├── .gitignore
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE.md
├── README.md
├── Sysmon-OSSEM.txt
└── docs
    └── DEFCON_attacking_the_sentinel.pdf

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.terraform.tfstate.lock.info
terraform.tfstate
terraform.tfstate.backup
.terraform/
.terraform.lock.hcl
variables.tfvars
variables.txt
files/.DS_Store
.DS_Store
Thumbs.db
hunting/config.ini
lab/files/create-ad.ps1
lab/files/install-utilities.ps1
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct

### Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

### Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

### Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

### Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

### Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at netevert@protonmail.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

### Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing

When contributing to this repository, please first discuss the change you wish to make via issue, email, or any other method with the owners of this repository before making a change.

Please note we have a [code of conduct](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/CODE_OF_CONDUCT.md), please follow it in all your interactions with the project.

## Pull Request Process

1. Ensure any install or build dependencies are removed before the end of the layer when doing a build.
2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters.
3. Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/).
4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you do not have permission to do that, you may request the second reviewer to merge it for you.
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019-2020 Edoardo Gerosa

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![GitHub release](https://img.shields.io/github/v/release/netevert/sentinel-attack.svg?style=flat-square)](https://github.com/netevert/sentinel-attack/releases)
[![Maintenance](https://img.shields.io/maintenance/yes/2024.svg?style=flat-square)]()
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
[![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)

Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.

It provides a [Sysmon log parser](https://github.com/netevert/sentinel-attack/blob/master/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/OTRF/OSSEM) data model and compatible with the [Sysmon Modular XML configuration file](https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml).

**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.

### Usage
To use the Sentinel-ATT&CK parser, paste it into the Logs blade of your Sentinel workspace and save it as a function with the alias `Sysmon`. Hunting queries then reference `Sysmon` in place of a table and get one row per Sysmon event with the OSSEM column names defined in the parser; columns that exist only for some event types are empty for the others. The `technique_id` and `technique_name` columns are populated only when Sysmon runs with the Sysmon Modular configuration, which writes the ATT&CK mapping into each event's RuleName field.

Before saving the function, check which table your Sysmon events actually land in: the parser reads `SecurityEvent` rows with `EventSourceName == "Microsoft-Windows-Sysmon"`. If your agent forwards the Sysmon operational log to the `Event` table instead, adjust the first `let` as described in the notes at the top of the parser.

A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found [here](https://2019.cloud-village.org/#talks?olafedoardo) and [here](https://github.com/netevert/sentinel-attack/blob/master/docs/DEFCON_attacking_the_sentinel.pdf).

### Contributing
This repository is a work in progress; if you spot any problems, pull requests or submissions on the issue tracker are welcome.

### Authors and contributors
Sentinel ATT&CK is built with ❤ by:
- Edoardo Gerosa
[![Twitter Follow](https://img.shields.io/twitter/follow/edoardogerosa.svg?style=social)](https://twitter.com/edoardogerosa)

Special thanks go to the following contributors:

- Olaf Hartong
[![Twitter Follow](https://img.shields.io/twitter/follow/olafhartong.svg?style=social)](https://twitter.com/olafhartong)
- Ashwin Patil
[![Twitter Follow](https://img.shields.io/twitter/follow/ashwinpatil.svg?style=social)](https://twitter.com/ashwinpatil)
- Mor Shabi
[![Twitter Follow](https://img.shields.io/twitter/follow/Mor44574618.svg?style=social)](https://twitter.com/Mor44574618)
- [Adrian Corona](https://github.com/temores)
--------------------------------------------------------------------------------
/Sysmon-OSSEM.txt:
--------------------------------------------------------------------------------
// KQL Sysmon Event Parser compatible with OSSEM
// Original work by the Azure Sentinel team
// Maintained by Edoardo Gerosa
// OSSEM link > https://github.com/OTRF/OSSEM
//
// Notes:
// 1. Field positions follow the Sysmon v15 event schema. Every EventData <Data> element is addressed by
//    position (EventDetail.[N]), so a Sysmon release that inserts or reorders a field shifts every later
//    column without raising an error; fields appended at the end (for example ParentUser on event 1) are
//    simply ignored. Re-check the indices against the raw event XML after upgrading Sysmon.
// 2. technique_id and technique_name are only populated when Sysmon is deployed with the custom XML
//    available here: https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml, which
//    writes the ATT&CK mapping into RuleName as "technique_id=<id>,technique_name=<name>".
// 3. The Hashes pattern expects SHA1, MD5, SHA256 and IMPHASH in that order, which is what Sysmon emits
//    with <HashAlgorithms>*</HashAlgorithms> (the sysmon-modular setting). With a narrower HashAlgorithms
//    setting the parse does not match and all four hash_* columns are empty.
// 4. Events are read from SecurityEvent. If your agent forwards the Sysmon operational log to the Event
//    table instead, change the first let to `Event | where Source == "Microsoft-Windows-Sysmon"` and the
//    XML path to EvData.DataItem.EventData.Data.

let EventData = SecurityEvent
| where EventSourceName == "Microsoft-Windows-Sysmon"
| project TimeGenerated, EventID, Computer, EventData
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.EventData.Data
| project-away EventData, EvData
;
let SysmonEvent1_ProcessCreate=() {
let processEvents = EventData
| where EventID == 1
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"], process_path = EventDetail.[4].["#text"],
file_version = EventDetail.[5].["#text"], file_description = EventDetail.[6].["#text"], file_product = EventDetail.[7].["#text"], file_company = EventDetail.[8].["#text"], file_name = EventDetail.[9].["#text"],
process_command_line = EventDetail.[10].["#text"], file_directory = EventDetail.[11].["#text"], user_name = EventDetail.[12].["#text"], user_logon_guid = EventDetail.[13].["#text"],
user_logon_id = EventDetail.[14].["#text"], user_session_id = EventDetail.[15].["#text"], process_integrity_level = EventDetail.[16].["#text"], Hashes = EventDetail.[17].["#text"],
process_parent_guid = EventDetail.[18].["#text"], process_parent_id = EventDetail.[19].["#text"], process_parent_path = EventDetail.[20].["#text"], process_parent_command_line = EventDetail.[21].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| parse Hashes with * "SHA1=" hash_sha1 "," * "MD5=" hash_md5 "," * "SHA256=" hash_sha256 "," * "IMPHASH=" hash_imphash
| project-away EventDetail, rule_name, Hashes
;
processEvents;
};
let SysmonEvent2_FileCreateTime=() {
let processEvents = EventData
| where EventID == 2
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"], process_path = EventDetail.[4].["#text"],
file_path = EventDetail.[5].["#text"], file_creation_time = EventDetail.[6].["#text"], file_previous_creation_time = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent3_NetworkConnect=() {
let processEvents = EventData
| where EventID == 3
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"], process_path = EventDetail.[4].["#text"],
user_name = EventDetail.[5].["#text"], network_protocol = EventDetail.[6].["#text"], network_connection_initiated = EventDetail.[7].["#text"], src_is_ipv6 = EventDetail.[8].["#text"], src_ip = EventDetail.[9].["#text"],
src_host_name = EventDetail.[10].["#text"], src_port = EventDetail.[11].["#text"], src_port_name = EventDetail.[12].["#text"], dst_is_ipv6 = EventDetail.[13].["#text"],
dst_ip = EventDetail.[14].["#text"], dst_host_name = EventDetail.[15].["#text"], dst_port = EventDetail.[16].["#text"], dst_port_name = EventDetail.[17].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent4_ServiceStateChange=() {
let processEvents = EventData
| where EventID == 4
| extend event_creation_time = EventDetail.[0].["#text"], service_state = EventDetail.[1].["#text"], sysmon_schema = EventDetail.[2].["#text"], sysmon_schema_version = EventDetail.[3].["#text"]
| project-away EventDetail
;
processEvents;
};
let SysmonEvent5_ProcessTerminate=() {
let processEvents = EventData
| where EventID == 5
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"], process_path = EventDetail.[4].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent6_DriverLoad=() {
let processEvents = EventData
| where EventID == 6
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_pathLoaded = EventDetail.[2].["#text"], Hashes = EventDetail.[3].["#text"],
driver_is_signed = EventDetail.[4].["#text"], driver_signature = EventDetail.[5].["#text"], driver_signature_status = EventDetail.[6].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| parse Hashes with * "SHA1=" hash_sha1 "," * "MD5=" hash_md5 "," * "SHA256=" hash_sha256 "," * "IMPHASH=" hash_imphash
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent7_ImageLoad=() {
let processEvents = EventData
| where EventID == 7
// index 10 (OriginalFileName) is intentionally not mapped
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"], process_path = EventDetail.[4].["#text"],
module_loaded = EventDetail.[5].["#text"], file_version = EventDetail.[6].["#text"], file_description = EventDetail.[7].["#text"], file_product = EventDetail.[8].["#text"], file_company = EventDetail.[9].["#text"],
Hashes = EventDetail.[11].["#text"], module_is_signed = EventDetail.[12].["#text"], module_signature = EventDetail.[13].["#text"], module_signature_status = EventDetail.[14].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| parse Hashes with * "SHA1=" hash_sha1 "," * "MD5=" hash_md5 "," * "SHA256=" hash_sha256 "," * "IMPHASH=" hash_imphash
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent8_CreateRemoteThread=() {
let processEvents = EventData
| where EventID == 8
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"],
process_path = EventDetail.[4].["#text"], target_process_guid = EventDetail.[5].["#text"], target_process_id = EventDetail.[6].["#text"], target_process_path = EventDetail.[7].["#text"],
thread_new_id = EventDetail.[8].["#text"], thread_start_address = EventDetail.[9].["#text"], thread_start_module = EventDetail.[10].["#text"], thread_start_function = EventDetail.[11].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent9_RawAccessRead=() {
let processEvents = EventData
| where EventID == 9
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"], process_path = EventDetail.[4].["#text"], target_device = EventDetail.[5].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent10_ProcessAccess=() {
let processEvents = EventData
| where EventID == 10
// UtcTime is exposed as event_creation_time, the same column name used by every other event type
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"],
thread_id = EventDetail.[4].["#text"], process_path = EventDetail.[5].["#text"], target_process_guid = EventDetail.[6].["#text"], target_process_id = EventDetail.[7].["#text"],
target_process_path = EventDetail.[8].["#text"], process_granted_access = EventDetail.[9].["#text"], process_call_trace = EventDetail.[10].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent11_FileCreate=() {
let processEvents = EventData
| where EventID == 11
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"],
process_path = EventDetail.[4].["#text"], file_name = EventDetail.[5].["#text"], file_creation_time = EventDetail.[6].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent12_RegistryObjectAddDel=() {
let processEvents = EventData
| where EventID == 12
| extend rule_name = EventDetail.[0].["#text"], EventType = EventDetail.[1].["#text"], event_creation_time = EventDetail.[2].["#text"], process_guid = EventDetail.[3].["#text"],
process_id = EventDetail.[4].["#text"], process_path = EventDetail.[5].["#text"], registry_key_path = EventDetail.[6].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent13_RegistrySetValue=() {
let processEvents = EventData
| where EventID == 13
| extend rule_name = EventDetail.[0].["#text"], EventType = EventDetail.[1].["#text"], event_creation_time = EventDetail.[2].["#text"], process_guid = EventDetail.[3].["#text"],
process_id = EventDetail.[4].["#text"], process_path = EventDetail.[5].["#text"], registry_key_path = EventDetail.[6].["#text"], registry_key_details = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent14_RegistryObjectRename=() {
let processEvents = EventData
| where EventID == 14
| extend rule_name = EventDetail.[0].["#text"], EventType = EventDetail.[1].["#text"], event_creation_time = EventDetail.[2].["#text"], process_guid = EventDetail.[3].["#text"],
process_id = EventDetail.[4].["#text"], process_path = EventDetail.[5].["#text"], registry_key_path = EventDetail.[6].["#text"], registry_key_new_name = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent15_FileCreateStreamHash=() {
let processEvents = EventData
| where EventID == 15
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"],
process_path = EventDetail.[4].["#text"], file_name = EventDetail.[5].["#text"], file_creation_time = EventDetail.[6].["#text"], hash = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent16_ConfigChange=() {
let processEvents = EventData
| where EventID == 16
| extend event_creation_time = EventDetail.[0].["#text"], sysmon_configuration = EventDetail.[1].["#text"], sysmon_configuration_hash = EventDetail.[2].["#text"]
| project-away EventDetail
;
processEvents;
};
let SysmonEvent17_CreateNamedPipe=() {
let processEvents = EventData
| where EventID == 17
// index 1 (EventType) is intentionally not mapped
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[2].["#text"], process_guid = EventDetail.[3].["#text"], process_id = EventDetail.[4].["#text"], pipe_name = EventDetail.[5].["#text"],
process_path = EventDetail.[6].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent18_ConnectNamedPipe=() {
let processEvents = EventData
| where EventID == 18
// index 1 (EventType) is intentionally not mapped
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[2].["#text"], process_guid = EventDetail.[3].["#text"], process_id = EventDetail.[4].["#text"], pipe_name = EventDetail.[5].["#text"],
process_path = EventDetail.[6].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent19_WMIEventFilter=() {
let processEvents = EventData
| where EventID == 19
| extend rule_name = EventDetail.[0].["#text"], EventType = EventDetail.[1].["#text"], event_creation_time = EventDetail.[2].["#text"], wmi_operation = EventDetail.[3].["#text"],
user_name = EventDetail.[4].["#text"], wmi_namespace = EventDetail.[5].["#text"], wmi_filter_name = EventDetail.[6].["#text"], wmi_query = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent20_WMIEventConsumer=() {
let processEvents = EventData
| where EventID == 20
| extend rule_name = EventDetail.[0].["#text"], EventType = EventDetail.[1].["#text"], event_creation_time = EventDetail.[2].["#text"], wmi_operation = EventDetail.[3].["#text"],
user_name = EventDetail.[4].["#text"], wmi_consumer_name = EventDetail.[5].["#text"], wmi_consumer_type = EventDetail.[6].["#text"], wmi_consumer_destination = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent21_WMIEventConsumerToFilter=() {
let processEvents = EventData
| where EventID == 21
// the WMI binding event carries Consumer at index 5 and Filter at index 6; it has no Type field, so nothing
// is read from index 7
| extend rule_name = EventDetail.[0].["#text"], EventType = EventDetail.[1].["#text"], event_creation_time = EventDetail.[2].["#text"], wmi_operation = EventDetail.[3].["#text"],
user_name = EventDetail.[4].["#text"], wmi_consumer_path = EventDetail.[5].["#text"], wmi_filter_path = EventDetail.[6].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
let SysmonEvent22_DNSEvents=() {
let processEvents = EventData
| where EventID == 22
| extend rule_name = EventDetail.[0].["#text"], event_creation_time = EventDetail.[1].["#text"], process_guid = EventDetail.[2].["#text"], process_id = EventDetail.[3].["#text"],
dns_query_name = EventDetail.[4].["#text"], dns_query_status = EventDetail.[5].["#text"], dns_query_results = EventDetail.[6].["#text"], process_path = EventDetail.[7].["#text"]
| parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name
| project-away EventDetail, rule_name
;
processEvents;
};
// isfuzzy=true keeps the union working even if one of the per-event functions fails to resolve;
// columns defined only by some event types are empty for the others.
(union isfuzzy=true
SysmonEvent1_ProcessCreate, SysmonEvent2_FileCreateTime, SysmonEvent3_NetworkConnect, SysmonEvent4_ServiceStateChange, SysmonEvent5_ProcessTerminate,
SysmonEvent6_DriverLoad, SysmonEvent7_ImageLoad, SysmonEvent8_CreateRemoteThread, SysmonEvent9_RawAccessRead, SysmonEvent10_ProcessAccess,
SysmonEvent11_FileCreate, SysmonEvent12_RegistryObjectAddDel, SysmonEvent13_RegistrySetValue, SysmonEvent14_RegistryObjectRename,
SysmonEvent15_FileCreateStreamHash, SysmonEvent16_ConfigChange, SysmonEvent17_CreateNamedPipe, SysmonEvent18_ConnectNamedPipe,
SysmonEvent19_WMIEventFilter, SysmonEvent20_WMIEventConsumer, SysmonEvent21_WMIEventConsumerToFilter, SysmonEvent22_DNSEvents)
--------------------------------------------------------------------------------
/docs/DEFCON_attacking_the_sentinel.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netevert/sentinel-attack/979fb468cd0b0fed01e1328cd95da8b99cde78b1/docs/DEFCON_attacking_the_sentinel.pdf
--------------------------------------------------------------------------------
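The parser above reads every field by position, so the check a practitioner wants before trusting the `Sysmon` function is that the `<Data Name="...">` order in the events actually ingested matches the positions the parser hard-codes. The script below is an added example for this page, not code from the sentinel-attack project: it takes an EventData blob in the form stored in `SecurityEvent.EventData`, compares the observed field order with the parser's layout for event IDs 1 and 21, and reproduces the parser's RuleName and Hashes `parse` patterns so the same event can be checked end to end, including the all-empty result the Hashes pattern yields when not all four algorithms are present. The sample events, GUIDs, hashes, user names and command lines are constructed; `EXPECTED_ORDER` is transcribed from the parser's index assignments and needs extending for any other event IDs you rely on.

```python
"""Check the Sysmon-OSSEM parser's positional field layout against raw Sysmon EventData.

Added example for this page, not code from the sentinel-attack project. The KQL
parser addresses each <Data> element by position (EventDetail.[N]); this script
lists the Data Name attributes of an EventData blob in order and reports every
position where that order disagrees with the parser's layout. All sample events
below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Data Name order the KQL parser relies on, keyed by Sysmon EventID: position N is
# the field the parser reads as EventDetail.[N]. Transcribed from the parser for the
# two event types used below; extend it for the other event IDs you rely on.
EXPECTED_ORDER = {
    1: ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
        "Description", "Product", "Company", "OriginalFileName", "CommandLine",
        "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
        "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
        "ParentImage", "ParentCommandLine"],
    21: ["RuleName", "EventType", "UtcTime", "Operation", "User", "Consumer", "Filter"],
}
WIN_EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def build_event_data(fields):
    """Render (Name, value) pairs as the EventData XML stored in SecurityEvent.EventData."""
    body = "".join(f'<Data Name="{n}">{escape(v)}</Data>' for n, v in fields)
    return f'<EventData xmlns="{WIN_EVENT_NS}">{body}</EventData>'


def data_elements(event_data_xml):
    """(Name, text) for every <Data> element in document order, ignoring the XML namespace."""
    root = ET.fromstring(event_data_xml)
    return [(el.get("Name", ""), el.text or "")
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Data"]


def data_by_name(event_data_xml):
    """Name-keyed view of the event: unaffected by inserted or reordered fields."""
    return dict(data_elements(event_data_xml))


def check_layout(event_id, event_data_xml):
    """One message per position where the parser's assumed field differs from the event."""
    observed = [name for name, _ in data_elements(event_data_xml)]
    problems = []
    for pos, want in enumerate(EXPECTED_ORDER[event_id]):
        got = observed[pos] if pos < len(observed) else None
        if got != want:
            problems.append(f"EID {event_id} position {pos}: parser reads {want}, event has {got}")
    return problems


def parse_rule_name(rule_name):
    """Mirror of: parse rule_name with "technique_id=" technique_id ",technique_name=" technique_name."""
    m = re.fullmatch(r"technique_id=(.*?),technique_name=(.*)", rule_name)
    return (m.group(1), m.group(2)) if m else ("", "")


def parse_hashes(hashes):
    """Mirror of the parser's Hashes pattern: SHA1, MD5, SHA256 and IMPHASH must all be
    present in that order (what Sysmon emits with HashAlgorithms '*'). As with KQL
    `parse`, a pattern that does not match leaves every extracted column empty."""
    m = re.match(r".*?SHA1=(.*?),.*?MD5=(.*?),.*?SHA256=(.*?),.*?IMPHASH=(.*)", hashes)
    keys = ("sha1", "md5", "sha256", "imphash")
    return dict(zip(keys, m.groups())) if m else dict.fromkeys(keys, "")


# Constructed event 1 (process create) tagged the way sysmon-modular does. ParentUser is
# the field Sysmon 15 appends after ParentCommandLine; the parser ignores trailing fields.
SAMPLE_EID1_FIELDS = [
    ("RuleName", "technique_id=T1059.001,technique_name=PowerShell"),
    ("UtcTime", "2024-03-01 09:15:02.117"), ("ProcessGuid", "{a1b2c3d4-0001-0001-0001-000000000001}"),
    ("ProcessId", "4712"), ("Image", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("FileVersion", "10.0.19041.1"), ("Description", "Windows PowerShell"),
    ("Product", "Microsoft Windows"), ("Company", "Microsoft Corporation"),
    ("OriginalFileName", "PowerShell.EXE"),
    ("CommandLine", "powershell.exe -nop -w hidden -enc SQBFAFgA"), ("CurrentDirectory", r"C:\Users\alice"),
    ("User", r"CORP\alice"), ("LogonGuid", "{a1b2c3d4-0002-0002-0002-000000000002}"),
    ("LogonId", "0x3e7a1"), ("TerminalSessionId", "1"), ("IntegrityLevel", "Medium"),
    ("Hashes", "SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,MD5=d41d8cd98f00b204e9800998ecf8427e,"
               "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,"
               "IMPHASH=00000000000000000000000000000000"),
    ("ParentProcessGuid", "{a1b2c3d4-0003-0003-0003-000000000003}"), ("ParentProcessId", "3320"),
    ("ParentImage", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("ParentCommandLine", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n'),
    ("ParentUser", r"CORP\alice"),
]
SAMPLE_EID1 = build_event_data(SAMPLE_EID1_FIELDS)
# Same event with OriginalFileName removed, simulating a schema that lacks the field:
# every parser column from position 9 onward is silently shifted by one.
SAMPLE_EID1_DRIFTED = build_event_data([f for f in SAMPLE_EID1_FIELDS if f[0] != "OriginalFileName"])
# Constructed event 21 (WMI consumer-to-filter binding): Consumer and Filter, no Type field.
SAMPLE_EID21 = build_event_data([
    ("RuleName", "technique_id=T1546.003,technique_name=WMI Event Subscription"),
    ("EventType", "WmiBindingEvent"), ("UtcTime", "2024-03-01 09:16:40.002"), ("Operation", "Created"),
    ("User", r"NT AUTHORITY\SYSTEM"),
    ("Consumer", r'\\.\root\subscription:CommandLineEventConsumer.Name="Updater"'),
    ("Filter", r'\\.\root\subscription:__EventFilter.Name="UpdaterFilter"'),
])

if __name__ == "__main__":
    for eid, blob in ((1, SAMPLE_EID1), (1, SAMPLE_EID1_DRIFTED), (21, SAMPLE_EID21)):
        problems = check_layout(eid, blob)
        print(f"EID {eid}: " + ("layout matches parser" if not problems else problems[0]))
    fields = data_by_name(SAMPLE_EID1)
    print(parse_rule_name(fields["RuleName"]), parse_hashes(fields["Hashes"])["sha256"])
```

To use it against your own workspace, copy an `EventData` value for the event ID in question out of `SecurityEvent` and pass it to `check_layout` in place of the constructed sample; a non-empty result means the OSSEM columns for that event type are shifted and the parser's indices need updating before any hunting query built on them can be trusted. `data_by_name` is the drift-proof alternative worth keeping in mind when the same field mapping is ported to another tool.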