmd_obfuscation
Ursnif, one of the most widespread banking trojans, uses an obfuscated command prompt. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule: Rundll32.exe (exact path) launched from cmd.exe with a command line
// that loads a specific DLL from C:\ProgramData and calls DllRegisterServer with caret
// characters inserted (cmd.exe escape-character obfuscation).
// NOTE(review): the carets in `Dl^lRegi^sterSe^rver` are unescaped; in a regex `^` is a
// start-of-text anchor, so this pattern can never match a real command line. Each caret needs
// to be written as `\^` for the rule to work as intended.
// NOTE(review): the DLL name is a single-sample artefact; generalising to any DLL with a
// caret-obfuscated export name would make the rule useful beyond this sample.
rule ursnif_trojan_detection_cmd_obfuscation {
 meta:
    author = "Emir Erdogan"
    description = "Most popular banking trojan which is called as ursnif uses obfuscated command prompt  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/phnp9PkFC7Zm"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1047, T1497, T1080, T1007, T1082, T1071, T1064, T1113, T1091, T1105, T1060, T1012, T1093, T1027, T1036"

  events:
($selection.target.process.file.full_path = "C:\\Windows\\System32\\Rundll32.exe" and re.regex($selection.principal.process.file.full_path, `C:\\Windows\\System32\\cmd\.exe.*`) and re.regex($selection.target.process.command_line, `.*C:\\ProgramData\\ZyGHisczAWv\.dll,Dl^lRegi^sterSe^rver.*`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1027.004 ↗
wastedlocker_ransomware_hunting_defense_evasion
This rule is part of the Cisco Talos investigation into this ransomware, which covers many ATT&CK techniques that will be written up in separate rules. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule for WastedLocker defence-evasion behaviour on Windows process-creation
// events (product_event_type "4688" or "1"). Three branches:
//  1. cvtres.exe and 3. csc.exe compiling from a hard-coded %Temp% working directory
//     (h4bie4kg, RESF8F4.tmp, CSC81E...TMP are names from one sample run);
//  2. PsExec running a cmd loop that enumerates every event log with `wevtutil el` and clears
//     it with `wevtutil cl` (log clearing, T1070.001 in the meta).
// NOTE(review): branches 1 and 3 match only that one sample's random temp-directory names and
// will not fire on a different run; dropping the fixed names would make them reusable.
// NOTE(review): the image name "PsExec.exe.exe" has a doubled extension; confirm against the
// source rule - as written branch 2 can only match if the logged file name really ends in
// ".exe.exe". Image names here are bare file names compared for equality, while other rules on
// this page compare full paths; confirm which form the parser emits.
rule wastedlocker_ransomware_hunting_defense_evasion {
 meta:
    author = "Ariel Millahuel"
    description = "This rule its part of Cisco Talos investigation about this ransomware, and includes a lot of ATT&CK techniques that i'll be writing in different rules.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/kNavqYGJrev8"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "defense_evasion, T1027.004, T1070.001"

  events:
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and ((($selection1.target.process.file.full_path = "cvtres.exe" and re.regex($selection1.target.process.command_line, `.*cvtres\.exe /NOLOGO /READONLY /MACHINE:.* /OUT:C:\\Users.*\\AppData\\Local\\Temp\\RESF8F4\.tmp c:\\Users.*\\AppData\\Local\\Temp\\h4bie4kg\\CSC81E10858D57A44649763EE5728D5E87\.TMP.*`)) or ($selection1.target.process.file.full_path = "PsExec.exe.exe" and re.regex($selection1.target.process.command_line, `PsExec\.exe -s .* cmd /c for /F tokens=.* %1 in \('wevtutil\.exe el'\) DO wevtutil\.exe cl %1`))) or ($selection1.target.process.file.full_path = "csc.exe" and re.regex($selection1.target.process.command_line, `csc\.exe /noconfig /fullpaths @C:\\Users.*\\AppData\\Local\\Temp\\h4bie4kg\\h4bie4kg\.cmdline`))))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1189 ↗
wastedlocker_ransomware_hunting_initial_access_and_compromise
This rule is part of the Cisco Talos investigation into this ransomware, which covers many ATT&CK techniques that will be written up in separate rules. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
// Converted Sigma rule for the WastedLocker initial-access stage: wscript.exe executing a .js
// file extracted from a fake "Chrome.Update" zip in the user's %Temp% on a Windows
// process-creation event (product_event_type "4688" or "1").
// NOTE(review): the zip and script names carry sample-specific suffixes (b343b0, c9a747), so the
// regex matches only that one sample. A pattern such as `Temp1_Chrome\.Update\.[0-9a-f]+\.zip`
// would cover the naming scheme rather than a single file - confirm the scheme against the
// Talos write-up before generalising.
// NOTE(review): the image is compared as the bare name "wscript.exe" while other rules on this
// page compare full paths; confirm which form the parser emits.
rule wastedlocker_ransomware_hunting_initial_access_and_compromise {
 meta:
    author = "Ariel Millahuel"
    description = "This rule its part of Cisco Talos investigation about this ransomware, and includes a lot of ATT&CK techniques that i'll be writing in different rules.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/cexuKikgrGxH"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "initial_access, T1189"

  events:
($selection1.target.process.file.full_path = "wscript.exe" and re.regex($selection1.target.process.command_line, `wscript\.exe C:\\Users.*\\AppData\\Local\\Temp\\Temp1_Chrome\.Update\.b343b0\.zip\\Chrome\.Update\.c9a747\.js`) and ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1"))

  condition:
    $selection1
}
Microsoft Sentinel Original KQL T1189 ↗
A client made a web request to a potentially harmful file (ASIM Web Session schema)
'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr, that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema).'
// Successful web requests (last 10 minutes, ASIM WebSession) whose requested file name ends
// in a blocklisted extension. The blocklist is the built-in default list plus any entries in
// the optional 'RiskyFileTypes' watchlist, summarised per source and URL.
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
// column_ifexists/isnotempty keep the query valid when the watchlist is missing the column.
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
  | extend Extension=column_ifexists("Extension", "")
  | where isnotempty(Extension)
  | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
// url_has_any is a coarse pre-filter; the exact extension check happens below.
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
// Last path segment of the URL, then the trailing ".ext" token from it.
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
// NOTE(review): `in` is case-sensitive, so a request for FOO.PS1 passes the (case-insensitive)
// url_has_any pre-filter but is dropped here; `in~` would make the final check case-insensitive.
| where requestedFileExtension in (file_ext_blocklist)
| summarize
  EventStartTime=min(TimeGenerated),
  EventEndTime=max(TimeGenerated),
  EventCount=count()
  by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
// Entity fields: split a UPN-style username into name and suffix; non-UPN names pass through.
| extend
  Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
  UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
Microsoft Sentinel Original KQL T1132 ↗
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
'This rule identifies a web request with a user agent header known to belong to PowerShell. <br>You can add custom PowerShell-indicating User-Agent headers using a watchlist; for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br> This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema).'
// ASIM WebSession requests whose User-Agent matches a known PowerShell UA string.
// Indicators come from two sources: the public UnusualUserAgents.csv feed (filtered to the
// "Powershell" category) and the optional 'UnusualUserAgents' watchlist keyed on the same value.
let threatCategory="Powershell";
// NOTE(review): externaldata fetches the CSV from raw.githubusercontent.com on every run, so the
// rule silently stops matching if the feed is unreachable or its rows change; consider mirroring
// the list into the watchlist so the detection does not depend on an external fetch.
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
    [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
        with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
// Entity fields; a username without "@" yields an empty AccountUPNSuffix.
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
Microsoft Sentinel Original KQL T1059 ↗
A host is potentially running a hacking tool (ASIM Web Session schema)
'This rule identifies a web request with a user agent header known to belong to a hacking tool, which indicates a hacking tool is in use on the host.<br>You can add custom hacking-tool-indicating User-Agent headers using a watchlist; for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSessio
// ASIM WebSession requests whose User-Agent matches a known hacking-tool UA string.
// Same structure as the PowerShell user-agent rule above, differing only in threatCategory:
// the public UnusualUserAgents.csv feed plus the optional 'UnusualUserAgents' watchlist.
let threatCategory="Hacking Tool";
// NOTE(review): the externaldata fetch makes this rule depend on raw.githubusercontent.com
// being reachable at run time; mirroring the feed into the watchlist removes that dependency.
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
    [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
        with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
// Entity fields; a username without "@" yields an empty AccountUPNSuffix.
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
Microsoft Sentinel Original KQL T1098 ↗
AD account with Don't Expire Password
'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".'
// Security event 4738 (user account changed) where the new UserAccountControl includes %%2089,
// i.e. "Password Never Expires" was enabled. Two branches produce the same column set: the
// legacy SecurityEvent table (fields already parsed) and the WindowsEvent table (fields
// extracted from the EventData dynamic column). The trailing extends add host/domain entities.
union isfuzzy=true
(
 SecurityEvent
 | where EventID == 4738
 // 2089 value indicates the Don't Expire Password value has been set
 | where UserAccountControl has "%%2089"
 | extend Value_2089 = iff(UserAccountControl has "%%2089","'Don't Expire Password' - Enabled", "Not Changed")
 // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value.  This value may not be in the event.
 | extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
 // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.
 | extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
 | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, 
 AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid
 ),
 (
 WindowsEvent
 // Cheap substring pre-filter on the raw EventData before the exact %%2089 check below.
 | where EventID == 4738 and EventData has '2089'
 // 2089 value indicates the Don't Expire Password value has been set
 | extend UserAccountControl = tostring(EventData.UserAccountControl)
 | where UserAccountControl has "%%2089"
 | extend Value_2089 = iff(UserAccountControl has "%%2089","'Don't Expire Password' - Enabled", "Not Changed")
 // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value.  This value may not be in the event.
 | extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
 // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.
 | extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
 | extend Activity="4738 - A user account was changed."
 | extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
 | extend TargetSid = tostring(EventData.TargetSid)
 | extend SubjectAccount = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
 | extend SubjectUserSid = tostring(EventData.SubjectUserSid)
 // Computine accounts end in "$"; S-1-5-18/19/20 are the well-known LocalSystem, LocalService and NetworkService SIDs.
 | extend AccountType=case(SubjectAccount endswith "$" or SubjectUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(SubjectUserSid), "", "User")
 | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), TargetSid, 
 AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName), SubjectUserSid = tostring(EventData.SubjectUserSid)
 )
 // Host entity: short name and DNS domain derived from the FQDN in Computer.
 | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
 | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
 | project-away DomainIndex
Microsoft Sentinel Original KQL T1005 ↗
ADFS DKM Master Key Export
'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor. To understand the details behind this detection, please review the original PR and the subsequent PR update: https://github.com/Azure/Azure-Sentine
// Reads of the ADFS DKM master key from Active Directory. All three branches key on the
// thumbnailPhoto attribute of the contact object under the ADFS container:
//  - SecurityEvent / WindowsEvent: event 4662 (object access) on a contact-class object
//    where the accessed property is thumbnailPhoto (requires a SACL, see inline comment);
//  - DeviceEvents (Defender for Endpoint): an LDAP search listing thumbnailPhoto under
//    CN=ADFS,CN=Microsoft,CN=Program Data.
// Each branch normalises to AccountName/AccountDomain/DeviceName/timestamp for the final Account entity.
(union isfuzzy=true 
(SecurityEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where ObjectServer == 'DS'
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
| extend timestamp = TimeGenerated, DeviceName = Computer
),
( WindowsEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
// has_all on the raw EventData is a pre-filter; the exact field checks follow.
| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
| extend ObjectServer = tostring(EventData.ObjectServer)
| where ObjectServer == 'DS'
| extend OperationType = tostring(EventData.OperationType)
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| extend ObjectType = tostring(EventData.ObjectType)
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| extend Properties = tostring(EventData.Properties)
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
| extend timestamp = TimeGenerated, DeviceName = Computer
),
(DeviceEvents
| where ActionType =~ "LdapSearch"
| where AdditionalFields.AttributeList contains "thumbnailPhoto"
| where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
// NOTE(review): this branch sets no DeviceName; with isfuzzy=true the column is simply empty for these rows.
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
)
)
| extend Account = strcat(AccountDomain, "\\", AccountName)
Microsoft Sentinel Original KQL T1098 ↗
Account added and removed from privileged groups
'Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.'
// Accounts added to a privileged group (events 4728/4732/4756) and later removed from the same
// group by the same actor (events 4729/4733/4757). Group membership is restricted to well-known
// privileged SIDs via the two regexes; add and remove events are paired on a composite key of
// member, group and acting account, and the removal must occur after the addition.
// NOTE(review): DurationinSecondAfter_Removed has no upper bound, so "quickly removed" in the
// description is not enforced - any later removal pairs with the addition.
// Built-in local groups: S-1-5-32-5xx.
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
// Domain groups by RID: 5xx (built-in admin/operator groups), 1102/1103, 498 and 1000.
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
let AC_Add =
(union isfuzzy=true
(SecurityEvent
// Event ID related to member addition.
| where EventID in (4728, 4732,4756)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
// Pull the member's DN fragment out of the raw XML EventData.
| parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *
| where isnotempty(AccountAdded)
| extend GroupAddedTo = TargetUserName, AddingAccount = Account
| extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated
),
(WindowsEvent
// Event ID related to member addition.
| where EventID in (4728, 4732,4756)
| extend TargetSid = tostring(EventData.TargetSid)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
// NOTE(review): EventData.MemberName presumably already holds the bare DN value; if so the
// '"MemberName">' literal never occurs in it, AccountAdded stays empty and this whole branch
// is filtered out by the next line. Verify with a sample WindowsEvent row.
| parse EventData.MemberName with * '"MemberName">' * '=' AccountAdded ",OU" *
| where isnotempty(AccountAdded)
| extend TargetUserName = tostring(EventData.TargetUserName)
| extend AddingAccount =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend GroupAddedTo = TargetUserName
| extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated
)
);
let AC_Remove =
( union isfuzzy=true
(SecurityEvent
// Event IDs related to member removal.
| where EventID in (4729,4733,4757)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData with * '"MemberName">' * '=' AccountRemoved ",OU" *
| where isnotempty(AccountRemoved)
| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account
| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
// NOTE(review): this branch names the logon id column RemovingAccountLogonId, the WindowsEvent
// branch below names it RemovedAccountLogonId; the fuzzy union keeps both, each half-empty.
| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
RemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
),
(WindowsEvent
// Event IDs related to member removal.
| where EventID in (4729,4733,4757)
| extend TargetSid = tostring(EventData.TargetSid)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
// NOTE(review): same parse concern as in AC_Add - confirm EventData.MemberName contains the literal the pattern expects.
| parse EventData.MemberName with * '"MemberName">' * '=' AccountRemoved ",OU" *
| where isnotempty(AccountRemoved)
| extend TargetUserName = tostring(EventData.TargetUserName)
| extend RemovingAccount =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend GroupRemovedFrom = TargetUserName
| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
| extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)
| extend TargetDomainName = tostring(EventData.TargetDomainName)
| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
RemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
));
// Pair each addition with a removal of the same member/group/actor that happened afterwards.
AC_Add
| join kind = inner AC_Remove 
on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount
| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)
| where DurationinSecondAfter_Removed > 0
// Host and account entity fields (NT-style DOMAIN\name split on the backslash).
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend RemovedAccountName = tostring(split(AccountRemoved, @"\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @"\")[0])
| extend RemovingAccountName = tostring(split(RemovingAccount, @"\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @"\")[0])
| project-away DomainIndex
Microsoft Sentinel Original KQL T1078.004 ↗
Addition of a Temporary Access Pass to a Privileged Account
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including passwordless ones such as Microsoft Authenticator or even Windows Hello. A threat actor could use a TAP to register a new authentication method to maintain persistence on an account. Review any TAP creations to ensure they wer
// Entra ID audit events where an admin registered a Temporary Access Pass for a user whose
// latest IdentityInfo record lists a role containing "admin". Emits target and initiator
// entities (UPN, object id, IP) for the incident.
let admin_users = (IdentityInfo
  // Latest record per UPN, so stale role assignments do not count.
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  // Substring match on the role list: any role name containing "admin" qualifies.
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where OperationName =~ "Admin registered security info"
  | where ResultReason =~ "Admin registered temporary access pass method for user"
  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  // Case-insensitive membership test: both sides are lower-cased.
  | where tolower(TargetUserPrincipalName) in (admin_users)
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
Microsoft Sentinel Original KQL T1078 ↗
AdminSDHolder Modifications
'This query detects modifications to the AdminSDHolder object in Active Directory, which could indicate an attempt at persistence. AdminSDHolder modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor. This query searches for event ID 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/'
// Directory service object modifications (event 5136) whose ObjectDN is the AdminSDHolder
// container under CN=System, summarised per host and acting account.
// NOTE(review): only the SecurityEvent table is queried; unlike the other AD rules on this page
// there is no WindowsEvent branch, so hosts onboarded via the Windows Events connector are not covered.
SecurityEvent
| where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
// Extract the full DN from the raw XML EventData.
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
// Host and account entity fields.
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend Name = tostring(split(SubjectAccount, "\\")[1]), NTDomain = tostring(split(SubjectAccount, "\\")[0])
Microsoft Sentinel Original KQL T1078.004 ↗
Anomalous Single Factor Signin
'Detects successful sign-ins using single-factor authentication where the device, location, and ASN are abnormal. Single-factor authentications give attackers an opportunity to access compromised accounts; investigate these for anomalous occurrences. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
// Successful single-factor sign-ins carrying no device id, whose ASN and Location-State key were
// both absent from the baseline of successful sign-ins between 7 days ago and 1 day ago.
let baseline_signins = SigninLogs
  | where TimeGenerated between (ago(7d) .. ago(1d))
  | where ResultType == 0;
let baseline_locations = baseline_signins
  | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
  | summarize by LocationDetail;
let baseline_asns = baseline_signins
  | summarize by AutonomousSystemNumber;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0 and AuthenticationRequirement == "singleFactorAuthentication"
// Keep only sign-ins with no deviceId in DeviceDetail.
| where isempty(DeviceDetail.deviceId)
| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)
| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)
// Same Location-State key as the baseline so the two sets are comparable.
| extend LocationDetail = strcat(Location, "-", State)
| extend DeviceId = tostring(DeviceParsed.deviceId),
    DeviceName = tostring(DeviceParsed.displayName),
    OS = tostring(DeviceParsed.operatingSystem),
    Browser = tostring(DeviceParsed.browser)
| where LocationDetail !in (baseline_locations)
| where AutonomousSystemNumber !in (baseline_asns)
| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail
// Split the UPN into account name and domain suffix for entity mapping.
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
Microsoft Sentinel Original KQL T1190 ↗
Anomalous User Agent connection attempt
'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
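// Connection attempts whose User-Agent is unusually short or long, from clients that made fewer
// than c_threshold such attempts to a given host/site/URI; local client IPs are excluded.
let short_uaLength = 5;      // UA strings of this length or shorter are flagged
let long_uaLength = 1000;    // UA strings of this length or longer are flagged
let c_threshold = 100;       // tuples with this many connections or more are dropped as noise
W3CIISLog
// Exclude local IPs as these create noise: all three RFC 1918 ranges (10/8, 172.16/12, 192.168/16)
// plus IPv4 and IPv6 loopback.
| where not (cIP startswith "10."
    or cIP startswith "192.168."
    or cIP matches regex @"^172\.(1[6-9]|2[0-9]|3[01])\."
    or cIP in ("127.0.0.1", "::1"))
// Drop empty and placeholder agents before measuring length.
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC")
| extend csUserAgent_size = string_size(csUserAgent)
| where csUserAgent_size <= short_uaLength or csUserAgent_size >= long_uaLength
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count()
    by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
// Low-volume tuples only, per c_threshold.
| where ConnectionCount < c_threshold
// Host short name and domain suffix (the whole name when unqualified).
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
// UPN-style split of the IIS user name for entity mapping.
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])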
Microsoft Sentinel Original KQL T1199 ↗
Anomalous login followed by Teams action
'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges). Please note, if the initial logic of prevalence to find su
// Anomalous login followed by Teams action.
// For each user, sign-ins to Teams over `queryperiod` are grouped by source IP. Users are kept when
// their busiest and least-used IPs differ by at least `deltaThreshold` percent AND they signed in
// from at least `minimumCountries` countries. Every IP of such a user whose country is rare across
// the tenant (prevalence below `countryPrevalenceThreshold`) is then joined to Teams admin/membership
// operations from the last `queryfrequency`, keeping operations that happen within `projectedEndTime`
// after one of that IP's sign-ins.
// NOTE(review): the description talks about the *lowest used* IP, but the leftouter join on
// userIpSignin below brings back all of the user's IPs, filtered only by country prevalence — confirm
// which behaviour is intended.
//The bigger the window (queryperiod) the better the data sample size, as we use IP prevalence, more sample data is better.
//The minimum number of countries that the account has been accessed from [default: 2]
let minimumCountries = 2;
//The delta (%) between the largest in-use IP and the smallest [default: 95]
let deltaThreshold = 95;
//The maximum (%) threshold that the country appears in login data [default: 10]
let countryPrevalenceThreshold = 10;
//The time to project forward after the last login activity [default: 60min]
let projectedEndTime = 60m;
// Window of OfficeActivity operations examined.
let queryfrequency = 1d;
// Sign-in history window used for the IP and country baselines.
let queryperiod = 14d;
// Parameterised over the sign-in table so interactive and non-interactive logs are processed identically.
let aadFunc = (tableName: string) {
    // Get successful signins to Teams.
    // NOTE(review): "successful" here means ConditionalAccessStatus == success; ResultType is not
    // checked, so sign-ins that failed for other reasons may still be counted — confirm.
    let signinData =
        table(tableName)
        | where TimeGenerated > ago(queryperiod)
        | where AppDisplayName has "Teams" and ConditionalAccessStatus =~ "success"
        | extend Country = tostring(todynamic(LocationDetails)['countryOrRegion'])
        | where isnotempty(Country) and isnotempty(IPAddress);
    // Calculate prevalence of countries: share (%) of all Teams sign-ins coming from each country.
    let countryPrevalence =
        signinData
        | summarize CountCountrySignin = count() by Country
        | extend TotalSignin = toscalar(signinData | summarize count())
        | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;
    // Count signins by user and IP address, keeping every sign-in time for the window check later.
    // any(Country) keeps one arbitrary country per IP/user pair.
    let userIpSignin =
        signinData
        | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;
    // Calculate delta between the IP addresses with the most and minimum activity by user:
    // (max - min) / max * 100, so 100 means the least-used IP is negligible next to the busiest.
    let userIpDelta =
        userIpSignin
        | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName
        | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;
    // Collect Team operations the user account has performed within a time range of the suspicious signins
    OfficeActivity
    | where TimeGenerated > ago(queryfrequency)
    | where Operation in~ ("TeamsAdminAction", "MemberAdded", "MemberRemoved", "MemberRoleChanged", "AppInstalled", "BotAddedToTeam")
    | where not (Operation in~ ("MemberAdded", "MemberRemoved") and CommunicationType in~ ("GroupChat", "OneonOne")) // These events have been noisy and are related to initiating chat conversation and not admin operations.
    | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation
    // NOTE(review): UserId is lowercased here but UserPrincipalName on the right side is not, and
    // the join key comparison is case-sensitive — mixed-case UPNs in the sign-in logs would not match.
    | join kind = inner(
        userIpDelta
        // Check users with activity from distinct countries
        | where DistinctCountries >= minimumCountries
        // Check users with high IP delta
        | where UserIPDelta >= deltaThreshold
        // Add information about signins and countries (one row per IP the user signed in from)
        | join kind = leftouter userIpSignin on UserPrincipalName
        | join kind = leftouter countryPrevalence on Country
        // Check activity that comes from nonprevalent countries. Rows without a prevalence value
        // (null from the leftouter join) fail this comparison and are dropped.
        | where CountryPrevalence < countryPrevalenceThreshold
        | project
            UserPrincipalName,
            SuspiciousIP = IPAddress,
            UserIPDelta,
            SuspiciousSigninCountry = Country,
            SuspiciousCountryPrevalence = CountryPrevalence,
            EventTimes = ListSigninTimeGenerated
    ) on $left.UserId == $right.UserPrincipalName
    // Check the signins occurred within projectedEndTime (default 60 min) before the Teams operations
    | mv-expand SigninTimeGenerated = EventTimes
    | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)
    | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
// Keep the latest sign-in per user/IP/operation, then fold all operations into one bag per user/IP/country.
| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated
| summarize
    ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack("Operation", tostring(Operation), "OperationTime", OperationTimeGenerated)))
    by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence
// Split the UPN into account name and domain suffix for entity mapping.
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
Microsoft Sentinel Original KQL T1078 ↗
Anomaly Sign In Event from an IP
'Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts'
// Anomaly Sign In Event from an IP.
// Per source IP, sign-ins over the last hour are bucketed into 15-minute bins; bins that are an
// upward anomaly against the decomposed series are kept, and the IP is reported when it touched
// more than one user and at least one authentication step recorded "Correct Password".
// NOTE(review): a 1h window at a 15m step yields only four points per series, which is a thin
// sample for series_decompose_anomalies — confirm this is intended.
let LookBack = 1h;
let Data = (
SigninLogs
| where TimeGenerated >= ago(LookBack)
// Only the first NetworkLocationDetails entry is inspected.
| where parse_json(NetworkLocationDetails)[0].networkType != "trustedNamedLocation" // Excludes known tagged networks
// Counts the number of sign in events in the last hour every 15 minutes by IP
| make-series EventCounts = count() on TimeGenerated from ago(LookBack) to now() step 15m by IPAddress 
);
let AnomalyAlert = (
Data
// Anomaly threshold 1.5, seasonality auto-detected (-1), linear trend fit.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(EventCounts,1.5,-1,'linefit')
| mv-expand EventCounts,TimeGenerated,Anomalies to typeof(double),Baseline to typeof(long),Score to typeof(double)
// Positive anomalies only (spikes above baseline); dips are ignored.
| where Anomalies > 0
);
AnomalyAlert
// Re-read the same window to attach users, apps and per-step results for the anomalous IPs.
| join kind = inner (SigninLogs
| where TimeGenerated between (ago(LookBack) .. now())
| where parse_json(NetworkLocationDetails)[0].networkType != "trustedNamedLocation"
| extend PasswordResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)
| summarize UserCount = dcount(UserPrincipalName), UserList = make_set(UserPrincipalName), AppName = make_set(AppDisplayName), PasswordResult = make_list(PasswordResult) by IPAddress) on IPAddress
// PasswordResult is a list here; `has` matches when any element contains the term.
| where PasswordResult has "Correct Password"
| where UserCount > 1 // looks for events targeting more than one user.
Microsoft Sentinel Original KQL T1189 ↗
Application Gateway WAF - XSS Detection
'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)'
let Threshold = 1;  // minimum distinct blocked transaction ids per client/URI/score group before a row is emitted
 // Application Gateway WAF - XSS: join every "Matched" rule record to the "Blocked" record of the
 // same transaction, keep blocks whose recorded reason is XSS with a high XSS anomaly score, then
 // group by client IP and URI.
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Matched"
 | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
 | join kind = inner(
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Blocked"
 // Split the per-category anomaly scores out of the "Total Inbound Score" message text.
 | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score
 // XSS-driven block: total score >= 15, XSS score >= 10, and SQLI score <= 5 so SQLi-dominated blocks are not counted here.
 | where Blocked_Reason contains "XSS" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g
 | extend Uri = strcat(hostname_s,requestUri_s)
 // One row per client/URI/score combination (action_s is the left side's "Matched"), collecting the matched rules' messages and details.
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore
 | where Total_TransactionId >= Threshold
Microsoft Sentinel Original KQL T1078.004 ↗
Application ID URI Changed
'Detects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed'
// Application / service-principal updates that modify the AppIdentifierUri property, with old and new values.
AuditLogs
  | where Category == "ApplicationManagement"
  | where OperationName has_any ("Update Application", "Update Service principal")
  // Pre-filter on the raw TargetResources blob before expanding modifiedProperties.
  | where TargetResources has "AppIdentifierUri"
  // Initiator: app (service principal) and/or user fields from InitiatedBy.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
      InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
      InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
      InitiatingAadUserId = tostring(InitiatedBy.user.id),
      InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Only the first target resource is examined.
  | extend mod_props = TargetResources[0].modifiedProperties, TargetAppName = tostring(TargetResources[0].displayName)
  | mv-expand mod_props
  | where mod_props.displayName has "AppIdentifierUri"
  | extend OldURI = tostring(mod_props.oldValue), NewURI = tostring(mod_props.newValue)
  // UpdatedBy prefers the app name and falls back to the user UPN.
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  // Split the UPN into account name and domain suffix for entity mapping.
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress
Microsoft Sentinel Original KQL T1078.004 ↗
Application Redirect URL Update
'Detects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes'
// Successful "Update Application" operations that add a redirect address (AppAddress) which was
// not present before the change.
AuditLogs
  | where Category =~ "ApplicationManagement" and Result =~ "success"
  | where OperationName =~ 'Update Application'
  // Pre-filter on the raw blob before the two expansions below.
  | where TargetResources has "AppAddress"
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  | where TargetResources_modifiedProperties.displayName =~ "AppAddress"
  | extend Key = tostring(TargetResources_modifiedProperties.displayName),
      NewValue = TargetResources_modifiedProperties.newValue,
      OldValue = TargetResources_modifiedProperties.oldValue
  | where isnotempty(Key) and isnotempty(NewValue)
  | project-reorder Key, NewValue, OldValue
  // Every "Address" value in the serialised property, before and after the change.
  | extend NewUrls = extract_all('"Address":([^,]*)', tostring(NewValue)),
      OldUrls = extract_all('"Address":([^,]*)', tostring(OldValue))
  // Addresses present after the change but not before.
  | extend AddedUrls = set_difference(NewUrls, OldUrls)
  | where array_length(AddedUrls) > 0
  // The User-Agent is only captured when it is the first AdditionalDetails entry.
  | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == "User-Agent", tostring(AdditionalDetails[0].value), "")
  // Initiator: app (service principal) and/or user fields from InitiatedBy.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
      InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
      InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
      InitiatingAadUserId = tostring(InitiatedBy.user.id),
      InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // AddedBy prefers the user UPN and falls back to the app name.
  | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName),
      TargetAppName = tostring(TargetResources.displayName)
  // Split the UPN into account name and domain suffix for entity mapping.
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, AddedBy, UserAgent
Microsoft Sentinel Original KQL T1204 ↗
Audit policy manipulation using auditpol utility
This detects attempts to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it. Refer to auditpol syntax: https://docs.microsoft.com/windows-serve
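// Audit policy manipulation via auditpol: look for "clear", "remove" or "*:disable" tokens in
// process command lines across SecurityEvent, DeviceProcessEvents and Sysmon (Event ID 1), then
// keep only the subcategories listed in SubCategoryList. The process-name filters are intentionally
// commented out because an adversary could rename auditpol.exe.
let timeframe = 1d;
let AccountAllowList = dynamic(['SYSTEM']);
let SubCategoryList = dynamic(["Logoff", "Account Lockout", "User Account Management", "Authorization Policy Change"]); // Add any Category in the list to be allowed or disallowed
let tokens = dynamic(["clear", "remove", "success:disable","failure:disable"]);
(union isfuzzy=true
(
SecurityEvent
| where TimeGenerated >= ago(timeframe)
//| where Process =~ "auditpol.exe"
| where CommandLine has_any (tokens)
| where AccountType !~ "Machine" and Account !in~ (AccountAllowList)
// Everything after "/subcategory:" — the quoted subcategory name and whatever toggles follow it.
| parse CommandLine with * "/subcategory:" subcategorytoken
| extend SubCategory = tostring(split(subcategorytoken, "\"")[1]) , Toggle =  tostring(split(subcategorytoken, "\"")[2])
| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion
| where Toggle !in~ ("/failure:disable", " /success:enable /failure:disable") // use this filter if required to exclude certain toggles
| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle
// Common column names shared by all three branches.
| extend timestamp = TimeGenerated, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, DeviceName = Computer
),
(
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
// | where InitiatingProcessFileName =~ "auditpol.exe"
| where InitiatingProcessCommandLine has_any (tokens)
| where AccountName !in~ (AccountAllowList)
| parse InitiatingProcessCommandLine with * "/subcategory:" subcategorytoken
| extend SubCategory = tostring(split(subcategorytoken, "\"")[1]) , Toggle =  tostring(split(subcategorytoken, "\"")[2])
| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion
| where Toggle !in~ ("/failure:disable", " /success:enable /failure:disable") // use this filter if required to exclude certain toggles
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName,  InitiatingProcessCommandLine, SubCategory, Toggle
// Common column names shared by all three branches (AccountName is replaced by the initiating process account).
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
),
(
Event
| where TimeGenerated > ago(timeframe)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
// Flatten the Sysmon EventData XML into one column per Data element.
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
// | where OriginalFileName =~ "auditpol.exe"
| where CommandLine has_any (tokens)
| where User !in~ (AccountAllowList)
| parse CommandLine with * "/subcategory:" subcategorytoken
| extend SubCategory = tostring(split(subcategorytoken, "\"")[1]) , Toggle =  tostring(split(subcategorytoken, "\"")[2])
| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion
| where Toggle !in~ ("/failure:disable", " /success:enable /failure:disable") // use this filter if required to exclude certain toggles
| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle
// Sysmon User is DOMAIN\user. The domain part also populates AccountDomain so the Account column
// built after the union is DOMAIN\user for Sysmon rows too, instead of a bare "\user".
| extend timestamp = TimeGenerated, AccountName = tostring(split(User, @'\')[1]), AccountUPNSuffix = tostring(split(User, @'\')[0]), AccountDomain = tostring(split(User, @'\')[0]), DeviceName = Computer
)
)
// Canonical DOMAIN\user across all three sources; AccountDomain is set in every branch above.
| extend Account = strcat(AccountDomain, "\\", AccountName)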
Microsoft Sentinel Original KQL T1078.004 ↗
Authentication Attempt from New Country
Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-a
// Authentication Attempt from New Country.
// Sign-ins (interactive and non-interactive) from the last day whose Location saw no successful
// sign-in in the prior 14d..1d window, excluding source IPs inside Microsoft's published Azure
// service-tag ranges; results are summarised per user, location and log category.
let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;
  // Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table
  // Fetch Azure IP address ranges data from a JSON file hosted on GitHub.
  // NOTE(review): this is a run-time dependency on an external HTTPS feed. If it is unreachable the
  // query fails, and whatever the feed returns directly widens or narrows the IP exclusion below, so
  // treat its contents as untrusted input (consider mirroring the file internally and pinning it).
  let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)
  ["https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json"] with(format='multijson')
  // Load Azure IP address ranges from the JSON file hosted on GitHub
  | mv-expand values
  // Expand the values column into separate rows (one per service tag)
  | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);
  // Create additional columns for the name and address prefixes
  // Identify known locations to be excluded from analysis: any Location with a successful sign-in in the baseline window
  let ExcludedKnownLocations = CombinedSignInLogs
  // Filter the combined logs based on the specified time range
  | where TimeGenerated between (ago(14d)..ago(1d))
  // Filter by specific ResultType (0 = success)
  | where ResultType == 0
  // Summarize the logs by location
  | summarize by Location;
  // Find sign-in locations matching specific criteria
  let MatchedLocations = materialize(CombinedSignInLogs
  // Filter the combined logs based on the specified time range
  | where TimeGenerated > ago(1d)
  // Exclude specific ResultTypes; all other results, successes and failures alike, are kept
  | where ResultType !in (50126, 50053, 50074, 70044)
  // Exclude known locations
  | where Location !in (ExcludedKnownLocations));
  // Match IP addresses of matched locations with Azure IP address ranges
  let MatchedIPs = MatchedLocations
  // Use the 'ipv4_lookup' function to match IP addresses with Azure IP address ranges
  | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)
  // Project only the IPAddress column
  | project IPAddress;
  // Exclude IP addresses that are already matched with Azure IP address ranges
  let MaxSetSize = 5; // Set the maximum size limit for make_set
  // Despite its name, ExcludedIPs is the final result set: sign-ins that are NOT from Azure ranges.
  let ExcludedIPs = MatchedLocations
  // Filter out IP addresses that are already matched
  | where not (IPAddress in (MatchedIPs))
  // Exclude empty or null Location values
  | where isnotempty(Location)
  // Handle dynamic and string column values for LocationDetails and DeviceDetail
  | extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
  | extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
  // NOTE(review): the *_string variants are referenced directly while the *_dynamic ones go through
  // column_ifexists — this assumes the union always yields LocationDetails_string / DeviceDetail_string; confirm.
  | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
  | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
  // Extract location details (city and state)
  | extend City = tostring(LocationDetails.city)
  | extend State = tostring(LocationDetails.state)
  | extend Place = strcat(City, " - ", State)
  | extend DeviceId = tostring(DeviceDetail.deviceId)
  | extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
  // Summarize the data based on UserPrincipalName, Location, and Category; each set is capped at MaxSetSize entries
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),
  make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),
  make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),
  make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category
  // Extract the username prefix and suffix from UserPrincipalName
  | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]);
  ExcludedIPs // Output the final result set
  // First IP of the (capped) set, for entity mapping
  | extend IP = set_IPAddress[0]
Microsoft Sentinel Original KQL T1078.004 ↗
Authentications of Privileged Accounts Outside of Expected Controls
'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure
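// Successful sign-ins by admin accounts from an ASN, device and location that no admin
// successfully signed in from during the 7-day baseline window.
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  // Substring match on the role list (case-insensitive).
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  // Baseline of admin sign-ins between 7 days ago and 1 day ago. Only successful sign-ins
  // (ResultType == 0) count, so failed attempts from an unfamiliar ASN/location/device cannot
  // seed the baseline — consistent with the "logged in from" wording of the detection.
  let admin_signins = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users));
  let admin_asn = (admin_signins
  | summarize by AutonomousSystemNumber);
  let admin_locations = (admin_signins
  | summarize by Location);
  // Only non-empty device ids enter the baseline, so a sign-in with no device id always counts as "new device".
  let admin_devices = (admin_signins
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where isnotempty(deviceId)
  | summarize by deviceId);
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  // All three attributes must be unseen at once; any one familiar attribute suppresses the row.
  | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)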
Microsoft Sentinel Original KQL T1059 ↗
Base64 encoded Windows process command-lines (Normalized Process Events)
'Identifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
// Process creations (ASIM imProcessCreate) whose command line contains the base64 form of a PE
// file header ("TVqQAAMAAAAEAAA"). Note that `contains` is case-insensitive in KQL.
imProcessCreate
| where isnotempty(Process)
| where CommandLine contains "TVqQAAMAAAAEAAA"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count()
    by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
// DOMAIN\user split for entity mapping.
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
// Host short name and domain suffix (the whole name when the device is unqualified); the dot
// index is computed inline rather than kept as a temporary column.
| extend HostName = tostring(split(Dvc, ".")[0])
| extend HostNameDomain = iff(indexof(Dvc, '.') != -1, substring(Dvc, indexof(Dvc, '.') + 1), Dvc)
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to Application Logout URL
'Detects changes to an applications sign out URL. Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed'
// Application / service-principal updates whose modified property name contains "Url"
// (sign-out URL changes included), with the old and new values.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where OperationName has_any ("Update Application", "Update Service principal")
  // Initiator: app (service principal) and/or user fields from InitiatedBy.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
      InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
      InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
      InitiatingAadUserId = tostring(InitiatedBy.user.id),
      InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Only the first target resource is examined.
  | extend TargetAppName = tostring(TargetResources[0].displayName), mod_props = TargetResources[0].modifiedProperties
  | mv-expand mod_props
  | extend Action = tostring(mod_props.displayName)
  // Broad match: any modified property whose name contains "Url", not only the logout URL.
  | where Action contains "Url"
  // UpdatedBy prefers the app name and falls back to the user UPN.
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName),
      OldURL = tostring(mod_props.oldValue),
      NewURL = tostring(mod_props.newValue)
  // Split the UPN into account name and domain suffix for entity mapping.
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to Application Ownership
'Detects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner'
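// "Add owner to application" audit events: who added which user as owner of which application.
AuditLogs
  | where Category =~ "ApplicationManagement"
  | where OperationName =~ "Add owner to application"
  // Initiator: app (service principal) and/or user fields from InitiatedBy.
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // The first target resource carries the added user. Cast to string explicitly, like the other
  // extracted fields, so the split() on this column further down always receives a string.
  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  | extend mod_props = TargetResources[0].modifiedProperties
  | mv-expand mod_props
  | where mod_props.displayName =~ "Application.DisplayName"
  // newValue is a JSON-encoded string; parse then stringify to drop the surrounding quotes.
  | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))
  | extend AddedUser = TargetUserPrincipalName
  // UpdatedBy prefers the app name and falls back to the user UPN.
  | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  // Split both UPNs into account name and domain suffix for entity mapping.
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy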
Microsoft Sentinel Original KQL T1078.004 ↗
Changes to PIM Settings
'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
// Changes to PIM role settings ("Update role setting in PIM" in the RoleManagement category),
// enriched with the initiating user's UPN, object id and IP address.
AuditLogs
  | where Category =~ "RoleManagement" and OperationName =~ "Update role setting in PIM"
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
      InitiatingAadUserId = tostring(InitiatedBy.user.id),
      InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  // Split the UPN into account name and domain suffix for entity mapping.
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix