Moving hunting queries to MDE XDR solution
Showing 24 changed files with 671 additions and 1 deletion.
20 changes: 20 additions & 0 deletions
...s/Microsoft Defender XDR/Hunting Queries/Campaigns/Bazacall/PayloadDropUsingCertUtil.yaml
@@ -0,0 +1,20 @@ | ||
id: 4d11f63f-5b64-416e-8d77-266e4c6d382e | ||
name: Dropping Payload via certutil | ||
description: | | ||
BazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for a copy of certutil.exe used by the macro. | ||
description-detailed: | | ||
BazaCall is a campaign that manipulate users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader. | ||
This query hunts for an attacker-created copy of certutil.exe, a legitimate process, which the macro uses to download BazaLoader. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceFileEvents | ||
tactics: | ||
- InitialAccess | ||
- DefenseEvasion | ||
query: | | ||
DeviceFileEvents | ||
| where InitiatingProcessFileName !~ "certutil.exe" | ||
| where InitiatingProcessFileName !~ "cmd.exe" | ||
| where InitiatingProcessCommandLine has_all("-urlcache", "split", "http") | ||
version: 1.0.0 |
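Review bot: the two "!~" filters on InitiatingProcessFileName deliberately exclude the genuine certutil.exe name, so only a renamed copy running a "-urlcache -split" download is returned; that matches the description, but a one-line "//" comment above those filters would stop the next reader from taking the exclusion for a mistake. The query also has no time bound, unlike the other queries in this commit; consider a "| where TimeGenerated > ago(7d)" line first. In the description, "tricks users into calling ... and download a malicious Excel file" should read "and downloading".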
41 changes: 41 additions & 0 deletions
...Microsoft Defender XDR/Hunting Queries/Campaigns/Macaw Ransomware/ImminentRansomware.yaml
@@ -0,0 +1,41 @@ | ||
id: 846bf25e-3d2d-4122-9b60-adfadd2fc616 | ||
name: Imminent Ransomware | ||
description: | | ||
Before deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools. | ||
description-detailed: | | ||
This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
tactics: | ||
- DefenseEvasion | ||
query: | | ||
DeviceProcessEvents | ||
// Pivot on specific commands | ||
| where ProcessCommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension", | ||
"-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup") | ||
// Making list of found commands | ||
| summarize ProcessCommandLine = make_set(ProcessCommandLine, 10000) by DeviceId, bin(TimeGenerated, 6h) | ||
// Extending columns for later aggregration, based on TTP | ||
| extend StartUpExclusionPath = iff(ProcessCommandLine has_all("-ExclusionPath", "Startup"), 1, 0) | ||
| extend DefenderTamp = iff(ProcessCommandLine has "Set-MpPreference" | ||
and ProcessCommandLine has_any( | ||
"-SevereThreatDefaultAction 6" | ||
"-HighThreatDefaultAction 6", | ||
"-ModerateThreatDefaultAction 6", | ||
"-LowThreatDefaultAction 6" | ||
"-ScanScheduleDay 8"), 1, 0) | ||
| extend NetshFirewallTampering = iff(ProcessCommandLine has_all( "netsh", "advfirewall", "allprofiles state off"), 1, 0) | ||
| extend BatExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".bat"), 1, 0) | ||
| extend ExeExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".exe"), 1, 0) | ||
| extend DisableControlledFolderAccess = iff(ProcessCommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0) | ||
| extend ScDeleteDefend = iff(ProcessCommandLine has_all("sc", "delete", "windefend"), 1, 0) | ||
| extend BootTampering = iff(ProcessCommandLine has_all("bcdedit", "default") and ProcessCommandLine has_any ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0) | ||
| extend SchTasks = iff(ProcessCommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0) | ||
// Summarizing found commands | ||
| summarize by NetshFirewallTampering ,BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DeviceId, TimeGenerated | ||
// Adding up each piece of evidence | ||
| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath | ||
| where EvidenceCount > 4 | ||
version: 1.0.0 |
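Review bot: the has_any list inside the DefenderTamp extend is missing commas after "-SevereThreatDefaultAction 6" and after "-LowThreatDefaultAction 6"; Kusto concatenates adjacent string literals, so the four intended terms collapse into two strings that never occur in a real command line and the DefenderTamp indicator silently under-counts, which lowers EvidenceCount for exactly the tampering this query is meant to catch. Add the two commas. Minor: "aggregration" in the comment should be "aggregation".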
26 changes: 26 additions & 0 deletions
Solutions/Microsoft Defender XDR/Hunting Queries/Campaigns/RobbinhoodDriver.yaml
@@ -0,0 +1,26 @@ | ||
id: 4713d763-122d-419c-bf6f-bdef111cd8e2 | ||
name: Robbinhood Driver | ||
description: | | ||
This query detects the presence of the Robbinhood ransomware driver. | ||
description-detailed: | | ||
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. | ||
Robbinhood is ransomware that has been involved in several high-profile incidents, including a 2019 attack on the city of Baltimore, Maryland. Robbinhood operators often employ a distinctive defense evasion technique, where they load a vulnerable driver on to a target and exploit it, in order to turn off security software -- essentially using the driver as malware. | ||
The following query detects if a device contains the vulnerable drivers. These are often, but not always, implanted on the target by operators seeking to use this technique to turn off security software. | ||
For a query that detects a later stage of this technique, see Detect security evasion related to the Robbinhood ransomware campaign. | ||
References: | ||
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ | ||
https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370 | ||
https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceFileEvents | ||
tactics: | ||
- Execution | ||
- DefenseEvasion | ||
query: | | ||
DeviceFileEvents | ||
| where TimeGenerated > ago(7d) | ||
| where SHA1 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8', | ||
'31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427') | ||
version: 1.0.0 |
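Review bot: the "SHA1 in(...)" filter compares against two 64-hex-character values, which are SHA-256 digests; the SHA1 column holds 40-character values, so this query can never return a row. Either change the filter to "| where SHA256 in(...)" (DeviceFileEvents carries a SHA256 column) or replace the values with the drivers' SHA-1 hashes from the referenced report. It is worth re-running the query against a known sample once fixed, since the current version returns nothing and gives no error.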
23 changes: 23 additions & 0 deletions
...s/Microsoft Defender XDR/Hunting Queries/Campaigns/Snip3MaliciousNetworkConnectivity.yaml
@@ -0,0 +1,23 @@ | ||
id: b3470e40-39ae-4c28-9282-440038f6f964 | ||
name: Snip3 Malicious Network Connectivity | ||
description: | | ||
This hunting query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. | ||
description-detailed: | | ||
Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. | ||
The following query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. This technique has been used in recent cases to exfiltrate data, including credentials. | ||
The query may return additional malware or campaigns not necessarily associated with Snip3. However, Microsoft recommends triaging all non-benign results as potential malware. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceNetworkEvents | ||
tactics: | ||
- CommandAndControl | ||
- Exfiltration | ||
query: | | ||
DeviceNetworkEvents | ||
| where InitiatingProcessFileName in~ ("RegSvcs.exe","RegAsm.exe", "InstallUtil.exe") | ||
| where InitiatingProcessCommandLine in~ ("\"RegAsm.exe\"","\"RegSvcs.exe\"","\"InstallUtil.exe\"") | ||
| where InitiatingProcessParentFileName endswith "powershell.exe" | ||
or InitiatingProcessParentFileName endswith "powershell_ise.exe" | ||
or InitiatingProcessParentFileName endswith "pwsh.exe" | ||
version: 1.0.0 |
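Review bot: the "in~" on InitiatingProcessCommandLine matches only the three exact quoted forms, so a hollowed RegAsm/RegSvcs/InstallUtil instance started without quotes or with a trailing space is missed; matching on trim(" ", InitiatingProcessCommandLine), or on the command line carrying no arguments after the image name, is more robust. The query also lacks a relevantTechniques entry and a TimeGenerated bound, both of which the other queries in this commit have; T1055.012 (Process Hollowing) fits the description.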
19 changes: 19 additions & 0 deletions
...soft Defender XDR/Hunting Queries/Campaigns/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml
@@ -0,0 +1,19 @@ | ||
id: a18e8bcf-e05d-4e45-bc6e-2c5004729fbd | ||
name: Java Executing cmd to run Powershell | ||
description: | | ||
This query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. | ||
description-detailed: | | ||
This query was originally published in the threat analytics report, Sysrv botnet evolution. | ||
Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. | ||
The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
tactics: | ||
- Execution | ||
query: | | ||
DeviceProcessEvents | ||
| where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' | ||
and ProcessCommandLine has_all('powershell iex','DownloadString') | ||
version: 1.0.0 |
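Review bot: the filter "InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe'" uses the case-sensitive "==" while the rest of this commit uses "=~"; a "Java.exe" or "CMD.EXE" spelling drops out. Use "=~" for both. The 'powershell iex' term in has_all also requires iex to immediately follow powershell, so a command line with any switch in between is missed; matching 'powershell' and 'iex' as separate terms (with 'Invoke-Expression' as an alternative to iex) covers the same behaviour more reliably.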
22 changes: 22 additions & 0 deletions
Solutions/Microsoft Defender XDR/Hunting Queries/Defense Evasion/ClearSystemLogs.yaml
@@ -0,0 +1,22 @@ | ||
id: 6284b962-ab0d-46d8-a47f-1eb1ac1be463 | ||
name: Clear System Logs | ||
description: | | ||
This hunting query searches for attempts to use fsutil.exe to clear system logs and delete forensic artifacts. | ||
description-detailed: | | ||
This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. | ||
In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. | ||
The following query detects attempts to use fsutil.exe to clear system logs and delete forensic artifacts. | ||
The See also section below lists more queries related to techniques shared by these campaigns. | ||
Reference - https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
tactics: | ||
- DefenseEvasion | ||
query: | | ||
DeviceProcessEvents | ||
| where TimeGenerated > ago(7d) | ||
| where FileName =~ "fsutil.exe" | ||
and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal" | ||
version: 1.0.0 |
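Review bot: description-detailed refers to a "See also section below", but the file has no such section; drop that sentence or replace it with the names of the related queries. Also, "fsutil usn deletejournal" deletes the NTFS USN change journal rather than system or event logs, so the name "Clear System Logs" overstates what the filter detects; "deletes the USN change journal, a forensic artifact" would be accurate. Since the folder is Defense Evasion, a relevantTechniques entry of T1070 (Indicator Removal) would also fit.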
32 changes: 32 additions & 0 deletions
...nder XDR/Hunting Queries/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
@@ -0,0 +1,32 @@ | ||
id: b1f8aac2-766d-47ec-8787-84bc7692ff77 | ||
name: Regsvr32 Rundll32 Image Loads Abnormal Extension | ||
description: | | ||
This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. | ||
description-detailed: | | ||
This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. | ||
Joins the data to public network events. | ||
References: | ||
https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/ | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
- DeviceNetworkEvents | ||
tactics: | ||
- DefenseEvasion | ||
relevantTechniques: | ||
- T1218.010 | ||
- T1218.011 | ||
query: | | ||
DeviceImageLoadEvents | ||
| where TimeGenerated > ago(1d) | ||
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe") | ||
| where FileName !endswith ".dll" | ||
| join ( | ||
DeviceNetworkEvents | ||
| where TimeGenerated > ago(30d) | ||
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe") | ||
| where RemoteIPType == "Public" | ||
) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine | ||
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName | ||
version: 1.0.0 |
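Review bot: requiredDataConnectors.dataTypes lists DeviceProcessEvents, but the query reads DeviceImageLoadEvents (plus DeviceNetworkEvents); list DeviceImageLoadEvents so the solution's data requirements match the tables the query actually runs on. The two sides of the join also use different windows, ago(1d) for image loads and ago(30d) for network events; a long-running process can connect out before the image load, so a wider network window is defensible, but a 30x asymmetry deserves a comment. After the join, the right side contributes TimeGenerated1 holding the connection time, which is worth projecting next to TimeGenerated.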
33 changes: 33 additions & 0 deletions
...ender XDR/Hunting Queries/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml
@@ -0,0 +1,33 @@ | ||
id: 54ea2379-28e7-48e1-8dfd-aaf8fb1331ba | ||
name: Regsvr32 Rundll32 with Anomalous Parent Process | ||
description: | ||
This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. | ||
description-detailed: | | ||
This query looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. | ||
Blog: | ||
https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/ | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
- DeviceNetworkEvents | ||
tactics: | ||
- DefenseEvasion | ||
relevantTechniques: | ||
- T1218.010 | ||
- T1218.011 | ||
query: | | ||
DeviceProcessEvents | ||
| where TimeGenerated > ago(30d) | ||
| where FileName has_any ("rundll32.exe","regsvr32.exe") | ||
| where InitiatingProcessFileName has_any ("wscript.exe","powershell.exe","cmd.exe","pwsh.exe","cscript.exe") | ||
| project TimeGenerated,DeviceName, InvestigatedProcessName=FileName, InvestigatedProcessCommandLine = ProcessCommandLine,InvestigatedProcessStartTime = ProcessCreationTime, InvestigatedProcessId = ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName | ||
| join ( | ||
DeviceNetworkEvents | ||
| where TimeGenerated > ago(30d) | ||
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe") | ||
| where RemoteIPType == "Public" | ||
| project DeviceName, InvestigatedProcessName=InitiatingProcessFileName, InvestigatedProcessCommandLine = InitiatingProcessCommandLine,InvestigatedProcessStartTime = InitiatingProcessCreationTime, InvestigatedProcessId = InitiatingProcessId, RemoteIP, RemoteUrl | ||
) on DeviceName, InvestigatedProcessCommandLine, InvestigatedProcessId, InvestigatedProcessName, InvestigatedProcessStartTime | ||
| project-away DeviceName1, InvestigatedProcessCommandLine1, InvestigatedProcessId1, InvestigatedProcessName1, InvestigatedProcessStartTime1 | ||
version: 1.0.0 |
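Review bot: "description:" lacks the "|" block indicator that every other description field in this commit uses; the indented line still parses as a plain scalar, but write "description: |" for consistency with "description-detailed: |" below. The join uses the default kind (innerunique), which keeps one left row per distinct key; that is acceptable here because the key includes process id and start time, but an explicit "join kind=inner" documents that every matching process row is intended to be kept. Thirty days on both DeviceProcessEvents and DeviceNetworkEvents is also expensive for a hunting query; consider a shorter default window.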
2 changes: 1 addition & 1 deletion
... Defender XDR/Hunting Queries/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml
19 changes: 19 additions & 0 deletions
Solutions/Microsoft Defender XDR/Hunting Queries/Discovery/User&GroupEnumWithNetCommand.yaml
@@ -0,0 +1,19 @@ | ||
id: 29683151-e15d-4c0c-845b-892be89bf080 | ||
name: Enumeration of Users & Groups for Lateral Movement | ||
description: | | ||
This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement. | ||
description-detailed: | | ||
This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
query: | | ||
DeviceProcessEvents | ||
| where TimeGenerated > ago(7d) | ||
| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add' | ||
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain') | ||
| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine) | filter Target != '' | ||
| project AccountName, Target, ProcessCommandLine, DeviceName, TimeGenerated | ||
| sort by AccountName, Target | ||
version: 1.0.0 |
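Review bot: the regex in the extract call uses square brackets, "[user|group]", which is a character class (any single one of u, s, e, r, |, g, o, p) rather than the alternation "(?:user|group)"; it mostly works by accident because "user " ends in r and "group " ends in p, but it also fires on any word ending in one of those letters, so Target can be captured from the wrong token. Replace "[user|group]" with "(?:user|group)". The file also has no "tactics:" entry, unlike the other queries in this commit; "- Discovery" matches the folder. Minor: "contains ' /do'" already covers "' /domain'", so the second clause is redundant.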
36 changes: 36 additions & 0 deletions
...tions/Microsoft Defender XDR/Hunting Queries/Execution/PotentialKerberoastActivities.yaml
@@ -0,0 +1,36 @@ | ||
id: 35ca729c-04b4-4f6c-b383-caed1b85226e | ||
name: Detect Potential kerberoast Activities | ||
description: | | ||
This query aim to detect if someone requests service tickets (where count => maxcount). The query requires trimming to set a baseline level for MaxCount. | ||
description-detailed: | | ||
This query aim to detect if someone requests service tickets (where count => maxcount) | ||
The query requires trimming to set a baseline level for MaxCount | ||
Mitre Technique: Kerberoasting (T1558.003) | ||
@MattiasBorg82 | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- IdentityLogonEvents | ||
tactics: | ||
- LateralMovement | ||
relevantTechniques: | ||
- T1558.003 | ||
query: | | ||
let MaxCount = 70; //Number of requests per 2 minute timeframe, depending on org size. | ||
IdentityLogonEvents | ||
| where TimeGenerated > ago(1d) | ||
| where ActionType == "LogonSuccess" | ||
| where Protocol == "Kerberos" | ||
| extend json = todynamic(parse_json(tostring(AdditionalFields))) | ||
| extend SPN = json.Spns, | ||
AttackTechniques = json.AttackTechniques | ||
| project-away json | ||
| where isnotempty(SPN) | ||
| where AttackTechniques has "T1558.003" | ||
| mv-expand SPN | ||
| extend SPNType = tostring(extract(@"^\w+",0,tostring(SPN))) | ||
| distinct tostring(SPN),DeviceName,AccountUpn, AccountSid,bin(TimeGenerated,2m),ReportId, tostring(AttackTechniques) | ||
| summarize count(), SPNS=(make_list(SPN, 100000)),ReportId=tostring((make_list(ReportId, 100000))[0]) by AccountUpn,AccountSid,DeviceName, bin(TimeGenerated, 2m), tostring(AttackTechniques) | ||
| extend SPNS = (replace_regex(tostring(SPNS), @'[^\w+-\/]+', '')) | ||
| where count_ >= MaxCount | ||
version: 1.0.0 |
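Review bot: "tactics: - LateralMovement" does not fit T1558.003, which ATT&CK files under Credential Access (and the file sits in the Execution folder); use "- CredentialAccess". In both description fields, "count => maxcount" should read "count >= MaxCount", matching the final "where count_ >= MaxCount". Minor: todynamic(parse_json(...)) double-parses AdditionalFields, parse_json alone is enough, and the SPNType column is computed but never used, so either drop it or carry it through the summarize.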
21 changes: 21 additions & 0 deletions
...ons/Microsoft Defender XDR/Hunting Queries/Execution/SuspiciousAppExeutedByWebserver.yaml
@@ -0,0 +1,21 @@ | ||
id: 761230a3-71ad-4522-bfbc-1dca698ffc42 | ||
name: Webserver Executing Suspicious Applications | ||
description: | | ||
This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript). | ||
description-detailed: | | ||
This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1 \ whoami \ ping \ ipconfig),or admin commands (sc). Note that seeing thisactivity doesn't immediately mean you have a breach, though you might consider reviewing and honing the where clause to fit your specific web applications. | ||
Those who don't mind false positives should consider also adding database process names to this list as well (i.e. sqlservr.exe) to identify potential abuse of xp_cmdshell. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
tactics: | ||
- Execution | ||
query: | | ||
DeviceProcessEvents | ||
| where TimeGenerated > ago(7d) | ||
| where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe') // 'sqlservr.exe') | ||
| where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe') | ||
| summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId | ||
| order by instances asc | ||
version: 1.0.0 |
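Review bot: the FileName list omits sc.exe and ipconfig.exe even though description-detailed says the query covers admin commands (sc) and profiling commands (ipconfig); either add them to the "in~" list or remove them from the description. The description also reads "thisactivity" for "this activity", and the file name SuspiciousAppExeutedByWebserver.yaml misspells "Executed". The trailing "order by instances asc" puts the rarest command lines first, which is the right default for hunting, but a short comment saying so would help.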
20 changes: 20 additions & 0 deletions
...soft Defender XDR/Hunting Queries/Exploits/Print Spooler RCE/SpoolsvSpawningRundll32.yaml
@@ -0,0 +1,20 @@ | ||
id: 3cc2127f-d9ca-46a0-9628-89f702be82b3 | ||
name: Spoolsv Spawning Rundll32 | ||
description: | | ||
Look for the spoolsv.exe launching rundll32.exe with an empty command line. | ||
description-detailed: | | ||
Look for the spoolsv.exe launching rundll32.exe with an empty command line. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceProcessEvents | ||
tactics: | ||
- PrivilegeEscalation | ||
- Execution | ||
query: | | ||
DeviceProcessEvents | ||
| where InitiatingProcessParentFileName has "spoolsv.exe" | ||
| where InitiatingProcessFileName =~ "rundll32.exe" | ||
| where isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine endswith "rundll32.exe" //either commandline is empty or just "rundll32.exe" | ||
| where FileName !in~ ("WerFault.exe") | ||
version: 1.0.0 |
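Review bot: the filters pivot on the child of rundll32 rather than on rundll32 itself: "InitiatingProcessParentFileName has "spoolsv.exe"" and "InitiatingProcessFileName =~ "rundll32.exe"" return processes that the spoolsv-spawned rundll32 went on to launch, so a rundll32 instance that loads a DLL without spawning anything further is never returned, which does not match the description "spoolsv.exe launching rundll32.exe". To detect the launch itself, filter on InitiatingProcessFileName =~ "spoolsv.exe" and FileName =~ "rundll32.exe" with the empty-command-line check applied to ProcessCommandLine; the current grandchild view is still useful as a second stage and could be kept under its own name. Also add a TimeGenerated bound as the other queries do.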
25 changes: 25 additions & 0 deletions
...ft Defender XDR/Hunting Queries/Exploits/SuspiciousFileCreationByPrintSpoolerService.yaml
@@ -0,0 +1,25 @@ | ||
id: daa347a4-8251-43a7-9730-32f22aa741ab | ||
name: Windows Print Spooler Service Suspicious File Creation | ||
description: | | ||
The query digs in Windows print spooler drivers folder for any file creations. This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999. | ||
description-detailed: | | ||
The query digs in Windows print spooler drivers folder for any file creations, | ||
MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. Suspicious DLL is load from Spooler Service backup folder. | ||
This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999. | ||
requiredDataConnectors: | ||
- connectorId: MicrosoftThreatProtection | ||
dataTypes: | ||
- DeviceFileEvents | ||
tactics: | ||
- PrivilegeEscalation | ||
- LateralMovement | ||
relevantTechniques: | ||
- T1574 | ||
query: | | ||
DeviceFileEvents | ||
| where TimeGenerated > ago(7d) | ||
| where ActionType == "FileCreated" | ||
| where FileName endswith ".dll" | ||
| where FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\\3\\" | ||
or FolderPath startswith "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\\4\\" | ||
version: 1.0.0 |
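Review bot: the two startswith literals contain "\\\3\\" and "\\\4\\"; inside a KQL double-quoted string "\\" is one backslash and the following "\3" or "\4" is not a documented escape, so the comparison value is not the intended ...\x64\3\ path and the query may not even parse. Write them as "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\3\\" and "C:\\WINDOWS\\SYSTEM32\\SPOOL\\drivers\\x64\\4\\". startswith is case-insensitive, so the upper-case path is fine. Since the description itself warns that many hits "MAY BE LEGIT" (driver package installs write here too), projecting InitiatingProcessFileName and InitiatingProcessCommandLine would make the triage it asks for much quicker.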