Moving hunting queries to MDE XDR solution

Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/Bazacall/PayloadDropUsingCertUtil.yaml

@@ -0,0 +1,20 @@
+id: 4d11f63f-5b64-416e-8d77-266e4c6d382e
+name: Dropping Payload via certutil
+description: |
+  BazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for a copy of certutil.exe used by the macro.
+description-detailed: |
+  BazaCall is a campaign that manipulate users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
+  This query hunts for an attacker-created copy of certutil.exe, a legitimate process, which the macro uses to download BazaLoader.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceFileEvents
+tactics:
+  - InitialAccess
+  - DefenseEvasion
+query: |
+  DeviceFileEvents
+  | where InitiatingProcessFileName !~ "certutil.exe"
+  | where InitiatingProcessFileName !~ "cmd.exe"
+  | where InitiatingProcessCommandLine has_all("-urlcache", "split", "http")
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/Macaw Ransomware/ImminentRansomware.yaml

@@ -0,0 +1,41 @@
+id: 846bf25e-3d2d-4122-9b60-adfadd2fc616
+name: Imminent Ransomware
+description: |
+  Before deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
+description-detailed: |
+  This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+tactics:
+  - DefenseEvasion
+query: |
+  DeviceProcessEvents 
+  // Pivot on specific commands 
+  | where ProcessCommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension", 
+  "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup") 
+  // Making list of found commands 
+  | summarize ProcessCommandLine = make_set(ProcessCommandLine, 10000) by DeviceId, bin(TimeGenerated, 6h) 
+  // Extending columns for later aggregration, based on TTP 
+  | extend StartUpExclusionPath = iff(ProcessCommandLine has_all("-ExclusionPath", "Startup"), 1, 0) 
+  | extend DefenderTamp = iff(ProcessCommandLine has "Set-MpPreference" 
+  and ProcessCommandLine has_any( 
+  "-SevereThreatDefaultAction 6" 
+  "-HighThreatDefaultAction 6", 
+  "-ModerateThreatDefaultAction 6", 
+  "-LowThreatDefaultAction 6" 
+  "-ScanScheduleDay 8"), 1, 0) 
+  | extend NetshFirewallTampering = iff(ProcessCommandLine has_all( "netsh", "advfirewall", "allprofiles state off"), 1, 0) 
+  | extend BatExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".bat"), 1, 0) 
+  | extend ExeExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".exe"), 1, 0) 
+  | extend DisableControlledFolderAccess = iff(ProcessCommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0) 
+  | extend ScDeleteDefend = iff(ProcessCommandLine has_all("sc", "delete", "windefend"), 1, 0) 
+  | extend BootTampering = iff(ProcessCommandLine has_all("bcdedit", "default") and ProcessCommandLine has_any ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0) 
+  | extend SchTasks = iff(ProcessCommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0) 
+  // Summarizing found commands 
+  | summarize by NetshFirewallTampering ,BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DeviceId, TimeGenerated 
+  // Adding up each piece of evidence 
+  | extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath 
+  | where EvidenceCount > 4
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/RobbinhoodDriver.yaml

@@ -0,0 +1,26 @@
+id: 4713d763-122d-419c-bf6f-bdef111cd8e2
+name: Robbinhood Driver
+description: |
+  This query detects the presence of the Robbinhood ransomware driver.
+description-detailed: |
+  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
+  Robbinhood is ransomware that has been involved in several high-profile incidents, including a 2019 attack on the city of Baltimore, Maryland. Robbinhood operators often employ a distinctive defense evasion technique, where they load a vulnerable driver on to a target and exploit it, in order to turn off security software -- essentially using the driver as malware.
+  The following query detects if a device contains the vulnerable drivers. These are often, but not always, implanted on the target by operators seeking to use this technique to turn off security software.
+  For a query that detects a later stage of this technique, see Detect security evasion related to the Robbinhood ransomware campaign.
+  References:
+  https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
+  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370
+  https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceFileEvents
+tactics:
+  - Execution
+  - DefenseEvasion
+query: |
+  DeviceFileEvents
+  | where TimeGenerated > ago(7d)
+  | where SHA1 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8',
+  '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/Snip3MaliciousNetworkConnectivity.yaml

@@ -0,0 +1,23 @@
+id: b3470e40-39ae-4c28-9282-440038f6f964
+name: Snip3 Malicious Network Connectivity
+description: | 
+  This hunting query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware.
+description-detailed: |
+  Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.
+  The following query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. This technique has been used in recent cases to exfiltrate data, including credentials.
+  The query may return additional malware or campaigns not necessarily associated with Snip3. However, Microsoft recommends triaging all non-benign results as potential malware.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceNetworkEvents
+tactics:
+  - CommandAndControl
+  - Exfiltration
+query: |
+  DeviceNetworkEvents 
+  | where InitiatingProcessFileName in~ ("RegSvcs.exe","RegAsm.exe", "InstallUtil.exe") 
+  | where InitiatingProcessCommandLine in~ ("\"RegAsm.exe\"","\"RegSvcs.exe\"","\"InstallUtil.exe\"") 
+  | where InitiatingProcessParentFileName endswith "powershell.exe" 
+    or InitiatingProcessParentFileName endswith "powershell_ise.exe" 
+    or InitiatingProcessParentFileName endswith "pwsh.exe"
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml

@@ -0,0 +1,19 @@
+id: a18e8bcf-e05d-4e45-bc6e-2c5004729fbd
+name: Java Executing cmd to run Powershell
+description: |
+  This query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
+description-detailed: |
+  This query was originally published in the threat analytics report, Sysrv botnet evolution.
+  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
+  The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+    - DeviceProcessEvents
+tactics:
+  - Execution
+query: |
+  DeviceProcessEvents                         
+  | where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' 
+  and ProcessCommandLine has_all('powershell iex','DownloadString')
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Defense Evasion/ClearSystemLogs.yaml

@@ -0,0 +1,22 @@
+id: 6284b962-ab0d-46d8-a47f-1eb1ac1be463
+name: Clear System Logs
+description: | 
+  This hunting query searches for attempts to use fsutil.exe to clear system logs and delete forensic artifacts.
+description-detailed: |
+  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
+  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
+  The following query detects attempts to use fsutil.exe to clear system logs and delete forensic artifacts.
+  The See also section below lists more queries related to techniques shared by these campaigns.
+  Reference - https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+tactics:
+  - DefenseEvasion
+query: |
+  DeviceProcessEvents
+  | where TimeGenerated > ago(7d)
+  | where FileName =~ "fsutil.exe"
+  and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml

@@ -0,0 +1,32 @@
+id: b1f8aac2-766d-47ec-8787-84bc7692ff77
+name: Regsvr32 Rundll32 Image Loads Abnormal Extension
+description: |
+  This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.
+description-detailed: |
+  This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.
+  Joins the data to public network events.
+  References:
+  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+      - DeviceNetworkEvents
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1218.010
+  - T1218.011
+query: |
+  DeviceImageLoadEvents 
+  | where TimeGenerated > ago(1d)
+  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
+  | where FileName !endswith ".dll"
+  | join (
+  DeviceNetworkEvents
+  | where TimeGenerated > ago(30d)
+  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
+  | where RemoteIPType == "Public"
+  ) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
+  | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml

@@ -0,0 +1,33 @@
+id: 54ea2379-28e7-48e1-8dfd-aaf8fb1331ba
+name: Regsvr32 Rundll32 with Anomalous Parent Process
+description: 
+  This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.
+description-detailed: |
+  This query looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.
+  Blog:
+  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+      - DeviceNetworkEvents
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1218.010
+  - T1218.011
+query: |
+  DeviceProcessEvents
+  | where TimeGenerated > ago(30d)
+  | where FileName has_any ("rundll32.exe","regsvr32.exe")
+  | where InitiatingProcessFileName has_any ("wscript.exe","powershell.exe","cmd.exe","pwsh.exe","cscript.exe")
+  | project TimeGenerated,DeviceName, InvestigatedProcessName=FileName, InvestigatedProcessCommandLine = ProcessCommandLine,InvestigatedProcessStartTime = ProcessCreationTime, InvestigatedProcessId = ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
+  | join (
+  DeviceNetworkEvents
+  | where TimeGenerated > ago(30d)
+  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
+  | where RemoteIPType == "Public"
+  | project DeviceName, InvestigatedProcessName=InitiatingProcessFileName, InvestigatedProcessCommandLine = InitiatingProcessCommandLine,InvestigatedProcessStartTime = InitiatingProcessCreationTime, InvestigatedProcessId = InitiatingProcessId, RemoteIP, RemoteUrl
+  ) on DeviceName, InvestigatedProcessCommandLine, InvestigatedProcessId, InvestigatedProcessName, InvestigatedProcessStartTime
+  | project-away DeviceName1, InvestigatedProcessCommandLine1, InvestigatedProcessId1, InvestigatedProcessName1, InvestigatedProcessStartTime1
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml

@@ -1,5 +1,5 @@
 id: fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7
-name: detect-suspicious-commands-initiated-by-web-server-processes
+name: Detect Suspicious Commands Initiated by Webserver Processes
 description: | 
   Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery.
 description-detailed: |

Solutions/Microsoft Defender XDR/Hunting Queries/Discovery/User&GroupEnumWithNetCommand.yaml

@@ -0,0 +1,19 @@
+id: 29683151-e15d-4c0c-845b-892be89bf080
+name: Enumeration of Users & Groups for Lateral Movement
+description: |
+  This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement. 
+description-detailed: |
+  This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement.
+requiredDataConnectors: 
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+query: |
+  DeviceProcessEvents 
+  | where TimeGenerated > ago(7d) 
+  | where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\'  and ProcessCommandLine !contains '/add' 
+  | where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain') 
+  | extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine) | filter Target  != '' 
+  | project AccountName, Target, ProcessCommandLine, DeviceName, TimeGenerated  
+  | sort by AccountName, Target
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Execution/PotentialKerberoastActivities.yaml

@@ -0,0 +1,36 @@
+id: 35ca729c-04b4-4f6c-b383-caed1b85226e
+name: Detect Potential kerberoast Activities
+description: |
+  This query aim to detect if someone requests service tickets (where count => maxcount). The query requires trimming to set a baseline level for MaxCount.
+description-detailed: |
+  This query aim to detect if someone requests service tickets (where count => maxcount)
+  The query requires trimming to set a baseline level for MaxCount  
+  Mitre Technique: Kerberoasting (T1558.003)
+  @MattiasBorg82
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - IdentityLogonEvents
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T1558.003
+query: |
+  let MaxCount = 70; //Number of requests per 2 minute timeframe, depending on org size.
+  IdentityLogonEvents
+  | where TimeGenerated > ago(1d)
+  | where ActionType == "LogonSuccess"
+  | where Protocol == "Kerberos"
+  | extend json = todynamic(parse_json(tostring(AdditionalFields)))
+  | extend SPN = json.Spns,
+         AttackTechniques = json.AttackTechniques
+        | project-away json
+  | where isnotempty(SPN)
+  | where AttackTechniques has "T1558.003"
+  | mv-expand SPN
+          | extend SPNType = tostring(extract(@"^\w+",0,tostring(SPN)))
+  | distinct tostring(SPN),DeviceName,AccountUpn, AccountSid,bin(TimeGenerated,2m),ReportId, tostring(AttackTechniques)
+  | summarize count(), SPNS=(make_list(SPN, 100000)),ReportId=tostring((make_list(ReportId, 100000))[0]) by AccountUpn,AccountSid,DeviceName, bin(TimeGenerated, 2m), tostring(AttackTechniques)
+  | extend SPNS = (replace_regex(tostring(SPNS), @'[^\w+-\/]+', ''))
+  | where count_ >= MaxCount
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Execution/SuspiciousAppExeutedByWebserver.yaml

@@ -0,0 +1,21 @@
+id: 761230a3-71ad-4522-bfbc-1dca698ffc42
+name: Webserver Executing Suspicious Applications
+description: |
+  This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript).
+description-detailed: |
+  This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1 \ whoami \ ping \ ipconfig),or admin commands (sc).  Note that seeing thisactivity doesn't immediately mean you have a breach, though you might consider reviewing and honing the where clause to fit your specific web applications.
+  Those who don't mind false positives should consider also adding database process names to this list as well (i.e. sqlservr.exe) to identify potential abuse of xp_cmdshell.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+tactics:
+  - Execution
+query: |
+  DeviceProcessEvents
+  | where TimeGenerated > ago(7d)
+  | where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe') // 'sqlservr.exe')
+  | where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe')
+  | summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId 
+  | order by instances asc
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Exploits/Print Spooler RCE/SpoolsvSpawningRundll32.yaml

@@ -0,0 +1,20 @@
+id: 3cc2127f-d9ca-46a0-9628-89f702be82b3
+name: Spoolsv Spawning Rundll32
+description: |
+  Look for the spoolsv.exe launching rundll32.exe with an empty command line.
+description-detailed: |
+  Look for the spoolsv.exe launching rundll32.exe with an empty command line.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+tactics:
+  - PrivilegeEscalation
+  - Execution
+query: |
+  DeviceProcessEvents
+  | where InitiatingProcessParentFileName has "spoolsv.exe"
+  | where InitiatingProcessFileName =~ "rundll32.exe"
+  | where isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine endswith "rundll32.exe" //either commandline is empty or just "rundll32.exe"
+  | where FileName !in~ ("WerFault.exe")
+version: 1.0.0

Solutions/Microsoft Defender XDR/Hunting Queries/Exploits/SuspiciousFileCreationByPrintSpoolerService.yaml

@@ -0,0 +1,25 @@
+id: daa347a4-8251-43a7-9730-32f22aa741ab
+name: Windows Print Spooler Service Suspicious File Creation
+description: |
+  The query digs in Windows print spooler drivers folder for any file creations. This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999.
+description-detailed: |
+  The query digs in Windows print spooler drivers folder for any file creations,
+  MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. Suspicious DLL is load from Spooler Service backup folder. 
+  This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceFileEvents
+tactics:
+  - PrivilegeEscalation
+  - LateralMovement
+relevantTechniques:
+  - T1574
+query: |
+  DeviceFileEvents
+  | where TimeGenerated > ago(7d)
+  | where ActionType == "FileCreated"
+  | where FileName endswith ".dll"
+  | where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\\3\\"
+     or FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\\4\\"
+version: 1.0.0